LDAP group - samaccountname

Olivier Mahieu o_mahieu at hotmail.com
Tue Feb 4 21:27:05 CET 2020

Its active directory Administrator account. No backslashes.
Doing radtest mschap returns correct vlan.

Verzonden vanaf mijn Samsung Galaxy-smartphone.

-------- Oorspronkelijk bericht --------
Van: Alan DeKok <aland at deployingradius.com>
Datum: 4/02/20 21:21 (GMT+01:00)
Aan: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Onderwerp: Re: LDAP group - samaccountname

> On Feb 4, 2020, at 2:42 PM, Olivier Mahieu <o_mahieu at hotmail.com> wrote:
> Hello,
> Using the LDAP module in post-auth section (PEAP-MSCHAPv2); the correct user group is not found for VLAN assignment.
> I think it has to do with the samaccountname. 5c5cAdministrator instead of Administrator.

(9) Received Access-Request Id 111 from to length 261
(9)   User-Name = "AD-OM\\Administrator"

  That's generally not a good idea.  i.e. account names with backslashes. etc.

(9)     EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
(9)        --> (samaccountname=AD-OM\5c5cAdministrator)
(9)     Performing search in "dc=MAH,dc=TEST" with filter "(samaccountname=AD-OM\5c5cAdministrator)", scope "sub"

  FreeRADIUS escapes the backslashes for security reasons.  Otherwise the users could add magic characters, change the ldap query, and do bad things.

  What is the account name in LDAP?  Does it have the backslashes in it?

  Alan DeKok.

List info/subscribe/unsubscribe? See https://eur04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=02%7C01%7C%7C4c7bfa280f8d43a067d808d7a9afdbb5%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637164445071414620&sdata=WKscEKZKjE3nEq%2BwD5ukBpMQ6nugRLwmRLVU75nS3Hc%3D&reserved=0

More information about the Freeradius-Users mailing list