FreeRADIUS 3.0.25 with a single backslash in user's password

Alan DeKok aland at
Fri Dec 3 14:01:49 CET 2021

On Dec 3, 2021, at 2:42 AM, Burn Zero <burnzerog at> wrote:
> I noticed some authentication issues recently and saw that it is due to
> people using backslash \ in their passwords. If there is a single backslash
> in the password, then FreeRADIUS adds another backslash to it and hence the
> authentication is rejected.

  That's not quite what happens.

> I have:
> In LDAP module,
> update {
> control:My-Raw-Password         += 'User-Password'
> }

  I suspect this isn't what's actually there.  Instead of pasting the exact string, you've re-typed it.

  These are computers.  Details matter.

> Then in authorize,
> ntlm_auth.authorize {
>  if (!control:Auth-Type && User-Password) {
>    update control {
>      User-Password := "%{string:control:My-Raw-Password}"
>      Auth-Type := ntlm_auth
>    }

  I have no idea why you're doing this.  It's not necessary.

  If the password is in LDAP, it can be checked via LDAP.  You don't need ntlm_auth.

> I searched several posts in this mailing list but I couldn't get it. Could
> you please let me know how to parse the backslash as backslash and not to
> add any extra backslash?

  Don't use ntlm_auth.  Use ldap as it was intended.  It works.

  Alan DeKok.
