Thanks for Nicolas's reply.
So in the latest version (1.0.5), a username 'jam\' will be converted into 'jam\5c' and ldapsearch will be based on 'jam\5c', right? So this username is supposed not to be found in LDAP in this case? But how come on my server the ldapsearch is based on 'jam' and those invalid characters are just simply eliminated? Scratching head... please assist. Thanks so much.

----- Original Message -----
From: "Nicolas Baradakis" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org>
Sent: Wednesday, December 07, 2005 6:51 PM
Subject: Re: question on ldap_escape_func in rlm_ldap.c


Qin Zhen wrote:

> i couldn't figure out what does the change intend to do, is it to
> filter out '*', '\\', '()' and '=' from username? and why should it
> be in that way? please help me. thanks a lot in advance.

The function ldap_escape_func() filters all LDAP-specific characters
from RFC 2254. This prevents LDAP injection attacks.

BTW there's a known bug in this function; you can get a fixed version
here (the patch will be included in the next release):

http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/modules/rlm_ldap/rlm_ldap.c?rev=1.122.2.8

--
Nicolas Baradakis

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
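As an added illustration of the escaping Nicolas describes (this is constructed for the thread, not the rlm_ldap code itself): each RFC 2254 filter metacharacter becomes a backslash plus two hex digits, which is exactly what turns 'jam\' into 'jam\5c'. The function names `ldap_filter_escape` and `build_uid_filter`, the buffer sizes and the sample usernames are all assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Escape the RFC 2254 filter metacharacters '*', '(', ')' and '\' as a
 * backslash plus two lowercase hex digits (NUL cannot occur in a C string).
 * Returns the escaped length, or (size_t)-1 when 'out' is too small; callers
 * must then reject the value rather than search on a truncated filter.
 * Constructed for this thread; it is not the rlm_ldap implementation. */
size_t ldap_filter_escape(const char *in, char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        int special = (c == '*' || c == '(' || c == ')' || c == '\\');
        size_t need = special ? 3 : 1;
        if (o + need + 1 > outlen)          /* +1 keeps room for the NUL */
            return (size_t)-1;
        if (special) {
            out[o++] = '\\';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        } else {
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return o;
}

/* Wrap the escaped username in the filter a User-Name lookup would use. */
size_t build_uid_filter(const char *user, char *out, size_t outlen)
{
    char esc[256];
    if (ldap_filter_escape(user, esc, sizeof esc) == (size_t)-1)
        return (size_t)-1;
    int n = snprintf(out, outlen, "(uid=%s)", esc);
    return (n < 0 || (size_t)n >= outlen) ? (size_t)-1 : (size_t)n;
}

int main(void)
{
    /* constructed usernames; the third tries to splice in a second filter term */
    const char *samples[] = { "jam\\", "jam*", "a)(uid=*", "plain" };
    char buf[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (build_uid_filter(samples[i], buf, sizeof buf) != (size_t)-1)
            printf("%-10s -> %s\n", samples[i], buf);
    return 0;
}
```

With escaping in place, 'jam\' is searched as the literal 'jam\5c' and is simply not found, which matches the behaviour the thread expects from 1.0.5; a build that silently drops the characters instead is searching for a different user than the one presented.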

