> the problem is with the groupmembership_filter. It contains the
> Ldap-UserDn attribute which gets xlated and escaped:
> "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>
> A DN usually contains commas which get escaped and break the ldap
> search. I am not so sure why we should escape ',' in the first place.
> That way we break any ldap searches for attribute values holding DN's.

This is correct. For info the python-ldap module contains a function:

    def escape_filter_chars(assertion_value):
        """
        Replace all special characters found in assertion_value
        by quoted notation
        """
        s = assertion_value.replace('\\', r'\5c')
        s = s.replace(r'*', r'\2a')
        s = s.replace(r'(', r'\28')
        s = s.replace(r')', r'\29')
        s = s.replace('\x00', r'\00')
        return s

...implying that only \*()NUL need be escaped?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
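
An added example, not part of the original thread and not FreeRADIUS or python-ldap code: the RFC 4515 escaping rule applied to the group membership filter quoted above, with a decoder and a validity check showing that a DN's commas pass through untouched while the filter metacharacters are neutralised. The sample DN, the function names and the overescape() helper (a hypothetical escaper that puts a bare backslash before ',') are assumptions made for illustration.

```python
import re

# RFC 4515: in an assertion value only NUL, '(', ')', '*' and '\'
# must be written as a backslash followed by two hex digits.
_MUST_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# The filter template quoted in the thread, with the xlat placeholder.
GROUP_FILTER = (
    "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
    "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
)


def escape_filter_value(value):
    """Escape only the characters RFC 4515 requires; ',' is left alone."""
    return "".join(_MUST_ESCAPE.get(ch, ch) for ch in value)


def unescape_filter_value(escaped):
    """Decode each \\XX pair back to the character it stands for."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), escaped)


def overescape(value):
    """Hypothetical over-eager escaper: also puts a bare backslash before ','."""
    return escape_filter_value(value).replace(",", "\\,")


def expand_group_filter(user_dn, escaper=escape_filter_value):
    """Substitute the escaped DN into the group membership filter."""
    return GROUP_FILTER.replace("%{Ldap-UserDn}", escaper(user_dn))


def is_valid_assertion(escaped):
    """True if every backslash is followed by two hex digits and no
    unescaped filter metacharacter remains."""
    return re.fullmatch(r"(?:[^\\()*\x00]|\\[0-9a-fA-F]{2})*", escaped) is not None


if __name__ == "__main__":
    dn = "cn=Doe (ops),ou=People,dc=example,dc=com"  # constructed sample DN
    print(expand_group_filter(dn))
    print(is_valid_assertion(escape_filter_value(dn)), is_valid_assertion(overescape(dn)))
```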