Qin Zhen wrote:
> when I try to login with username 'james*', ldap_escape_fun actually
> converts it into 'james\2a\2a\2a\2a\2a\2a...', but the radius debug mode
> still shows
> Debug: rlm_ldap:performing search in dc=sg, o=company, with filter
> (&objectclass=radiusprofile)(userlogin=james))
> that means ldap still searches based on filter 'userlogin=james' and ignores
> those '\2a\2a\2a' that follow, and hence it finds the username 'james' from
> ldap and allows the user to login.
> is it the way the latest freeradius is supposed to be?

No, it's a known bug in FreeRADIUS 1.0.5. That's why I told you earlier
to get a fixed version in CVS.

> if user james can use 'james*' or 'james\\' to login as usual, isn't it
> insecure?

I think "james*" (without escaping) in an LDAP filter is insecure, it may
disclose information about other users named "jamesfoo" or "jamesbar" ...

-- 
Nicolas Baradakis
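Added example, not part of the original thread and not FreeRADIUS's own code: one way to escape a user name per RFC 4515 before placing it in the `userlogin` filter discussed above, refusing to build the filter when the escaped value does not fit instead of truncating it. The function names `filter_escape` and `build_filter` are hypothetical, and the input names are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not FreeRADIUS code; function names are hypothetical.
 * Escapes an LDAP filter assertion value per RFC 4515: '*', '(', ')', '\'
 * and NUL become \2a, \28, \29, \5c and \00. Returns the escaped length, or
 * -1 (with out set to "") if out is too small, so no truncated value is used. */
static int filter_escape(const char *in, size_t inlen, char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    if (outlen == 0) return -1;
    for (size_t i = 0; i < inlen; i++) {
        unsigned char c = (unsigned char)in[i];
        int special = (c == '*' || c == '(' || c == ')' || c == '\\' || c == 0);
        if (o + (special ? 3 : 1) >= outlen) { /* keep room for the terminator */
            out[0] = '\0';
            return -1;
        }
        if (special) {
            out[o++] = '\\';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        } else {
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Build "(userlogin=<escaped name>)"; returns 0 on success, -1 on failure. */
static int build_filter(const char *name, char *filter, size_t len)
{
    char esc[128];
    if (filter_escape(name, strlen(name), esc, sizeof(esc)) < 0) return -1;
    int n = snprintf(filter, len, "(userlogin=%s)", esc);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
    const char *names[] = { "james", "james*", "james\\" }; /* constructed inputs */
    char f[256];
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        if (build_filter(names[i], f, sizeof(f)) == 0)
            printf("%-8s -> %s\n", names[i], f);
    return 0;
}
```

With correct escaping, `james*` yields `(userlogin=james\2a)`, which can only match an entry whose login is literally `james*`.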

