Upgrading is what broke this functionality. It works with version 1.0.1. Sometime after that a change was made to rlm_ldap.c. This change modified the ldap_escape_func() function. The way this function works in 1.1.4 and up is different than 1.0.1. Basically, it didn't escape anything in 1.0.1 and now it does.
What we see in 1.1.4/1.1.6 is that a UserDN returned from AD using OpenLDAP looks like this:

CN=Lastname\,Firstname, CN=bla,DC=bla

After the ldap_escape_func() returns it looks like this:

CN\\3dLastname\\5c\\5c\\2cFirstname\\2cCN\\3dbla\\2cDC\\3dbla

The \, gets escaped then translated and becomes \\5c\\5c\\2c which doesn't match \, in the member= results of the group.

Any ideas where the extra \\5c is coming from?

Brian Dourty
System Administrator - Team Lead
Division of IT
University of Missouri - Columbia
573-882-1035

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] rg] On Behalf Of Phil Mayers
Sent: Tuesday, June 05, 2007 6:50 PM
To: FreeRadius users mailing list
Subject: Re: Ldap group troubles

Dourty, Brian R. (IATS) wrote:
> I'm having some trouble with the ldap group configuration against AD and
> need a little help.
>
> Freeradius 1.1.4

Upgrade.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
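Added example, not part of the original post and not FreeRADIUS code: it hex-escapes the UserDN for a (member=...) filter value and decodes it the way RFC 4515 prescribes, showing that a single escaping pass still matches the stored member value, while a backslash doubled before escaping yields \5c\5c\2c and no longer matches. WIDE_SET, the function names and the DOUBLED value are assumptions constructed for illustration; the example does not establish where the doubling happens in the setup described above.

```python
import re

# Characters hex-escaped by a wide, DN-style escaper (assumed set, for illustration).
WIDE_SET = ',+"\\<>;*=()'
# Characters RFC 4515 requires escaping inside a filter assertion value.
RFC4515_SET = '\\*()\x00'


def hex_escape(value: str, charset: str) -> str:
    """Replace every character of `value` found in `charset` with \\xx (lowercase hex)."""
    return "".join(f"\\{ord(ch):02x}" if ch in charset else ch for ch in value)


def filter_unescape(value: str) -> str:
    """Decode \\xx pairs as a server does for a filter assertion value (RFC 4515)."""
    if re.search(r"\\(?![0-9a-fA-F]{2})", value):
        raise ValueError("malformed escape in filter value")
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def member_matches(user_dn: str, member: str, charset: str) -> bool:
    """True if the escaped DN, once decoded by the server, equals the stored member value."""
    return filter_unescape(hex_escape(user_dn, charset)) == member


# DN as quoted in the post (the value stored in the group's member attribute).
MEMBER = r"CN=Lastname\,Firstname, CN=bla,DC=bla"
# Constructed variant: the same DN with its backslash doubled before escaping.
DOUBLED = r"CN=Lastname\\,Firstname, CN=bla,DC=bla"

if __name__ == "__main__":
    for label, dn in (("as stored", MEMBER), ("doubled upstream", DOUBLED)):
        for name, charset in (("wide", WIDE_SET), ("rfc4515", RFC4515_SET)):
            escaped = hex_escape(dn, charset)
            matched = member_matches(dn, MEMBER, charset)
            print(f"{label:17} {name:8} match={matched!s:5} {escaped}")
```
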

