Nelson Vale wrote:
> The user's DN is OK now (no extra characters), but the ldap
> authentication still doesn't work. I think the problem is that double
> quotes must be escaped before sent to AD.

OK.

> In my fix in rlm_ldap (test purpose only), I did just that before
> assigning the vp_user_dn->vp_strvalue value to user_dn in
> ldap_authenticate() and it works OK.

OK. The issue is that the value of the attribute is used *directly*. It's really the responsibility of the RADIUS server to pass the correct data to the LDAP query.

i.e. rather than:

    perform_search(... vp_user_dn->vp_strvalue ...)

it should do:

    char buffer[1024];

    vp_print(buffer, sizeof(buffer), vp_user_dn->vp_strvalue);
    perform_search(... buffer ..)

That is what your fix seems to do, and is the right thing to do.

Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
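Added example (not from the thread and not FreeRADIUS code): escaping a single RDN value per RFC 4514 before it is placed into a DN, which covers the double quote discussed above and, going beyond it, the other DN special characters. The names dn_value_escape and build_user_dn and the base DN are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Escape one RDN attribute value per RFC 4514 section 2.4.
 * Returns the escaped length, or -1 if "out" is too small. It never
 * truncates: a cut-off DN could name a different directory entry.
 */
int dn_value_escape(char *out, size_t outlen, const char *in)
{
    size_t len = strlen(in), o = 0;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        /* Always special: " + , ; < > \   Leading: space or #   Trailing: space */
        int special = strchr("\"+,;<>\\", c) != NULL ||
                      (i == 0 && (c == ' ' || c == '#')) ||
                      (i == len - 1 && c == ' ');

        if (o + (special ? 2 : 1) >= outlen) return -1; /* keep room for NUL */
        if (special) out[o++] = '\\';
        out[o++] = (char)c;
    }
    if (o >= outlen) return -1;
    out[o] = '\0';
    return (int)o;
}

/* Compose "CN=<escaped cn>,<base>"; only the untrusted CN is escaped. */
int build_user_dn(char *out, size_t outlen, const char *cn, const char *base)
{
    char esc[256];
    int n;

    if (dn_value_escape(esc, sizeof(esc), cn) < 0) return -1;
    n = snprintf(out, outlen, "CN=%s,%s", esc, base);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void)
{
    char dn[128];
    /* Constructed sample input: a common name containing double quotes. */
    if (build_user_dn(dn, sizeof(dn), "John \"JD\" Doe",
                      "OU=Users,DC=example,DC=com") < 0) return 1;
    puts(dn);
    return 0;
}
```

The escaping is applied to the value alone; running a complete DN through it would also escape the commas that separate its RDNs.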