On 08/11/2011 10:01 AM, Vlad Glagolev wrote:
Hello there,

I'm here to say that I've found a kind of misconfiguration/bug in FreeRADIUS.

The version is 2.1.10, and the platform is i386 (i686) OpenBSD.

When I try to use a group membership check, I see strange behaviour: instead of 
commas there are symbols (are those in ASCII?) like this:

[files]         expand: 
(|(&(objectClass=PosixGroup)(memberUnixUserName=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
 ->  
(|(&(objectClass=PosixGroup)(memberUnixUserName=uid\3dtest\2cou\3dIT\2cou\3dDepartments\2cou\3ddom.tld\2cou\3dDomains\2cou\3dUsers\2cdc\3ddomain\2cdc\3dtld))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtest\2cou\3dIT\2cou\3dDepartments\2cou\3ddom.tld\2cou\3dDomains\2cou\3dUsers\2cdc\3ddomain\2cdc\3dtld)))

Of course, if I use %{User-Name} instead of %{control:Ldap-UserDn} it works well 
(with a simplified search filter, but it's the same with the one above):

[files]         expand: (&(objectClass=posixGroup)(memberUnixUserName=%{User-Name})) 
->  (&(objectClass=posixGroup)(memberUnixUserName=test))
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=domain,dc=tld, with filter 
(&(cn=disabled)(&(objectClass=posixGroup)(memberUnixUserName=test)))
rlm_ldap::ldap_groupcmp: User found in group disabled

Is this a known behaviour?


LDAP DNs have reserved characters, and comma is one of them. To properly form a DN the reserved characters must be "escaped". There are two methods to escape a reserved character: either precede it with a backslash, or convert it to its hexadecimal ASCII code point preceded by a backslash. The hexadecimal ASCII code point for comma is 2c, thus all your commas are getting replaced by \2c as part of the DN escaping.

That explains the odd string. As to whether the escaping is occurring at the right place, I would need some more information than you've provided. Hopefully that gives you enough information to proceed.

--
John Dennis <[email protected]>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
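The two escaping regimes John refers to are spelled out below as an added example; this is not code from the thread or from FreeRADIUS. It implements the RFC 4514 rules for attribute values inside a DN (backslash-char form, with the hex form available for any character) and the RFC 4515 rules for assertion values inside a search filter, then rebuilds the expanded filter from Vlad's debug output. The escape set `{',', '='}` used to reproduce that output is inferred from the output itself, not taken from the rlm_ldap 2.1.10 source. The decoder shows what an RFC 4515 server does with such a value: `\2c` and `\3d` are read back as the comma and equals sign, so the hex form is legal in a filter value. Whether the module should be escaping DN characters at that point is the question John leaves open; the `escape_filter_value` function shows the set a filter actually requires, which is also what stops a user-controlled value such as `*)(uid=*` from altering the filter.

```python
# Added example (not FreeRADIUS code): LDAP DN escaping per RFC 4514 and
# filter-value escaping per RFC 4515, applied to the DN from the debug output.

DN_SPECIAL = set('"+,;<>\\')          # RFC 4514 s.2.4: escape anywhere in a value
FILTER_SPECIAL = set('*()\\\x00')     # RFC 4515 s.3: the only chars a filter value MUST escape

# Taken from the post's debug output; the DN itself is the one Vlad printed.
USER_DN = 'uid=test,ou=IT,ou=Departments,ou=dom.tld,ou=Domains,ou=Users,dc=domain,dc=tld'

# Assumption, inferred from the output and not from rlm_ldap's source:
# the module hex-escaped exactly ',' and '=' in the expanded DN.
OBSERVED_ESCAPE_SET = {',', '='}


def hex_escape(value: str, specials) -> str:
    """Replace each character in `specials` by a backslash and two hex digits.

    Both RFC 4514 (DNs) and RFC 4515 (filters) accept this form for any
    character, which is what turns ',' into '\\2c' and '=' into '\\3d'.
    """
    return ''.join(f'\\{ord(ch):02x}' if ch in specials else ch for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use in a DN (RFC 4514 s.2.4).

    Uses the backslash-char form for the special set, a leading '#' or space
    and a trailing space; NUL has no printable form and must become '\\00'.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == '\x00':
            out.append('\\00')
        elif ch in DN_SPECIAL or (i == 0 and ch in ' #') or (i == last and ch == ' '):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for a search filter (RFC 4515 s.3).

    Only '*', '(', ')', '\\' and NUL are required; commas and '=' are plain
    characters inside a filter value and may be left alone.
    """
    return hex_escape(value, FILTER_SPECIAL)


def unescape_filter_value(value: str) -> str:
    """Decode '\\XX' sequences the way an RFC 4515 parser reads a filter value."""
    out = []
    i = 0
    while i < len(value):
        if value[i] == '\\':
            if i + 3 > len(value):
                raise ValueError(f'truncated escape at offset {i}')
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return ''.join(out)


def group_filter(user_dn: str, escape_set=FILTER_SPECIAL) -> str:
    """Build the group-membership filter from the post, escaping the DN
    with `escape_set` (the filter set by default, the observed set to
    reproduce the debug output exactly)."""
    v = hex_escape(user_dn, escape_set)
    return ('(|(&(objectClass=PosixGroup)(memberUnixUserName=%s))'
            '(&(objectClass=GroupOfUniqueNames)(uniquemember=%s)))' % (v, v))


if __name__ == '__main__':
    print(group_filter(USER_DN, OBSERVED_ESCAPE_SET))
    print(unescape_filter_value(hex_escape(USER_DN, OBSERVED_ESCAPE_SET)))
    print(escape_dn_value('Smith, John'))
    print(escape_filter_value('*)(uid=*'))
```

Running it prints the same expanded filter as the `[files] expand:` line in the post, then the DN recovered from it, then `Smith\, John` for the DN form and `\2a\29\28uid=\2a` for a filter value that would otherwise close the assertion early.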
