Hi! I have a Problem using the ldap Module to search in the ldap Tree for a specific Attribute Containing a (.

I am using FreeRadius (2.1.12) for 802.1X Authentication (EAP-TLS) which is working fine. After successful EAP Authentication, I want to check if the User has an Entry in the LDAP. During authenticate (I just changed a bit of formatting to have it readable here):

    Auth-Type eap {
        eap
        # Some Code to react to EAP Auth Failures
        if ( "%{TLS-Client-Cert-Common-Name}" != "" ) {
            update control {
                Tmp-String-1 = "%{ldap_WLAN_auth:ldap:///cn=UserAccounts,dc=DE?cn?sub?(&(CommonName=%{TLS-Client-Cert-Common-Name})(allowedSSID=%{Aruba-Essid-Name}))}"
            }
            if ("%{control:Tmp-String-1}" == "") {
                update control {
                    Auth-Type := "Reject"
                }
                update reply {
                    Reply-Message = "The user %{User-Name} is not known or allowed to access the SSID %{Aruba-Essid-Name}"
                }
                reject
            }
        }
    }

Now the {TLS-Client-Cert-Common-Name} contains a ( and a ) which leads to a bad search filter:

    |Debug: [ldap_WLAN_auth] - ldap_xlat
    |Info: expand: ldap:///cn=UserAccounts,dc=NI-NGN,dc=DE?cn?sub?(&(CommonName=%{TLS-Client-Cert-Common-Name})(allowedSSID=%{Aruba-Essid-Name})) -> ldap:///cn=UserAccounts,dc=DE?cn?sub?(&(CommonName=Testuser(10) Daniel)(allowedSSID=ssid-data))
    |Debug: [ldap_WLAN_auth] ldap_get_conn: Checking Id: 0
    |Debug: [ldap_WLAN_auth] ldap_get_conn: Got Id: 0
    |Debug: [ldap_WLAN_auth] performing search in cn=UserAccounts,dc=DE, with filter (&(CommonName=Testuser(10) Daniel)(allowedSSID=ssid-data))
    |ldap_search() failed: Bad search filter: (&(CommonName=Testuser(10) Daniel)(allowedSSID=ssid-data))
    |Debug: [ldap_WLAN_auth] Search returned error
    |Debug: [ldap_WLAN_auth] ldap_release_conn: Release Id: 0
    |Info: expand: %{ldap_WLAN_auth:ldap:///cn=UserAccounts,dc=DE?cn?sub?(&(CommonName=%{TLS-Client-Cert-Common-Name})(allowedSSID=%{Aruba-Essid-Name}))} ->

If I have searched correctly it should work if I rewrite the Attribute with \28 for ( and \29 for ) (as ascii string, not escaped :-)). As it seems the rewrite Module is not the solution, as I could not get it to do this :-)

It works as I expected it to do if the CommonName does not contain the Parentheses. Any Ideas to work around these Parentheses? Preferably using any Char allowed in the Common Name, as I expect it to contain Umlauts or an & Char.

Greetings,
Daniel
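The \28 / \29 rewriting the post describes is the RFC 4515 escaping rule for assertion values in an LDAP search filter. As an added illustration (not from the post, and not FreeRADIUS or rlm_ldap code; the function names are my own), this escapes the CN from the debug output and also covers the umlaut and & cases the poster expects:

```python
# Added example: RFC 4515 escaping of values substituted into an LDAP
# search filter. Unescaped values let '(' ')' '*' '\' in a certificate
# subject alter the filter structure (here: "Bad search filter"; in
# other cases a broader match than intended).

def escape_filter_value(value: str) -> str:
    """Escape one assertion value for an LDAP search filter (RFC 4515 s.3).
    '(' ')' '*' '\\' and NUL become a backslash plus two hex digits; any
    non-ASCII character is emitted as the escaped bytes of its UTF-8 form,
    which is how the value travels on the wire anyway."""
    out = []
    for ch in value:
        if ch in '()*\\\x00':
            out.append('\\%02x' % ord(ch))
        elif ord(ch) < 0x80:
            out.append(ch)          # '&', spaces, digits etc. are plain
        else:
            out.append(''.join('\\%02x' % b for b in ch.encode('utf-8')))
    return ''.join(out)


def unescape_filter_value(escaped: str) -> str:
    """Inverse of escape_filter_value, used here to check the round trip.
    Raises ValueError on a dangling or non-hex escape."""
    buf = bytearray()
    i = 0
    while i < len(escaped):
        if escaped[i] == '\\':
            hexpair = escaped[i + 1:i + 3]
            if len(hexpair) != 2 or any(c not in '0123456789abcdefABCDEF' for c in hexpair):
                raise ValueError('malformed escape at offset %d' % i)
            buf.append(int(hexpair, 16))
            i += 3
        else:
            buf.extend(escaped[i].encode('utf-8'))
            i += 1
    return buf.decode('utf-8')


def build_filter(common_name: str, ssid: str) -> str:
    """The filter from the post, with both substituted values escaped."""
    return '(&(CommonName=%s)(allowedSSID=%s))' % (
        escape_filter_value(common_name), escape_filter_value(ssid))


if __name__ == '__main__':
    # Constructed sample values: the CN from the debug log plus an umlaut/& case.
    for cn in ('Testuser(10) Daniel', 'Müller & Söhne', 'a*b\\c'):
        print(build_filter(cn, 'ssid-data'))
```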
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html