Hi!

I have a problem using the ldap module to search the LDAP tree for a
specific attribute containing a (.

I am using FreeRadius (2.1.12) for 802.1X authentication (EAP-TLS), which
is working fine. After successful EAP authentication, I want to check whether
the user has an entry in the LDAP:

During authenticate (I just changed a bit of formatting to have it readable
here):

Auth-Type eap {
        eap
        # Some Code to react to EAP Auth Failures

        if ( "%{TLS-Client-Cert-Common-Name}" != "" ) {
                update control {
                        Tmp-String-1 = "%{ldap_WLAN_auth:ldap:///cn=UserAccounts,dc=DE?cn?sub?(&(CommonName=%{TLS-Client-Cert-Common-Name})(allowedSSID=%{Aruba-Essid-Name}))}"
                }
        }

        if ("%{control:Tmp-String-1}" == "") {
                update control {
                        Auth-Type := "Reject"
                }
                update reply {
                        Reply-Message = "The user %{User-Name} is not known or allowed to access the SSID %{Aruba-Essid-Name}"
                }
                reject
        }
        # closing braces assumed from the indentation; the wrapped strings above were rejoined onto single lines
}

Now the {TLS-Client-Cert-Common-Name} contains a ( and a ) which leads to a
bad search filter:

|Debug:   [ldap_WLAN_auth] - ldap_xlat
|Info:        expand:
ldap:///cn=UserAccounts,dc=NI-NGN,dc=DE?cn?sub?(&(CommonName=%{TLS-Client-Cert-Common-Name})(allowedSSID=%{Aruba-Essid-Name}))
-> ldap:///cn=UserAccounts,dc=DE?cn?sub?(&(CommonName=Testuser(10)
Daniel)(allowedSSID=ssid-data))
|Debug:   [ldap_WLAN_auth] ldap_get_conn: Checking Id: 0
|Debug:   [ldap_WLAN_auth] ldap_get_conn: Got Id: 0
|Debug:   [ldap_WLAN_auth] performing search in cn=UserAccounts,dc=DE, with
filter (&(CommonName=Testuser(10) Daniel)(allowedSSID=ssid-data))
|ldap_search() failed: Bad search filter: (&(CommonName=Testuser(10)
Daniel)(allowedSSID=ssid-data))
|Debug:   [ldap_WLAN_auth] Search returned error
|Debug:   [ldap_WLAN_auth] ldap_release_conn: Release Id: 0
|Info:        expand:
%{ldap_WLAN_auth:ldap:///cn=UserAccounts,dc=DE?cn?sub?(&(CommonName=%{TLS-Client-Cert-Common-Name})(allowedSSID=%{Aruba-Essid-Name}))}
->


If I have searched correctly, it should work if I rewrite the attribute with
\28 for ( and \29 for ) (as an ASCII string, not escaped :-)).

As it seems, the rewrite module is not the solution, as I could not get it to
do this :-)

It works as I expected if the CommonName does not contain the
parentheses.
Any ideas to work around these parentheses? Preferably using any char
allowed in the Common Name, as I expect it to contain umlauts or an & char.

Greetings,
Daniel

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
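As an added illustration (not code from the post or from FreeRADIUS), this Python shows the RFC 4515 escaping a certificate CN needs before it is interpolated into an LDAP filter, applied to the CN from the debug output above; the function names are mine, and it also covers umlauts (escaped as UTF-8 bytes) and the & char, which needs no escaping.

```python
# Added example: RFC 4515 escaping for values interpolated into an LDAP search
# filter. Any value taken from a client certificate is attacker-influenced, so
# it must be escaped before it lands inside a filter string.
import re

# RFC 4515 section 3: these characters must be escaped inside an assertion value.
_SPECIAL = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

# Grammar of an already-escaped assertion value: plain chars or \XX sequences.
_VALID_VALUE = re.compile(r"^(?:[^\\()*\x00]|\\[0-9a-fA-F]{2})*$")


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP filter.

    Special characters and every non-ASCII character (as its UTF-8 bytes)
    become \\XX hex escapes, so "Testuser(10)" turns into "Testuser\\2810\\29".
    """
    out = []
    for ch in value:
        if ch in _SPECIAL:
            out.append(_SPECIAL[ch])
        elif ord(ch) < 0x80:
            out.append(ch)
        else:
            # Umlauts etc.: escape each UTF-8 byte; always valid per RFC 4515.
            out.append("".join("\\%02x" % b for b in ch.encode("utf-8")))
    return "".join(out)


def value_is_valid(value: str) -> bool:
    """True if the value contains no unescaped filter metacharacters.

    The unescaped CN from the post fails this check even though its
    parentheses are balanced, which is why the server reports a bad filter.
    """
    return _VALID_VALUE.match(value) is not None


def build_filter(common_name: str, ssid: str) -> str:
    """Build the filter used in the post with both untrusted values escaped."""
    return "(&(CommonName=%s)(allowedSSID=%s))" % (
        escape_filter_value(common_name), escape_filter_value(ssid))


if __name__ == "__main__":
    cn = "Testuser(10) Daniel"  # constructed from the CN in the debug output
    print(value_is_valid(cn), value_is_valid(escape_filter_value(cn)))
    print(build_filter(cn, "ssid-data"))
```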
