Some time ago, I submitted the below security issue, and I wanted to know when the next release was due that (hopefully) fixed the issue(!?!?)
-Ben > If I know a valid password for any > account, I can get in with a username of "*", and the valid password. > > Passwords appear to be properly handled, usernames are apparently not being > escaped by the rlm_ldap module. (as of 0.8.1) Anytime more than one user has > the same password, this hole does not work. (so it's properly checking for > multiple query returns) > > -Ben - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html