Univention Bugzilla – Bug 53262
Syntax-Error in /etc/freeradius/3.0/mods-available/ldap when admin password contains "
Last modified: 2021-05-29 17:38:35 CEST
During the install of "univention-radius" the LDAP admin password is written to /etc/freeradius/3.0/mods-available/ldap. In our case the password contains a " character, so the resulting entry in /etc/freeradius/3.0/mods-available/ldap looks like this:

    password = "somecharacters"somemorecharacters"

which is not valid syntax. FreeRADIUS generates the following startup error:

    freeradius[12462]: /etc/freeradius/3.0/mods-enabled/ldap[42]: Syntax error: Expected comma after 'somecharacters': somemorecharacters"

Workaround: manually change it to

    password = 'somecharacters"somemorecharacters'

(but this will be reversed by "ucr commit ldap").
My suggested fix of course does not work if the generated machine.secret turns out to contain a ' instead of a ". So the better fix is to not allow the " character as part of the machine secret. Unfortunately create_machine_password () in /usr/share/univention-lib/base.sh does not exclude that character. And it does not honour the UCR variable password/quality/forbidden/chars, so there is currently no workaround except modifying /usr/share/univention-lib/base.sh.
Instead of editing /usr/share/univention-lib/base.sh you can redefine create_machine_password () in a file of your own:

    #
    # /usr/share/univention-lib/zz-bug-53262.sh
    #
    create_machine_password () {
        # Length and complexity come from UCR, with the same defaults base.sh uses.
        local length="$(/usr/sbin/univention-config-registry get machine/password/length)"
        local compl="$(/usr/sbin/univention-config-registry get machine/password/complexity)"
        if [ -z "$length" ]; then
            length=20
        fi
        if [ -z "$compl" ]; then
            compl="scn"
        fi
        # -r\" removes the double quote from the set of characters pwgen may use;
        # tr strips the trailing newline so the secret is written without one.
        pwgen -1 -${compl} ${length} -r\" | tr -d '\n'
    }
create_machine_password() is used in many places, and each use would further limit the set of allowed characters. Instead of limiting the character set, do proper string escaping as documented in <https://freeradius.org/radiusd/man/unlang.html>.
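The escaping approach suggested in the last comment, as an added example that is not part of the bug report and not Univention's or FreeRADIUS's code: a POSIX shell helper that escapes a secret for a double-quoted FreeRADIUS config string (backslash and double quote each get a backslash prefix, the escapes radiusd.conf(5) and unlang(5) describe for "..." strings) and emits the password = "..." line. The function names and the sample secrets are assumptions made for this example; so is the claim that the 3.0 config parser honours \" and \\ inside double quotes, which is why the generated file should be checked with `freeradius -XC` before a restart.

```shell
#!/bin/sh
# Added example (not Univention's or FreeRADIUS's code): escape an arbitrary
# secret for a double-quoted string in a FreeRADIUS 3.0 config file.
# Assumption: the config parser accepts \" and \\ inside "..." as documented
# for double-quoted strings in radiusd.conf(5) / unlang(5); check a generated
# file with `freeradius -XC` before trusting it.

# Escape a value for use inside "...": every backslash and double quote gets a
# backslash prefix. Backslashes are handled first so the ones added for quotes
# are not doubled. Single quotes need no escaping inside "...", so a secret
# containing ' is fine too.
freeradius_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Reverse of freeradius_escape (only \\ and \" occur in its output), used here
# to show that the secret survives the round trip.
freeradius_unescape() {
    printf '%s\n' "$1" | sed -e 's/\\\(.\)/\1/g'
}

# Emit the config line the ldap module needs, with the secret escaped.
freeradius_password_line() {
    printf 'password = "%s"\n' "$(freeradius_escape "$1")"
}

# Constructed sample secrets (not real credentials): the shape from the bug
# report, and one that also contains a backslash and a single quote.
SECRET_FROM_BUG='somecharacters"somemorecharacters'
SECRET_MIXED='pa\ss"wo'"'"'rd'

for secret in "$SECRET_FROM_BUG" "$SECRET_MIXED"; do
    line=$(freeradius_password_line "$secret")
    echo "$line"
    # Strip the 'password = "' prefix and the closing quote, then undo the
    # escapes and compare with the original secret.
    inner=${line#"password = \""}
    inner=${inner%\"}
    if [ "$(freeradius_unescape "$inner")" = "$secret" ]; then
        echo "round trip OK"
    else
        echo "round trip FAILED" >&2
        exit 1
    fi
done
```

In a UCR template this replaces the bare `password = "@%@ldap/...@%@"` style substitution: the secret goes through freeradius_escape first, so the " (and any \) that pwgen may emit no longer terminates the string, and there is no need to shrink the character set of create_machine_password() for the sake of one consumer.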