From b88a1e38743e18035412397fb521d81357320516 Mon Sep 17 00:00:00 2001
From: Arran Cudbard-Bell
Date: Wed, 19 Nov 2014 14:22:09 -0500
Subject: [PATCH] Don't molest the DN we get back from libldap
---
 src/modules/rlm_ldap/ldap.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/src/modules/rlm_ldap/ldap.c b/src/modules/rlm_ldap/ldap.c
index bdefefd..6e22df3 100644
--- a/src/modules/rlm_ldap/ldap.c
+++ b/src/modules/rlm_ldap/ldap.c
@@ -969,13 +969,22 @@ char const *rlm_ldap_find_user(ldap_instance_t const *inst, REQUEST *request, ld
  goto finish;
  }
+ /*
+ * We can't use pairmake here to copy the value into the
+ * attribute, as the dn must be copied into the attribute
+ * verbatim (without de-escaping).
+ *
+ * Special chars are pre-escaped by libldap, and because
+ * we pass the string back to libldap we must not alter it.
+ */
  RDEBUG("User object found at DN \"%s\"", dn);
- vp = pairmake(request, &request->config_items, "LDAP-UserDN", dn, T_OP_EQ);
+ vp = pairmake(request, &request->config_items, "LDAP-UserDN", NULL, T_OP_EQ);
  if (vp) {
+ pairstrcpy(vp, dn);
  *rcode = RLM_MODULE_OK;
  }
- finish:
+finish:
  ldap_memfree(dn);
  if ((freeit || (*rcode != RLM_MODULE_OK)) && *result) {
-- 
2.1.4
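Review bot: The success branch sets `*rcode = RLM_MODULE_OK` immediately after `pairstrcpy(vp, dn);` without confirming that the DN was actually stored. Because `pairmake` is now called with a NULL value, the attribute holds no DN until that copy succeeds. If pairstrcpy can return without copying, for example on allocation failure (its body is not visible here), LDAP-UserDN would be left empty while the module reports OK, and whatever later binds or searches with that attribute would use an empty DN. Consider gating the result on the stored value, e.g. `if (vp->vp_strvalue) *rcode = RLM_MODULE_OK;` (assuming the string value is reachable under that name in this tree), and logging the case where `vp` is NULL, which currently falls through to `finish:` silently. rlm_ldap_find_user starts and ends outside the hunk, so the value `*rcode` holds on that path is not visible here.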