[MDEV-18686] Add option to PAM authentication plugin to allow case insensitive username matching - Jira

XML

Word

Printable

Details

Type: Task
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Fix Version/s: 10.2.24, 10.1.39, 10.3.15, 10.4.5
Component/s: Plugin - pam
Labels:
None

Description

Some PAM modules, such as pam_winbind, automatically "normalize" usernames to all lower case characters. For example, see this log snippet from the comments of ~~MDEV-18651~~:

Feb 21 19:02:20 mariadev1 mysqld: pam_unix(password-auth:auth): authentication failure; logname= uid=502 euid=502 tty= ruser= rhost= user=JohnD

Feb 21 19:02:20 mariadev1 mysqld: pam_winbind(password-auth:auth): Verify user 'JohnD'

Feb 21 19:02:20 mariadev1 mysqld: pam_winbind(password-auth:auth): user 'JohnD' granted access

Feb 21 19:02:20 mariadev1 mysqld: pam_winbind(password-auth:auth): Returned user was 'johnd'

Feb 21 19:02:20 mariadev1 mysqld: pam_winbind(password-auth:account): user 'johnd' granted access

It might be worthwhile to add an option to the PAM authentication plugin to allow case insensitive username matching in cases like this.

For example, let's say that we have an option called pam_case_insensitive_usernames. Then, if this option were enabled, and if a user logged in with the "DBA" PAM user, and if the PAM module "normalized" this user name to "dba", then the PAM authentication plugin would still allow authentication to succeed, even if the MariaDB user had the name "DBA".

Attachments

Issue Links

relates to

MDEV-18651 PAM authentication forces lowercase.

Closed

Activity

People

Assignee:: Sergei Golubchik

Reporter:: Geoff Montee

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2019-02-21 20:32

Updated:: 2019-04-25 07:27

Resolved:: 2019-04-25 07:27

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.