Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-18686

Add option to PAM authentication plugin to allow case insensitive username matching

    Details

      Description

      Some PAM modules, such as pam_winbind, automatically "normalize" usernames to all lower case characters. For example, see this log snippet from the comments of MDEV-18651:

      Feb 21 19:02:20 mariadev1 mysqld: pam_unix(password-auth:auth): authentication failure; logname= uid=502 euid=502 tty= ruser= rhost= user=JohnD
      Feb 21 19:02:20 mariadev1 mysqld: pam_winbind(password-auth:auth): Verify user 'JohnD'
      Feb 21 19:02:20 mariadev1 mysqld: pam_winbind(password-auth:auth): user 'JohnD' granted access
      Feb 21 19:02:20 mariadev1 mysqld: pam_winbind(password-auth:auth): Returned user was 'johnd'
      Feb 21 19:02:20 mariadev1 mysqld: pam_winbind(password-auth:account): user 'johnd' granted access
      

      It might be worthwhile to add an option to the PAM authentication plugin to allow case insensitive username matching in cases like this.

      For example, let's say that we have an option called pam_case_insensitive_usernames. Then, if this option were enabled, and if a user logged in with the "DBA" PAM user, and if the PAM module "normalized" this user name to "dba", then the PAM authentication plugin would still allow authentication to succeed, even if the MariaDB user had the name "DBA".

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                serg Sergei Golubchik
                Reporter:
                GeoffMontee Geoff Montee
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: