Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-18686

Add option to PAM authentication plugin to allow case insensitive username matching

    XMLWordPrintable

Details

    Description

      Some PAM modules, such as pam_winbind, automatically "normalize" usernames to all lower case characters. For example, see this log snippet from the comments of MDEV-18651:

      Feb 21 19:02:20 mariadev1 mysqld: pam_unix(password-auth:auth): authentication failure; logname= uid=502 euid=502 tty= ruser= rhost= user=JohnD
      Feb 21 19:02:20 mariadev1 mysqld: pam_winbind(password-auth:auth): Verify user 'JohnD'
      Feb 21 19:02:20 mariadev1 mysqld: pam_winbind(password-auth:auth): user 'JohnD' granted access
      Feb 21 19:02:20 mariadev1 mysqld: pam_winbind(password-auth:auth): Returned user was 'johnd'
      Feb 21 19:02:20 mariadev1 mysqld: pam_winbind(password-auth:account): user 'johnd' granted access
      

      It might be worthwhile to add an option to the PAM authentication plugin to allow case insensitive username matching in cases like this.

      For example, let's say that we have an option called pam_case_insensitive_usernames. Then, if this option were enabled, and if a user logged in with the "DBA" PAM user, and if the PAM module "normalized" this user name to "dba", then the PAM authentication plugin would still allow authentication to succeed, even if the MariaDB user had the name "DBA".

      Attachments

        Issue Links

          Activity

            People

              serg Sergei Golubchik
              GeoffMontee Geoff Montee (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.