[MDEV-18686] Add option to PAM authentication plugin to allow case insensitive username matching
Created: 2019-02-21  Updated: 2019-04-25  Resolved: 2019-04-25

Status: Closed
Project: MariaDB Server
Component/s: Plugin - pam
Fix Version/s: 10.2.24, 10.1.39, 10.3.15, 10.4.5

Type: Task
Priority: Major
Reporter: Geoff Montee (Inactive)
Assignee: Sergei Golubchik
Resolution: Fixed
Votes: 0
Labels: None

Issue Links:
Relates
relates to MDEV-18651 PAM authentication forces lowercase. Closed

 Description   

Some PAM modules, such as pam_winbind, automatically "normalize" usernames to all lower case characters. For example, see this log snippet from the comments of MDEV-18651:

Feb 21 19:02:20 mariadev1 mysqld: pam_unix(password-auth:auth): authentication failure; logname= uid=502 euid=502 tty= ruser= rhost= user=JohnD
Feb 21 19:02:20 mariadev1 mysqld: pam_winbind(password-auth:auth): Verify user 'JohnD'
Feb 21 19:02:20 mariadev1 mysqld: pam_winbind(password-auth:auth): user 'JohnD' granted access
Feb 21 19:02:20 mariadev1 mysqld: pam_winbind(password-auth:auth): Returned user was 'johnd'
Feb 21 19:02:20 mariadev1 mysqld: pam_winbind(password-auth:account): user 'johnd' granted access

It might be worthwhile to add an option to the PAM authentication plugin to allow case insensitive username matching in cases like this.

For example, let's say that we have an option called pam_case_insensitive_usernames. Then, if this option were enabled, and if a user logged in with the "DBA" PAM user, and if the PAM module "normalized" this user name to "dba", then the PAM authentication plugin would still allow authentication to succeed, even if the MariaDB user had the name "DBA".



 Comments   
Comment by Sergei Golubchik [ 2019-04-18 ]

added an option --pam-winbind-workaround
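
The username comparison requested in the description, as an added example that is not MariaDB's plugin code. The function names, the `case_insensitive` flag and the policy of rejecting every difference other than letter case are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>

/* How the name PAM reports back relates to the name used at login. */
enum name_match { NAME_EXACT, NAME_CASE_ONLY, NAME_DIFFERENT };

/* ASCII-only folding, so the result does not depend on the process locale. */
static unsigned char ascii_lower(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') ? (unsigned char)(c + ('a' - 'A')) : c;
}

/* Classify the difference between the requested and the returned name. */
enum name_match compare_pam_names(const char *requested, const char *returned)
{
    bool case_differs = false;
    size_t i;

    if (requested == NULL || returned == NULL)
        return NAME_DIFFERENT;
    for (i = 0; requested[i] != '\0' && returned[i] != '\0'; i++) {
        unsigned char a = (unsigned char)requested[i];
        unsigned char b = (unsigned char)returned[i];
        if (a == b)
            continue;
        if (ascii_lower(a) != ascii_lower(b))
            return NAME_DIFFERENT;      /* a different letter, not just case */
        case_differs = true;
    }
    if (requested[i] != returned[i])    /* one name is a prefix of the other */
        return NAME_DIFFERENT;
    return case_differs ? NAME_CASE_ONLY : NAME_EXACT;
}

/* Hypothetical policy: a case-only difference is accepted only when the
 * option is enabled; any other difference is always a mismatch. */
bool login_name_accepted(const char *requested, const char *returned,
                         bool case_insensitive)
{
    switch (compare_pam_names(requested, returned)) {
    case NAME_EXACT:     return true;
    case NAME_CASE_ONLY: return case_insensitive;
    default:             return false;
    }
}
```

Separating the case-only result from a real mismatch keeps the relaxed comparison limited to the lowercasing seen in the log above ('JohnD' returned as 'johnd') and does not accept names that differ in any other way.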
