RSS feed

Re: nss-pam-ldap case sensitivity

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: nss-pam-ldap case sensitivity

On Tue, 2011-09-20 at 09:48 +0200, Michael Jedlicka wrote:
> Is there any possibility of adding the functionality of setting case
> sensitive and case insensitive searches as I do understand the
> security risk it poses with multiple usernames being returned but
> would prefer within the config an option. If this is not possible we
> will need to downgrade to an older version which did allow case
> insensitive searches for logins which undoes all the fixes done since
> that version.

There is currently is no easy way to disable the case-sensitivity in
nslcd. More background on the security implications are here:

A quick "fix" for this would be to replace the case-sensitivity checks
in nslcd/{passwd,group,shadow}.c from:
  if ((reqname==NULL)||(strcmp(reqname,names[i])==0))
  if ((reqname==NULL)||(strcasecmp(reqname,names[i])==0))

You still have the security problems then though.

A better approach would be to always lower case user and group names
received from LDAP but that will be a bit tricky and ugly. It also
requires that the LDAP server keeps treating uid attribute searches
case-insensitively, otherwise the lookups won't work.

-- arthur - - --
To unsubscribe send an email to or see