
Re: nss-pam-ldap case sensitivity


On Tue, 2011-09-20 at 09:48 +0200, Michael Jedlicka wrote:
> Is there any possibility of adding the functionality of setting case
> sensitive and case insensitive searches as I do understand the
> security risk it poses with multiple usernames being returned but
> would prefer within the config an option. If this is not possible we
> will need to downgrade to an older version which did allow case
> insensitive searches for logins which undoes all the fixes done since
> that version.

There is currently no easy way to disable the case-sensitivity in
nslcd. More background on the security implications is here:
  http://arthurdejong.org/nss-pam-ldapd/news.html#20091122

A quick "fix" for this would be to replace the case-sensitivity checks
in nslcd/{passwd,group,shadow}.c from:
  if ((reqname==NULL)||(strcmp(reqname,names[i])==0))
with:
  if ((reqname==NULL)||(strcasecmp(reqname,names[i])==0))

You still have the security problems then though.

A better approach would be to always lower case user and group names
received from LDAP but that will be a bit tricky and ugly. It also
requires that the LDAP server keeps treating uid attribute searches
case-insensitively, otherwise the lookups won't work.

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
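To illustrate why the strcmp/strcasecmp swap above is unsafe, here is an added example (not nslcd's code): a constructed list of uid values that a case-insensitive directory could return for one lookup, the exact check nslcd uses, the loosened check that accepts more than one entry, and a variant that refuses an ambiguous match. The candidate list and function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample: values an LDAP search for uid=<name> could return
   when the server compares the uid attribute case-insensitively. */
static const char *const names[] = { "Admin", "admin", "alice", NULL };

/* Strict variant, as in nslcd: exact match only. Returns index or -1. */
int find_exact(const char *reqname, const char *const *cands)
{
    for (int i = 0; cands[i] != NULL; i++)
        if (strcmp(reqname, cands[i]) == 0)
            return i;
    return -1;
}

/* How many entries the loosened strcasecmp check would accept; anything
   above 1 means one login name resolves to several directory accounts. */
int count_casefold_matches(const char *reqname, const char *const *cands)
{
    int n = 0;
    for (int i = 0; cands[i] != NULL; i++)
        if (strcasecmp(reqname, cands[i]) == 0)
            n++;
    return n;
}

/* Case-insensitive lookup that only succeeds when exactly one entry matches;
   an ambiguous result is treated as "not found" rather than picking one. */
int find_unambiguous(const char *reqname, const char *const *cands)
{
    int found = -1;
    for (int i = 0; cands[i] != NULL; i++)
        if (strcasecmp(reqname, cands[i]) == 0) {
            if (found != -1)
                return -1; /* second match: refuse the lookup */
            found = i;
        }
    return found;
}

int main(void)
{
    printf("exact 'ADMIN': %d\n", find_exact("ADMIN", names));
    printf("casefold matches 'ADMIN': %d\n", count_casefold_matches("ADMIN", names));
    printf("unambiguous 'ADMIN': %d\n", find_unambiguous("ADMIN", names));
    printf("unambiguous 'ALICE': %d\n", find_unambiguous("ALICE", names));
    return 0;
}
```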