RSS feed

Re: nss-pam-ldap case sensitivity

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: nss-pam-ldap case sensitivity

Thank you for the help, modified the files and they work 100%

I do understand the security risks but this unfortunately is something that has been with us for a while and would be hard to correct in a short amount of time. The best would be to correct the Novell edir tree to have lower case users and groups. At this point in time I have been informed that our edir is case insensitive as well so we can't add 2 users with the same name but different cases.

I appreciate your time.

>>> Arthur de Jong <> 9/21/2011 9:49 PM >>>
On Tue, 2011-09-20 at 09:48 +0200, Michael Jedlicka wrote:
> Is there any possibility of adding the functionality of setting case
> sensitive and case insensitive searches as I do understand the
> security risk it poses with multiple usernames being returned but
> would prefer within the config an option. If this is not possible we
> will need to downgrade to an older version which did allow case
> insensitive searches for logins which undoes all the fixes done since
> that version.

There is currently is no easy way to disable the case-sensitivity in
nslcd. More background on the security implications are here:

A quick "fix" for this would be to replace the case-sensitivity checks
in nslcd/{passwd,group,shadow}.c from:
  if ((reqname==NULL)||(strcmp(reqname,names[i])==0))
  if ((reqname==NULL)||(strcasecmp(reqname,names[i])==0))

You still have the security problems then though.

A better approach would be to always lower case user and group names
received from LDAP but that will be a bit tricky and ugly. It also
requires that the LDAP server keeps treating uid attribute searches
case-insensitively, otherwise the lookups won't work.

-- arthur - - --


This e-mail may contain confidential information and may be legally privileged and is intended only for the person to whom it is addressed. If you are not the intended recipient, you are notified that you may not use, distribute or copy this document in any manner whatsoever. Kindly also notify the sender immediately by telephone, and delete the e-mail. When addressed to clients of the company from where this e-mail originates ("the sending company") any opinion or advice contained in this e-mail is subject to the terms and conditions expressed in any applicable terms of business or client engagement letter . The sending company does not accept liability for any damage, loss or expense arising from this e-mail and/or from the accessing of any files attached to this e-mail.

If this e-mail contains abusive and/or inappropriate content please report it to

To unsubscribe send an email to or see