
Re: nss-pam-ldap case sensitivity



Thank you for the help. I modified the files and they work 100%.


I do understand the security risks, but this unfortunately is something that has been with us for a while and would be hard to correct in a short amount of time. The best would be to correct the Novell edir tree to have lower-case users and groups. At this point in time I have been informed that our edir is case-insensitive as well, so we can't add 2 users with the same name but different cases.


I appreciate your time.

>>> Arthur de Jong <arthur@arthurdejong.org> 9/21/2011 9:49 PM >>>
On Tue, 2011-09-20 at 09:48 +0200, Michael Jedlicka wrote:
> Is there any possibility of adding the functionality of setting case
> sensitive and case insensitive searches as I do understand the
> security risk it poses with multiple usernames being returned but
> would prefer within the config an option. If this is not possible we
> will need to downgrade to an older version which did allow case
> insensitive searches for logins which undoes all the fixes done since
> that version.

There is currently no easy way to disable the case-sensitivity in
nslcd. More background on the security implications is here:
  http://arthurdejong.org/nss-pam-ldapd/news.html#20091122

A quick "fix" for this would be to replace the case-sensitivity checks
in nslcd/{passwd,group,shadow}.c from:
  if ((reqname==NULL)||(strcmp(reqname,names[i])==0))
with:
  if ((reqname==NULL)||(strcasecmp(reqname,names[i])==0))

You still have the security problems then though.

A better approach would be to always lower case user and group names
received from LDAP but that will be a bit tricky and ugly. It also
requires that the LDAP server keeps treating uid attribute searches
case-insensitively, otherwise the lookups won't work.

--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
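As an added illustration of the trade-off discussed above (this is stand-alone example code, not code from nslcd or from Arthur's message): a relaxed, strcasecmp-style match that nevertheless refuses to answer when two directory entries differ only in case, which is the ambiguity the thread warns about. The function names and the sample entries are constructed for the example.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>
#include <stdio.h>

/* Outcomes of resolving a requested name against the entries LDAP returned. */
#define MATCH_NONE      (-1)
#define MATCH_AMBIGUOUS (-2)

/* Compare one candidate against the request, strictly or ignoring case. */
static int name_equal(const char *reqname, const char *candidate, int ignore_case)
{
  return ignore_case ? (strcasecmp(reqname, candidate) == 0)
                     : (strcmp(reqname, candidate) == 0);
}

/* Return the index of the single entry matching reqname, MATCH_NONE if no
   entry matches, or MATCH_AMBIGUOUS if more than one matches. A second
   match is only possible in ignore_case mode (e.g. "alice" and "Alice"),
   and refusing it is the mitigation the strcasecmp "quick fix" lacks.
   A NULL reqname means "no filter" and yields the first entry, mirroring
   the (reqname==NULL) short-circuit in the quoted nslcd check. */
int resolve_name(const char *reqname, const char *names[], size_t count, int ignore_case)
{
  int found = MATCH_NONE;
  if (reqname == NULL)
    return count > 0 ? 0 : MATCH_NONE;
  for (size_t i = 0; i < count; i++) {
    if (!name_equal(reqname, names[i], ignore_case))
      continue;
    if (found != MATCH_NONE)
      return MATCH_AMBIGUOUS;   /* a case-variant duplicate: refuse to pick */
    found = (int)i;
  }
  return found;
}

/* Constructed sample directory: two entries that differ only in case. */
static const char *SAMPLE_NAMES[] = { "alice", "Alice", "bob" };

int sample_lookup(const char *reqname, int ignore_case)
{
  size_t n = sizeof(SAMPLE_NAMES) / sizeof(SAMPLE_NAMES[0]);
  return resolve_name(reqname, SAMPLE_NAMES, n, ignore_case);
}

int main(void)
{
  printf("strict  'Alice' -> %d\n", sample_lookup("Alice", 0));  /* 1 */
  printf("relaxed 'BOB'   -> %d\n", sample_lookup("BOB", 1));    /* 2 */
  printf("relaxed 'ALICE' -> %d\n", sample_lookup("ALICE", 1));  /* -2 */
  return 0;
}
```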

