Force lowercase usernames via PAM/LDAP

Simon Matter simon.matter at ch.sauter-bc.com
Fri Aug 8 07:51:12 EDT 2003


Hi Cyrus IMAPd users,

I've been having problems when I realized that there are authentication
methods which are case insensitive regarding the username. Many people
in non *X worlds are used to mixing case in their username when logging on
to different services. I realized that most current software packages
support some option to lowercase usernames but my problem was that
authenticating against PAM->LDAP simply succeeds whatever case was used
for the username.
I have then looked for a way to force PAM to only authenticate lowercase
usernames but unfortunately I didn't find a simple solution and I didn't
want to change the LDAP schema. Did I miss something here? I really
didn't find a way to deny authentication with uppercase usernames.

So, I decided to create my own PAM plugin which simply denies access
when a username contains uppercase letters. I'm using the following
config as my ldap-auth stack:

#%PAM-1.0
# Authenticate against LDAP but only if username is lowercase
auth        requisite     /lib/security/pam_deny_uc.so
auth        required      /lib/security/pam_ldap.so
account     required      /lib/security/pam_ldap.so

The plugin, including RPMs, is here:
http://home.teleport.ch/simix/RPMS/Pam_deny_uc/

The binary rpm is built on RedHat 7.2. To rebuild on other versions, do:
rpmbuild -tb pam_deny_uc-0.1.tar.gz

On RedHat 6.2, one must use:
rpmbuild -tb --nodeps pam_deny_uc-0.1.tar.gz

I hope this can help some people who have problems with mixed case
usernames. Feedback is always welcome.

Regards,
Simon
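
The post does not include the module source. The following is an added example, not the pam_deny_uc code from the post, of how an auth module used as "requisite" ahead of pam_ldap.so can reject any username containing uppercase letters. Assumptions: Linux-PAM headers, and the hypothetical names lc_only_example.c, pam_lc_only_example.so, username_is_lowercase and BUILD_PAM_MODULE.

```c
/* Added example, not the pam_deny_uc source. Assumed file name: lc_only_example.c
 * Build: gcc -fPIC -shared -DBUILD_PAM_MODULE -o pam_lc_only_example.so lc_only_example.c -lpam */
#include <stddef.h>
#include <stdio.h>

/* Return 1 if the name is non-empty and has no ASCII 'A'-'Z', else 0.
 * Bytes are compared directly, so the result does not depend on the locale;
 * non-ASCII uppercase letters are NOT detected by this check. */
int username_is_lowercase(const char *user)
{
    if (user == NULL || *user == '\0')
        return 0;                       /* fail closed on a missing name */
    for (const unsigned char *p = (const unsigned char *)user; *p; p++)
        if (*p >= 'A' && *p <= 'Z')
            return 0;
    return 1;
}

#ifdef BUILD_PAM_MODULE
#define PAM_SM_AUTH
#include <security/pam_modules.h>
#include <security/pam_ext.h>
#include <syslog.h>

/* auth hook: as "requisite", PAM_AUTH_ERR ends the stack before pam_ldap runs */
int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    const char *user = NULL;
    (void)flags; (void)argc; (void)argv;
    if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || !username_is_lowercase(user)) {
        /* The name is not logged: users sometimes type a password into that field */
        pam_syslog(pamh, LOG_NOTICE, "rejected: username missing or not lowercase");
        return PAM_AUTH_ERR;
    }
    return PAM_SUCCESS;                 /* the LDAP module still decides the outcome */
}

/* This module holds no credentials, so there is nothing to set or delete */
int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    (void)pamh; (void)flags; (void)argc; (void)argv;
    return PAM_SUCCESS;
}
#else
/* Stand-alone build: report the decision for each name given as an argument */
int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++)
        printf("%s: %s\n", argv[i], username_is_lowercase(argv[i]) ? "allow" : "deny");
    return 0;
}
#endif
```

Compiled without -DBUILD_PAM_MODULE, the same file builds as a small command-line checker, which is a quick way to test the rule against a list of account names before installing the module.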



