Force lowercase usernames via PAM/LDAP
Simon Matter
simon.matter at ch.sauter-bc.com
Fri Aug 8 07:51:12 EDT 2003
Hi Cyrus IMAPd users,

I've been having problems when I realized that there are authentication
methods which are case insensitive regarding the username. Many people
in non *X worlds are used to mixing case in their username when logging on
to different services. I realized that most current software packages
support some option to lowercase usernames but my problem was that
authenticating against PAM->LDAP simply succeeds whatever case was used
for the username.

I have then looked for a way to force PAM to only authenticate lowercase
usernames but unfortunately I didn't find a simple solution and I didn't
want to change the LDAP schema. Did I miss something here? I really
didn't find a way to deny authentication with uppercase usernames.

So, I decided to create my own PAM plugin which simply denies access
when a username contains uppercase letters. I'm using the following
config as my ldap-auth stack:

    #%PAM-1.0
    # Authenticate against LDAP but only if username is lowercase
    auth       requisite    /lib/security/pam_deny_uc.so
    auth       required     /lib/security/pam_ldap.so
    account    required     /lib/security/pam_ldap.so

The plugin, including RPMs, is here:
http://home.teleport.ch/simix/RPMS/Pam_deny_uc/

The binary RPM is built on RedHat 7.2. To rebuild on another version, do:

    rpmbuild -tb pam_deny_uc-0.1.tar.gz

On RedHat 6.2, one must use:

    rpmbuild -tb --nodeps pam_deny_uc-0.1.tar.gz

I hope this can help some people who have problems with mixed case
usernames. Feedback is always welcome.

Regards,
Simon
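
A sketch of the kind of module the post describes, as an added example that is not the pam_deny_uc source or part of the original message: an auth hook that fails when the username contains an ASCII uppercase letter. The module name pam_lc_only, the BUILD_PAM_MODULE switch and the sample names are assumptions made for illustration.

```c
/* Added example, not the pam_deny_uc source. Build as a PAM module with:
 *   gcc -fPIC -shared -DBUILD_PAM_MODULE -o pam_lc_only.so pam_lc_only.c -lpam
 * Without -DBUILD_PAM_MODULE it builds as a small self-test program. */
#include <stdio.h>

/* Return 1 if the name is non-empty and has no ASCII uppercase letter.
 * Assumption: usernames are ASCII; other bytes are left to later modules. */
int username_is_acceptable(const char *name)
{
    const unsigned char *p = (const unsigned char *)name;
    if (name == NULL || *name == '\0')
        return 0;                      /* no usable name: fail closed */
    for (; *p != '\0'; p++)
        if (*p >= 'A' && *p <= 'Z')
            return 0;
    return 1;
}

#ifdef BUILD_PAM_MODULE
#include <security/pam_modules.h>
/* auth hook: with "requisite", a failure here ends the stack before pam_ldap */
int pam_sm_authenticate(pam_handle_t *pamh, int flags,
                        int argc, const char **argv)
{
    const char *user = NULL;
    (void)flags; (void)argc; (void)argv;
    if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS)
        return PAM_AUTH_ERR;
    return username_is_acceptable(user) ? PAM_SUCCESS : PAM_AUTH_ERR;
}

/* Nothing to set up or tear down for credentials. */
int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    (void)pamh; (void)flags; (void)argc; (void)argv;
    return PAM_SUCCESS;
}
#else
int main(void)
{
    const char *names[] = { "simon", "Simon", "SIMON", "s.matter", "" };  /* constructed */
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-10s -> %s\n", names[i],
               username_is_acceptable(names[i]) ? "allow" : "deny");
    return 0;
}
#endif
```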