Lightdm changes case of username unless only certain users allowed
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
pam (Ubuntu) | Won't Fix | Undecided | Unassigned | |
Bug Description
Ubuntu 12.04
On a desktop where all our users are allowed to log in:
Feb 24 08:04:24 southafrica lightdm: pam_ldap(
and the user can successfully log in even though the username was typed with an upper case.
On a desktop where we have a restricted list of users, the list is FIRST checked, before the case is changed, so the user cannot log in (admittedly when typing the username "incorrectly"), even though they are in the list of allowed users.
Feb 24 08:04:18 southafrica lightdm: pam_listfile(
Feb 24 08:04:24 southafrica lightdm: pam_unix(
Feb 24 08:04:24 southafrica lightdm: pam_unix(
Feb 24 08:04:24 southafrica lightdm: pam_winbind(
Feb 24 08:04:24 southafrica lightdm: pam_winbind(
Feb 24 08:04:24 southafrica lightdm: pam_ldap(
0 root@southafric
auth required pam_listfile.so onerr=fail item=user sense=allow file=/etc/
0 root@southafric
gerhard
A local override is to add gerhard AND Gerhard to /etc/login.
affects: | lightdm (Ubuntu) → pam (Ubuntu) |
I'm sorry this bug has taken so long to find its way to the pam package. Unfortunately, this is not a bug per se in either component. The problem is a semantic difference between the two different pam modules: you are using pam_ldap, which does case-insensitive name lookups (because that's how LDAP works), together with pam_listfile which, like all the modules included in pam, works on case-sensitive usernames (because this is the standard Unix semantics).
We could reassign this bug to libpam-ldap, but this seems unlikely to result in a change in the behavior of that module since it's been that way for over a decade and no one's figured out a good way to fix it yet.
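The mismatch described in this report, as an added example that is not part of the original bug thread and is not PAM or libpam-ldap code: a simplified Python model that classifies a typed username the way the reported stack treats it, so that refusals caused only by letter case can be told apart from users who are genuinely not on the list. The function names, the directory contents and every allow-list entry other than `gerhard` are constructed assumptions.

```python
# Added illustration; a simplified model, not PAM or libpam-ldap source code.

def listfile_allows(typed, allow_lines):
    """Model of pam_listfile item=user sense=allow: exact, case-sensitive match."""
    entries = {line.strip() for line in allow_lines if line.strip()}
    return typed in entries


def directory_lookup(typed, directory_uids):
    """Model of a case-insensitive directory lookup; returns the stored uid or None."""
    by_folded = {uid.casefold(): uid for uid in directory_uids}
    return by_folded.get(typed.casefold())


def classify(typed, allow_lines, directory_uids):
    """Explain what the stack described in the bug does with one typed username."""
    stored = directory_lookup(typed, directory_uids)
    if stored is None:
        return "unknown-user"
    if listfile_allows(typed, allow_lines):
        return "allowed"
    if listfile_allows(stored, allow_lines):
        # The account is on the list, but the list check ran first and
        # compared the spelling exactly as typed.
        return "refused-case-only"
    return "refused-not-listed"


# Constructed sample data: "gerhard" is from the report, the rest is made up.
ALLOW_FILE = ["gerhard\n", "alice\n"]
DIRECTORY = ["gerhard", "alice", "bob"]


def triage(attempts):
    """Classify each attempted login name against the sample list and directory."""
    return {name: classify(name, ALLOW_FILE, DIRECTORY) for name in attempts}


if __name__ == "__main__":
    for name, verdict in triage(["gerhard", "Gerhard", "bob", "nobody1"]).items():
        print(f"{name:10} {verdict}")
```
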