Package: libpam-ldap
Version: 184-8.7+b1
Severity: normal
Dear Maintainer,
This is a related follow-up to bug #842202, in which I reported that
lightdm exhibited issues when users logged in, via the pam_ldap stack, using
mixed-case usernames (e.g. Bkroth instead of bkroth).
As noted there, the LDAP schemas allow for the uid attribute to match
via case insensitive "equality" matches.
However, the issue is that pam_ldap then (somewhat naturally) returns
the user-provided data (it did successfully return a search, after all)
to the application rather than the server-provided uid LDAP attribute
response.
Some applications perform their own NSS-based lookup and ignore the data
provided by pam, but others (e.g. lightdm) just use the data returned by
pam.
The following patch basically backports the fixed behavior from
libpam-ldap-186 to have pam return the authoritative server data
instead. Additionally, it includes the optimization of only fetching
the necessary attributes in the ldap call rather than all of them
associated with the user.
Alternatively, one could just backport 186 for jessie/wheezy, but that
package as it stands in stretch currently has an issue with the default
ldap conf file location (which I'll get to in a moment).
Let me know if you have any questions.
Thanks,
Brian
-- System Information:
Debian Release: 8.6
APT prefers stable
APT policy: (500, 'stable'), (120, 'testing'), (110, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages libpam-ldap depends on:
ii debconf [debconf-2.0] 1.5.56
ii libc6 2.19-18+deb8u6
ii libldap-2.4-2 2.4.40+dfsg-1+deb8u2
ii libpam-runtime 1.1.8-3.1+deb8u1
ii libpam0g 1.1.8-3.1+deb8u1+b1
libpam-ldap recommends no packages.
Versions of packages libpam-ldap suggests:
ii libnss-ldap 265-3+b1
-- debconf information excluded
diff -u -ruN libpam-ldap-184/debian/changelog libpam-ldap-184.cae/debian/changelog
--- libpam-ldap-184/debian/changelog 2016-11-17 15:42:41.000000000 -0600
+++ libpam-ldap-184.cae/debian/changelog 2016-11-17 15:47:30.976030991 -0600
@@ -1,3 +1,13 @@
+libpam-ldap (184-8.7+b1+caejessie1) cae-jessie-backports; urgency=medium
+
+ * Non-maintainer upload.
+ * Backport a few features from libpam-ldap-186:
+ * Noramlize username by returning server provided attribute instead of user
+ provided attribute.
+ * Also limit the attributes fetched from the LDAP server.
+
+ -- Brian Kroth <bpkr...@gmail.com> Thu, 17 Nov 2016 15:32:37 -0600
+
libpam-ldap (184-8.7) unstable; urgency=medium
* Non-maintainer upload.
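Review bot: the version on the first `+` line, `184-8.7+b1+caejessie1`, is built on top of the binNMU suffix `+b1`, which belongs to the binary rebuild and not to the source version `184-8.7`; a source upload should derive its version from `184-8.7` (something like `184-8.7+caejessie1`), otherwise the changelog version does not match any source package. The third bullet also has a typo: `Noramlize` should read `Normalize`.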
diff -u -ruN libpam-ldap-184/debian/patches/limit_fetched_attrs libpam-ldap-184.cae/debian/patches/limit_fetched_attrs
--- libpam-ldap-184/debian/patches/limit_fetched_attrs 1969-12-31 18:00:00.000000000 -0600
+++ libpam-ldap-184.cae/debian/patches/limit_fetched_attrs 2016-11-17 15:31:19.997366146 -0600
@@ -0,0 +1,32 @@
+--- a/pam_ldap.c
++++ b/pam_ldap.c
+@@ -2560,6 +2560,20 @@
+ return ret;
+ }
+
++static char *_pam_ldap_attrs[] = {
++ "host",
++ "authorizedService",
++ "shadowExpire",
++ "shadowFlag",
++ "shadowInactive",
++ "shadowLastChange",
++ "shadowMax",
++ "shadowMin",
++ "shadowWarning",
++ "uidNumber",
++ NULL
++};
++
+ static int
+ _get_user_info (pam_ldap_session_t * session, const char *user)
+ {
+@@ -2618,7 +2632,7 @@
+ }
+
+ rc = ldap_search_s (session->ld, ssd->base, ssd->scope,
+- filter, NULL, 0, &res);
++ filter, _pam_ldap_attrs, 0, &res);
+
+ if (rc != LDAP_SUCCESS &&
+ rc != LDAP_TIMELIMIT_EXCEEDED && rc != LDAP_SIZELIMIT_EXCEEDED)
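Review bot: `_pam_ldap_attrs` does not contain the attribute named by `session->conf->userattr` (`uid` by default), yet the `normalize_username` patch in this same upload reads exactly that attribute from the `msg` produced by this `ldap_search_s` call via `_get_string_value`. With an explicit attribute list the server returns only the listed attributes, so unless something else adds `userattr` that lookup fails and the code falls back to `strdup (user)`, which brings back the mixed-case username this upload sets out to fix. Because the array is static, the configurable `userattr` cannot be baked in at compile time; build the attribute list at runtime from `session->conf`, or at least add `uid` and document the limitation, and confirm that every other attribute `_get_user_info` reads from the entry is present in the list, since anything omitted now silently comes back unset.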
diff -u -ruN libpam-ldap-184/debian/patches/normalize_username libpam-ldap-184.cae/debian/patches/normalize_username
--- libpam-ldap-184/debian/patches/normalize_username 1969-12-31 18:00:00.000000000 -0600
+++ libpam-ldap-184.cae/debian/patches/normalize_username 2016-11-17 15:29:58.724472042 -0600
@@ -0,0 +1,45 @@
+--- a/pam_ldap.c
++++ b/pam_ldap.c
+@@ -2652,7 +2652,13 @@
+ return PAM_BUF_ERR;
+ }
+
+- session->info->username = strdup (user);
++ rc = _get_string_value (session->ld, msg, session->conf->userattr,
++ &session->info->username);
++ if (rc != PAM_SUCCESS)
++ {
++ session->info->username = strdup (user);
++ }
++
+ if (session->info->username == NULL)
+ {
+ ldap_msgfree (res);
+@@ -3333,6 +3339,13 @@
+ pam_set_item (pamh, PAM_USER,
+ (void *) session->info->tmpluser);
+ }
++ else if (rc == PAM_SUCCESS && session->info->username != NULL)
++ {
++ (void) pam_set_data (pamh, PADL_LDAP_AUTH_DATA,
++ (void *) strdup (session->info->username),
++ _cleanup_data);
++ rc = pam_set_item (pamh, PAM_USER, (void *) session->info->username);
++ }
+ return rc;
+ }
+ }
+@@ -3363,6 +3376,13 @@
+ _cleanup_data);
+ rc = pam_set_item (pamh, PAM_USER, (void *) session->info->tmpluser);
+ }
++ else if (rc == PAM_SUCCESS && session->info->username != NULL)
++ {
++ (void) pam_set_data (pamh, PADL_LDAP_AUTH_DATA,
++ (void *) strdup (session->info->username),
++ _cleanup_data);
++ rc = pam_set_item (pamh, PAM_USER, (void *) session->info->username);
++ }
+
+ return rc;
+ }
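Review bot: in both `else if (rc == PAM_SUCCESS && session->info->username != NULL)` blocks the result of `strdup (session->info->username)` goes straight into `pam_set_data` without a NULL check, so an allocation failure stores a NULL `PADL_LDAP_AUTH_DATA` while `pam_set_item` still replaces `PAM_USER`; check the copy first (the `_get_user_info` hunk already guards with `session->info->username == NULL`) and return `PAM_BUF_ERR`, and since the two blocks are identical they could share one helper. Also, the first hunk's fallback to `strdup (user)` when `_get_string_value` fails means the user-typed casing is kept silently; logging that fallback would make a misconfigured or attribute-limited search visible instead of reproducing the original bug without a trace.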
diff -u -ruN libpam-ldap-184/debian/patches/series libpam-ldap-184.cae/debian/patches/series
--- libpam-ldap-184/debian/patches/series 2016-11-17 15:42:41.000000000 -0600
+++ libpam-ldap-184.cae/debian/patches/series 2016-11-17 15:31:42.933618188 -0600
@@ -2,3 +2,5 @@
chsh_ldap_conf
log_shadowlastchange_failure
username_for_memberuid
+normalize_username
+limit_fetched_attrs
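Review bot: both new patch files, `normalize_username` and `limit_fetched_attrs`, start directly with `--- a/pam_ldap.c` and carry no DEP-3 header (Description, Origin pointing at the libpam-ldap 186 change, Bug-Debian for #842202 and this report); add one so the backport's provenance survives the next merge. Applying `normalize_username` before `limit_fetched_attrs` is fine, but both edit `_get_user_info` in pam_ldap.c (their inner hunks are at 2652 and 2632 respectively), so the second applies with an offset; refreshing it against the tree with the first already applied keeps the series clean.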
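As an added illustration (not code from the bug report or from libpam-ldap), the stand-alone C model below mirrors the canonicalization step in `_get_user_info`: the pre-patch path returns the user-typed name, the post-patch path returns the server's userattr value, and the third case shows what happens when the userattr is missing from the returned entry. The `entry` structure and the sample attribute values are constructed for the example, not real LDAP data.

```c
#define _POSIX_C_SOURCE 200809L /* for strdup */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the attributes the server returned for one entry
 * (the LDAPMessage that ldap_search_s fills in, in pam_ldap itself). */
struct attr { const char *name; const char *value; };
struct entry { const struct attr *attrs; size_t n; };

/* Value of an attribute, or NULL when the server did not return it, which is
 * what happens when it is left out of the requested attribute list. */
static const char *entry_get(const struct entry *e, const char *name)
{
    for (size_t i = 0; i < e->n; i++)
        if (strcmp(e->attrs[i].name, name) == 0)
            return e->attrs[i].value;
    return NULL;
}

/* Before the patch: PAM hands back whatever the user typed. */
char *username_before(const char *user)
{
    return strdup(user);
}

/* After the patch: prefer the server's userattr value; fall back to the
 * user-typed name only when that attribute is missing from the entry. */
char *username_after(const struct entry *e, const char *userattr,
                     const char *user)
{
    const char *canon = entry_get(e, userattr);
    return strdup(canon != NULL ? canon : user);
}

/* Constructed results: a full search returns uid; an attribute-limited
 * search whose list omits uid does not. */
static const struct attr full_attrs[] = { {"uid", "bkroth"}, {"uidNumber", "1000"} };
static const struct attr limited_attrs[] = { {"uidNumber", "1000"} };
const struct entry full_entry = { full_attrs, 2 };
const struct entry limited_entry = { limited_attrs, 1 };

int main(void)
{
    char *a = username_before("Bkroth");
    char *b = username_after(&full_entry, "uid", "Bkroth");
    char *c = username_after(&limited_entry, "uid", "Bkroth");
    printf("before: %s, after: %s, after without uid fetched: %s\n", a, b, c);
    free(a); free(b); free(c);
    return 0;
}
```

The third result is the interaction to watch for when combining the two patches: an attribute list that omits the userattr makes the post-patch code behave exactly like the pre-patch code.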