This is an optional for LDAP and AD realm. The default behavior is case-sensitive.
Signed-off-by: Wolfgang Link <[email protected]> --- v1 -> v2: * naming of paramenter * use grep instead of a loop, to avoid login errors with ambiguous usernames v2 -> v3: * move lookup_username * use user- realm- regex instead write own PVE/API2/AccessControl.pm | 1 + PVE/AccessControl.pm | 22 ++++++++++++++++++++++ PVE/Auth/AD.pm | 1 + PVE/Auth/LDAP.pm | 7 +++++++ 4 files changed, 31 insertions(+) diff --git a/PVE/API2/AccessControl.pm b/PVE/API2/AccessControl.pm index fd27786..a77694b 100644 --- a/PVE/API2/AccessControl.pm +++ b/PVE/API2/AccessControl.pm @@ -292,6 +292,7 @@ __PACKAGE__->register_method ({ my $username = $param->{username}; $username .= "\@$param->{realm}" if $param->{realm}; + $username = PVE::AccessControl::lookup_username($username); my $rpcenv = PVE::RPCEnvironment::get(); my $res; diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm index 6a85c1a..d3a353f 100644 --- a/PVE/AccessControl.pm +++ b/PVE/AccessControl.pm @@ -891,6 +891,28 @@ sub add_role_privs { } } +sub lookup_username { + my ($username) = @_; + + $username =~ m!^(${PVE::Auth::Plugin::user_regex})\@(${PVE::Auth::Plugin::realm_regex})$!; + + my $realm = $2; + my $domain_cfg = cfs_read_file("domains.cfg"); + my $casesensitive = $domain_cfg->{ids}->{$realm}->{'case-sensitive'} // 1; + my $usercfg = cfs_read_file('user.cfg'); + + if (!$casesensitive) { + my @matches = grep { lc $username eq lc $_ } (keys %{$usercfg->{users}}); + + die "ambiguous case insensitive match of username '$username', cannot safely grant access!\n" + if scalar @matches > 1; + + return $matches[0] + } + + return $username; +} + sub normalize_path { my $path = shift; diff --git a/PVE/Auth/AD.pm b/PVE/Auth/AD.pm index 4d64c20..88b2098 100755 --- a/PVE/Auth/AD.pm +++ b/PVE/Auth/AD.pm @@ -94,6 +94,7 @@ sub options { group_classes => { optional => 1 }, 'sync-defaults-options' => { optional => 1 }, mode => { optional => 1 }, + 'case-sensitive' => { optional => 1 }, }; } diff --git a/PVE/Auth/LDAP.pm b/PVE/Auth/LDAP.pm index 09b2202..97d0778 100755 --- a/PVE/Auth/LDAP.pm +++ b/PVE/Auth/LDAP.pm @@ -129,6 +129,12 @@ sub properties { optional => 1, default => 'ldap', }, + 'case-sensitive' => { + description => "username is case-sensitive", + type => 'boolean', + optional => 1, + default => 1, + } }; } @@ -159,6 +165,7 @@ sub options { group_classes => { optional => 1 }, 'sync-defaults-options' => { optional => 1 }, mode => { optional => 1 }, + 'case-sensitive' => { optional => 1 }, }; } -- 2.20.1 _______________________________________________ pve-devel mailing list [email protected] https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
