[Date Prev][Date Next] [Chronological] [Thread] [Top]

Username case



I have an OpenLDAP 2.4.42 server in which I have loaded an LDIF file that contains (among other entries) the following:

    # james, staff, yoyodyne.com
    dn: uid=james,ou=staff,dc=yoyodyne,dc=com
    uid: james
    cn: james
    objectClass: account
    objectClass: posixAccount
    loginShell: /bin/bash
    uidNumber: 1010
    gidNumber: 100
    homeDirectory: /home/james

Separately, I have a Centos 7 box that retrieves user information from the OpenLDAP server above, by means of the Name Service Switch framework in the Centos 7 system. Users to be authenticated in this box may not be defined locally, but in the OpenLDAP server alone; PAM has been configured in the Centos system so that, for such users, and when attempting to log in over SSH, a directory is created in the Centos box on the fly as necessary, using the path retrieved from the OpenLDAP server in the homeDirectory attribute for the user. The authentication itself is carried out by a remote RADIUS server; PAM is correctly configured for this too.

This works fine as described, in that when one attempts to log in over SSH into the Centos system as james, provided that the right password is supplied, the '/home/james' directory is created in the Centos system and an interactive SSH session is established.

What I would be interested in next is an OpenLDAP setup so that the entry for a given user can be retrieved from the OpenLDAP server in a case-insensitive manner. The goal is to be able to authenticate username, password pairs over the SSH interface in the Centos7 system, with the username being cases-insensitive. 

As far as I can tell, in the process of establishing an SSH session, the OpenSSH daemon in the Centos 7 system will attempt to verify that the username is valid by invoking the gepwnam() Linux system call. This function will attempt to retrieve information for its argument - a username string - in a case-sensitive way. It first looks into the relevant local files and, if nothing is found and the NSS framework is appropriately configured, it will next attempt to obtain the data from an LDAP server.

PAM helps me here by providing a PAM module (pam_regex) which enables me to normalize incoming usernames - in essence, this module makes is easy to recast all incoming usernames to strings where all uppercase letters are transformed into their lowercase versions. The problem that I have is that OpenSSH invokes getpwnam() both before and after the pam_regex module has been invoked. Thus, if the username received from the client is, say, James, OpenSSH will invoke getpwnam("James") first, and getpwnam("james") later, after pam_regex has normalized "James". 

The upshot here seems to be that what I would need is an OpenLDAP setup such that when getpwnam("james") and getpwnam("James")  - or any other case combination of "James" - are invoked, the OpenLDAP server would return the same user data.

Now it seems to be the case that, with a user entry in OpenLDAP as described above, getpwnam("james") will look for an entry such that the its uid attribute takes the value "james". I.e. if the value of uid is, say, "James" then it will be ignored. Which, following the discussion above, doesn't fit my goal.

I guess that the question would be the following: Is it possible to configure OpenLDAP so that getpwnam() can retrieve a given entry from the OpenLDAP server in a case-insensitive way? How would one create an entry for a user identified as James so that getpwnam("James"), getpwnam("james"), getpwnam("JAMES"), etc. would all cause the OpenLDAP server to return exactly the same Linux user data (uidNumber, gidNumber, homeDirectory)? Other than the obvious and impractical approach consisting of creating identical entries for all the case combinations of the target name, that is.