MDEV-18686 Add option to PAM authentication plugin to allow case insensitive username matching

add a new option --pam-windbind-workaround for a pam plugin to
work around pam_winbind unconditional username lowercasing

1 files changed, 9 insertions, 1 deletions

diff --git a/plugin/auth_pam/auth_pam.c b/plugin/auth_pam/auth_pam.c
index a6a981f9641..83fd64e4cb1 100644
--- a/plugin/auth_pam/auth_pam.c
+++ b/plugin/auth_pam/auth_pam.c
@@ -52,6 +52,8 @@ static char pam_debug = 0;
 #define PAM_DEBUG(X)   /* no-op */
 #endif
 
+static char winbind_hack = 0;
+
 static int conv(int n, const struct pam_message **msg,
                 struct pam_response **resp, void *data)
 {
@@ -159,7 +161,8 @@ static int pam_auth(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info)
   PAM_DEBUG((stderr, "PAM: pam_get_item(PAM_USER)\n"));
   DO( pam_get_item(pamh, PAM_USER, (pam_get_item_3_arg) &new_username) );
 
-  if (new_username && strcmp(new_username, info->user_name))
+  if (new_username &&
+      (winbind_hack ? strcasecmp : strcmp)(new_username, info->user_name))
     strncpy(info->authenticated_as, new_username,
             sizeof(info->authenticated_as)-1);
   info->authenticated_as[sizeof(info->authenticated_as)-1]= 0;
@@ -185,6 +188,10 @@ static MYSQL_SYSVAR_BOOL(use_cleartext_plugin, use_cleartext_plugin,
        "supports simple PAM policies that don't require anything besides "
        "a password", NULL, NULL, 0);
 
+static MYSQL_SYSVAR_BOOL(winbind_workaround, winbind_hack, PLUGIN_VAR_OPCMDARG,
+       "Compare usernames case insensitively to work around pam_winbind "
+       "unconditional username lowercasing", NULL, NULL, 0);
+
 #ifndef DBUG_OFF
 static MYSQL_SYSVAR_BOOL(debug, pam_debug, PLUGIN_VAR_OPCMDARG,
        "Log all PAM activity", NULL, NULL, 0);
@@ -193,6 +200,7 @@ static MYSQL_SYSVAR_BOOL(debug, pam_debug, PLUGIN_VAR_OPCMDARG,
 
 static struct st_mysql_sys_var* vars[] = {
   MYSQL_SYSVAR(use_cleartext_plugin),
+  MYSQL_SYSVAR(winbind_workaround),
 #ifndef DBUG_OFF
   MYSQL_SYSVAR(debug),
 #endif