diff options
| -rw-r--r-- | mysql-test/suite/plugins/r/pam.result | 20 | ||||
| -rw-r--r-- | mysql-test/suite/plugins/t/pam.test | 24 | ||||
| -rw-r--r-- | plugin/auth_pam/auth_pam.c | 10 |
3 files changed, 49 insertions, 5 deletions
diff --git a/mysql-test/suite/plugins/r/pam.result b/mysql-test/suite/plugins/r/pam.result index 86303206b3b..46f1223d7b3 100644 --- a/mysql-test/suite/plugins/r/pam.result +++ b/mysql-test/suite/plugins/r/pam.result @@ -22,4 +22,24 @@ Now, the magic number! PIN: **** drop user test_pam; drop user pam_test; +create user PAM_TEST identified via pam using 'mariadb_mtr'; +# +# athentication is unsuccessful +# +Challenge input first. +Enter: not very secret challenge +Now, the magic number! +PIN: **** +set global pam_winbind_workaround=1; +# +# athentication is successful +# +Challenge input first. +Enter: not very secret challenge +Now, the magic number! +PIN: **** +select user(), current_user(), database(); +user() current_user() database() +PAM_TEST@localhost PAM_TEST@% test +drop user PAM_TEST; uninstall plugin pam; diff --git a/mysql-test/suite/plugins/t/pam.test b/mysql-test/suite/plugins/t/pam.test index 8a95d6baed2..8441b83c5c3 100644 --- a/mysql-test/suite/plugins/t/pam.test +++ b/mysql-test/suite/plugins/t/pam.test @@ -17,18 +17,34 @@ EOF --echo # athentication is successful, challenge/pin are ok --echo # note that current_user() differs from user() --echo # ---exec $MYSQL_TEST -u test_pam --plugin-dir=$plugindir < $MYSQLTEST_VARDIR/tmp/pam_good.txt +--exec $MYSQL_TEST -u test_pam < $MYSQLTEST_VARDIR/tmp/pam_good.txt --echo # --echo # athentication is unsuccessful --echo # --error 1 ---exec $MYSQL_TEST -u test_pam --plugin-dir=$plugindir < $MYSQLTEST_VARDIR/tmp/pam_bad.txt +--exec $MYSQL_TEST -u test_pam < $MYSQLTEST_VARDIR/tmp/pam_bad.txt ---remove_file $MYSQLTEST_VARDIR/tmp/pam_good.txt ---remove_file $MYSQLTEST_VARDIR/tmp/pam_bad.txt drop user test_pam; drop user pam_test; +create user PAM_TEST identified via pam using 'mariadb_mtr'; + +--echo # +--echo # athentication is unsuccessful +--echo # +--error 1 +--exec $MYSQL_TEST -u PAM_TEST < $MYSQLTEST_VARDIR/tmp/pam_good.txt + +set global pam_winbind_workaround=1; +--echo # +--echo # athentication is successful +--echo # +--exec $MYSQL_TEST -u PAM_TEST < $MYSQLTEST_VARDIR/tmp/pam_good.txt + +--remove_file $MYSQLTEST_VARDIR/tmp/pam_good.txt +--remove_file $MYSQLTEST_VARDIR/tmp/pam_bad.txt +drop user PAM_TEST; + let $count_sessions= 1; --source include/wait_until_count_sessions.inc uninstall plugin pam; diff --git a/plugin/auth_pam/auth_pam.c b/plugin/auth_pam/auth_pam.c index a6a981f9641..83fd64e4cb1 100644 --- a/plugin/auth_pam/auth_pam.c +++ b/plugin/auth_pam/auth_pam.c @@ -52,6 +52,8 @@ static char pam_debug = 0; #define PAM_DEBUG(X) /* no-op */ #endif +static char winbind_hack = 0; + static int conv(int n, const struct pam_message **msg, struct pam_response **resp, void *data) { @@ -159,7 +161,8 @@ static int pam_auth(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info) PAM_DEBUG((stderr, "PAM: pam_get_item(PAM_USER)\n")); DO( pam_get_item(pamh, PAM_USER, (pam_get_item_3_arg) &new_username) ); - if (new_username && strcmp(new_username, info->user_name)) + if (new_username && + (winbind_hack ? strcasecmp : strcmp)(new_username, info->user_name)) strncpy(info->authenticated_as, new_username, sizeof(info->authenticated_as)-1); info->authenticated_as[sizeof(info->authenticated_as)-1]= 0; @@ -185,6 +188,10 @@ static MYSQL_SYSVAR_BOOL(use_cleartext_plugin, use_cleartext_plugin, "supports simple PAM policies that don't require anything besides " "a password", NULL, NULL, 0); +static MYSQL_SYSVAR_BOOL(winbind_workaround, winbind_hack, PLUGIN_VAR_OPCMDARG, + "Compare usernames case insensitively to work around pam_winbind " + "unconditional username lowercasing", NULL, NULL, 0); + #ifndef DBUG_OFF static MYSQL_SYSVAR_BOOL(debug, pam_debug, PLUGIN_VAR_OPCMDARG, "Log all PAM activity", NULL, NULL, 0); @@ -193,6 +200,7 @@ static MYSQL_SYSVAR_BOOL(debug, pam_debug, PLUGIN_VAR_OPCMDARG, static struct st_mysql_sys_var* vars[] = { MYSQL_SYSVAR(use_cleartext_plugin), + MYSQL_SYSVAR(winbind_workaround), #ifndef DBUG_OFF MYSQL_SYSVAR(debug), #endif |