[Pkg-xfce-devel] Bug#842202: lightdm combined with pam_ldap and mixed case usernames results in broken group enumeration, etc.

Brian Kroth bpkroth at gmail.com
Wed Oct 26 20:51:58 UTC 2016

Package: lightdm
Version: 1.10.3-3
Severity: normal

Dear Maintainer,

We have an environment that uses pam_ldap to authenticate most of our 

Due to some nuances of the core (open)LDAP schema, the uid attribute 
will return success on "equality" matches even if the requested query 
includes spaces or mixed case.  See Also:

So, if you attempt to login as " Bkroth" instead of "bkroth", the LDAP 
server will respond successfully.

Unfortunately, pam_ldap (probably reasonably) just takes that to mean 
that the provided username is valid and passes it through (it did ask 
for an equality match after all).  A better thing to do at that stage 
would probably be to hand back the value in the uid attribute that the 
LDAP server responded with, but I'll leave that for a separate pam_ldap 
bug report.  Somewhat related:

The trouble is that lightdm, takes the user provided value and 
1) assigns it to the USER and LOGNAME environment variables, and
2) uses it to try and initgroups(), which then fails (group memberships 
in LDAP are usually done with fully qualified DNs which don't do the 
loose equality matching described above).

The combination of incorrect USER environment variables and missing 
supplementary groups causes lots of other problems.

Note that programs like su, login, ssh, etc. don't exhibit this behavior 
since they turn around and perform a lookup of the "true" username 
against the NSS database again when populating the environment 
variables.  Here's a few examples:

The attached patch essentially just adjusts lightdm's behavior to 
perform the same sort of NSS lookup to get the true username.

I also have a dumbed down sample test program to illustrate the issue 
outside of lightdm in case it helps.

Let me know if you have any questions or comments.


-- System Information:
Debian Release: 8.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages lightdm depends on:
ii  adduser                                3.113+nmu3
ii  dbus                                   1.8.20-0+deb8u1
ii  debconf [debconf-2.0]                  1.5.56
ii  libc6                                  2.19-18+deb8u6
ii  libgcrypt20                            1.6.3-2+deb8u2
ii  libglib2.0-0                           2.42.1-1+b1
ii  libpam-systemd                         215-17+deb8u5
ii  libpam0g                               1.1.8-3.1+deb8u1+b1
ii  libxcb1                                1.10-3+b1
ii  libxdmcp6                              1:1.1.1-1+b1
ii  lightdm-gtk-greeter [lightdm-greeter]  1.8.5-2

Versions of packages lightdm recommends:
ii  xserver-xorg  1:7.7+7

Versions of packages lightdm suggests:
ii  accountsservice  0.6.37-3+b1
ii  upower           0.99.1-3.2

-- Configuration Files:
/etc/lightdm/lightdm.conf changed [not included]

-- debconf information excluded
-------------- next part --------------
A non-text attachment was scrubbed...
Name: lightdm-1.10.3_normalize-username.patch
Type: text/x-diff
Size: 4298 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-xfce-devel/attachments/20161026/de7ad515/attachment.patch>

More information about the Pkg-xfce-devel mailing list