On 3/1/06, Jesper Krogh <jesper.krogh@xxxxxxxxx> wrote:
> On 3/1/06, Nick Kew <nick@xxxxxxxxxxxx> wrote:
> > On Tuesday 28 February 2006 21:40, Jesper Krogh wrote:
> > > Is it possible to make apache match the username "case-insensitive"
> > > against lists in AuthUserFile /AuthGroupFile?
> >
> > That would potentially be a security hole.
>
> Yes if it could be done without people knowing it. If it were
> configurable, it would be a feature :-)
>
> If I didn't explain the problem well enough, then an example would work:
> I just would like apache to assume that Jesper, JESPER, jesper, and so
> on, was the same user
> when matching up agaings the lists.
>
> > > We're using mod_ntlm and it generally works fine, but the different
> > > platforms tend to send usernames in mixed cases.
> >
> > Hmmm. Don't you get that behaviour if you use a case-insensitive filesystem?
>
> No. That would give me flexibillity in the names of the files
> containing the user-list, not the
> usernames.
>
> I have got the mod_ntlm C-code, so if anyone could give me directions
> on how to modify
> the REMOTE_USER stuff from a C-apache module, then I could probably do
> it that way.
Sometimes "fresh eyes" in the morning helps a lot. This patch against
mod_ntlm2 makes
the usernames in lowercase:
diff -Nur mod_ntlm2-0.1/mod_ntlm.c mod_ntlm2-0.1-mod/mod_ntlm.c
--- mod_ntlm2-0.1/mod_ntlm.c 2003-02-23 16:58:02.000000000 +0100
+++ mod_ntlm2-0.1-mod/mod_ntlm.c 2006-03-01 09:06:13.000000000 +0100
@@ -522,6 +522,12 @@
/* silently accept login with same credentials */
r->user = apr_pstrdup(r->connection->pool,
ntlm_connection->user);
+
+ char *user= r->user;
+ while(*user){
+ *user = tolower(*user);
+ user++;
+ }
r->ap_auth_type = apr_pstrdup(r->connection->pool,
NTLM_AUTH_NAME);
return OK;
@@ -557,6 +563,11 @@
* NULL; */
r->user = apr_pstrdup(r->connection->pool,
ntlm_connection->user);
+ char *user= r->user;
+ while(*user){
+ *user = tolower(*user);
+ user++;
+ }
r->ap_auth_type = apr_pstrdup(r->connection->pool,
NTLM_AUTH_NAME);
@@ -664,6 +675,11 @@
* connection. The other allocations are temporary and can be
* tossed away any time. */
r->user = apr_pstrcat(r->connection->pool, sent_user, NULL);
+ char *user= r->user;
+ while(*user){
+ *user = tolower(*user);
+ user++;
+ }
r->ap_auth_type = "Basic";
Jesper
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|