This one turns out to be more complex than it looks. Unfortunately due
to the way PAM works neither LightDM or the greeter know for sure the
context of the prompts that PAM sends. So they don't know they're being
asked for a username or something else in which whitespace might be
significant. It seems unlikely but since we can never know what PAM
modules exist we can't just strip whitespace from PAM responses.
Trying to log in from a text terminal confirms that a simple login will
fail with whitespace. Code checking pam_unix, pam_ldap and pam_krb5
doesn't appear to show them making any attempt to strip whitespace. I'm
assuming then the whitespace stripping is being done server side on your
LDAP server?
>From a user experience it seems correct that whitespace should be
ignored and the only thing that can do this reliably is the PAM modules
which know the context of the username response from LightDM/Unity
Greeter. So I'll reassign this bug to libpam-ldap as that seems to be
the module that the problem might be in.
** Also affects: lightdm (Ubuntu)
Importance: Undecided
Status: New
** Also affects: libpam-ldap (Ubuntu)
Importance: Undecided
Status: New
** Changed in: libpam-ldap (Ubuntu)
Status: New => Triaged
** Changed in: libpam-ldap (Ubuntu)
Importance: Undecided => Medium
** Changed in: lightdm (Ubuntu)
Status: New => Invalid
** Changed in: lightdm (Ubuntu)
Importance: Undecided => Medium
** Changed in: lightdm
Status: Triaged => Invalid
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1195039
Title:
Whitespaces in login name cause authentication problems
Status in Light Display Manager:
Invalid
Status in “libpam-ldap” package in Ubuntu:
Triaged
Status in “lightdm” package in Ubuntu:
Invalid
Status in “unity-greeter” package in Ubuntu:
Invalid
Bug description:
This is an Ubuntu 12.04.2 LTS deployment in an university lab environment.
The university is in a transition setup, where student ids are provided both
through an Active Directory, as well as LDAP.
So identification goes through both layers, first krb5 and then ldap.
However, a home directory gets mounted via krb5.
Behavior: if user types a whitespace (or more) at the beginning or the
end of the username, lightdm takes that string literally and runs it
through authentication. The confusion here was that while krb5 refuses
to authenticate the string (which doesn't exist as a user), ldap
strips the whitespaces and it happily authenticates the userid. The
user gets in, but they don't have a home mounted.
Is there any reason why leading whitespaces and trailing whitespaces
are not being stripped out of the usernames? That would be of great
help to our users here. The white space is just the natural way of
waking up a dormant machine, so users do it frequently. It is also
difficult to educate a large crowd about this issue, especially with
the double authentication that behaves differently.
Thank you.
To manage notifications about this bug go to:
https://bugs.launchpad.net/lightdm/+bug/1195039/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
