MDEV-18686 Add option to PAM authentication plugin to allow case inse…

…nsitive username matching

add a new option --pam-windbind-workaround for a pam plugin to
work around pam_winbind unconditional username lowercasing

mysql-test/suite/plugins/r/pam.result

@@ -22,4 +22,24 @@ Now, the magic number!
 PIN: ****
 drop user test_pam;
 drop user pam_test;
+create user PAM_TEST identified via pam using 'mariadb_mtr';
+#
+# athentication is unsuccessful
+#
+Challenge input first.
+Enter: not very secret challenge
+Now, the magic number!
+PIN: ****
+set global pam_winbind_workaround=1;
+#
+# athentication is successful
+#
+Challenge input first.
+Enter: not very secret challenge
+Now, the magic number!
+PIN: ****
+select user(), current_user(), database();
+user()	current_user()	database()
+PAM_TEST@localhost	PAM_TEST@%	test
+drop user PAM_TEST;
 uninstall plugin pam;

mysql-test/suite/plugins/t/pam.test

@@ -17,18 +17,34 @@ EOF
 --echo # athentication is successful, challenge/pin are ok
 --echo # note that current_user() differs from user()
 --echo #
---exec $MYSQL_TEST -u test_pam --plugin-dir=$plugindir < $MYSQLTEST_VARDIR/tmp/pam_good.txt
+--exec $MYSQL_TEST -u test_pam < $MYSQLTEST_VARDIR/tmp/pam_good.txt
 
 --echo #
 --echo # athentication is unsuccessful
 --echo #
 --error 1
---exec $MYSQL_TEST -u test_pam --plugin-dir=$plugindir < $MYSQLTEST_VARDIR/tmp/pam_bad.txt
+--exec $MYSQL_TEST -u test_pam < $MYSQLTEST_VARDIR/tmp/pam_bad.txt
 
---remove_file $MYSQLTEST_VARDIR/tmp/pam_good.txt
---remove_file $MYSQLTEST_VARDIR/tmp/pam_bad.txt
 drop user test_pam;
 drop user pam_test;
+create user PAM_TEST identified via pam using 'mariadb_mtr';
+
+--echo #
+--echo # athentication is unsuccessful
+--echo #
+--error 1
+--exec $MYSQL_TEST -u PAM_TEST < $MYSQLTEST_VARDIR/tmp/pam_good.txt
+
+set global pam_winbind_workaround=1;
+--echo #
+--echo # athentication is successful
+--echo #
+--exec $MYSQL_TEST -u PAM_TEST < $MYSQLTEST_VARDIR/tmp/pam_good.txt
+
+--remove_file $MYSQLTEST_VARDIR/tmp/pam_good.txt
+--remove_file $MYSQLTEST_VARDIR/tmp/pam_bad.txt
+drop user PAM_TEST;
+
 let $count_sessions= 1;
 --source include/wait_until_count_sessions.inc
 uninstall plugin pam;

plugin/auth_pam/auth_pam.c

@@ -52,6 +52,8 @@ static char pam_debug = 0;
 #define PAM_DEBUG(X)   /* no-op */
 #endif
 
+static char winbind_hack = 0;
+
 static int conv(int n, const struct pam_message **msg,
                 struct pam_response **resp, void *data)
 {
@@ -159,7 +161,8 @@ static int pam_auth(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info)
   PAM_DEBUG((stderr, "PAM: pam_get_item(PAM_USER)\n"));
   DO( pam_get_item(pamh, PAM_USER, (pam_get_item_3_arg) &new_username) );
 
-  if (new_username && strcmp(new_username, info->user_name))
+  if (new_username &&
+      (winbind_hack ? strcasecmp : strcmp)(new_username, info->user_name))
     strncpy(info->authenticated_as, new_username,
             sizeof(info->authenticated_as)-1);
   info->authenticated_as[sizeof(info->authenticated_as)-1]= 0;
@@ -185,6 +188,10 @@ static MYSQL_SYSVAR_BOOL(use_cleartext_plugin, use_cleartext_plugin,
        "supports simple PAM policies that don't require anything besides "
        "a password", NULL, NULL, 0);
 
+static MYSQL_SYSVAR_BOOL(winbind_workaround, winbind_hack, PLUGIN_VAR_OPCMDARG,
+       "Compare usernames case insensitively to work around pam_winbind "
+       "unconditional username lowercasing", NULL, NULL, 0);
+
 #ifndef DBUG_OFF
 static MYSQL_SYSVAR_BOOL(debug, pam_debug, PLUGIN_VAR_OPCMDARG,
        "Log all PAM activity", NULL, NULL, 0);
@@ -193,6 +200,7 @@ static MYSQL_SYSVAR_BOOL(debug, pam_debug, PLUGIN_VAR_OPCMDARG,
 
 static struct st_mysql_sys_var* vars[] = {
   MYSQL_SYSVAR(use_cleartext_plugin),
+  MYSQL_SYSVAR(winbind_workaround),
 #ifndef DBUG_OFF
   MYSQL_SYSVAR(debug),
 #endif