From eb41d2005159da16a8b9f50a5f972fdb029ee09e Mon Sep 17 00:00:00 2001 From: Wolfgang Link Date: Tue, 8 Sep 2020 14:09:45 +0200 Subject: [PATCH] fix #2947 login name for the LDAP/AD realm can be case-insensitive This is an optional for LDAP and AD realm. The default behavior is case-sensitive. Signed-off-by: Wolfgang Link --- PVE/API2/AccessControl.pm | 1 + PVE/AccessControl.pm | 22 ++++++++++++++++++++++ PVE/Auth/AD.pm | 1 + PVE/Auth/LDAP.pm | 7 +++++++ 4 files changed, 31 insertions(+) diff --git a/PVE/API2/AccessControl.pm b/PVE/API2/AccessControl.pm index fd27786..a77694b 100644 --- a/PVE/API2/AccessControl.pm +++ b/PVE/API2/AccessControl.pm @@ -292,6 +292,7 @@ __PACKAGE__->register_method ({ my $username = $param->{username}; $username .= "\@$param->{realm}" if $param->{realm}; + $username = PVE::AccessControl::lookup_username($username); my $rpcenv = PVE::RPCEnvironment::get(); my $res; diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm index 6a85c1a..d3bc6ea 100644 --- a/PVE/AccessControl.pm +++ b/PVE/AccessControl.pm @@ -891,6 +891,28 @@ sub add_role_privs { } } +sub lookup_username { + my ($username) = @_; + + $username =~ m!^(${PVE::Auth::Plugin::user_regex})\@(${PVE::Auth::Plugin::realm_regex})$!; + + my $realm = $2; + my $domain_cfg = cfs_read_file("domains.cfg"); + my $casesensitive = $domain_cfg->{ids}->{$realm}->{'case-sensitive'} // 1; + my $usercfg = cfs_read_file('user.cfg'); + + if (!$casesensitive) { + my @matches = grep { lc $username eq lc $_ } (keys %{$usercfg->{users}}); + + die "ambiguous case insensitive match of username '$username', cannot safely grant access!\n" + if scalar @matches > 1; + + return $matches[0] + } + + return $username; +} + sub normalize_path { my $path = shift; diff --git a/PVE/Auth/AD.pm b/PVE/Auth/AD.pm index 4d64c20..88b2098 100755 --- a/PVE/Auth/AD.pm +++ b/PVE/Auth/AD.pm 
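Review bot: The new `lookup_username` call is placed before `$rpcenv` is even obtained, i.e. presumably outside the eval that later wraps the actual authentication in this method (that code lies outside the hunk), so its `die "ambiguous case insensitive match of username ..."` reaches an unauthenticated client as a distinct error. That confirms to an attacker, with no password, that at least two accounts differing only in case exist for the typed name — exactly the kind of enumeration oracle a generic "authentication failure" response is meant to prevent. Wrap the call in `eval { $username = PVE::AccessControl::lookup_username($username); }`, send `$@` to syslog and re-die with the same generic message and code the method uses for a wrong password, or move the call inside that existing eval. The method body continues outside the hunk, so check that nothing between this line and the password check relies on `$username` still being the literal login string.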
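Review bot: The case-insensitive grep in `lookup_username` compares the whole `user@realm` string against every key in `user.cfg`, so a login `alice@LDAP2` can resolve to `alice@ldap2` belonging to a differently-cased realm whose own `case-sensitive` setting was never consulted, and the realm that is consulted comes from `$2` of an unchecked regex, which is undef or left over from an earlier match when the login is not of the form `user@realm`. When nothing matches, `return $matches[0]` hands undef back to `create_ticket` instead of the entered name, so the later authentication code works on undef rather than producing its usual failure for an unknown user. Restrict the match to entries whose realm part is byte-equal to the entered realm, fold only the local part, fall back to the original string when there is no match, and avoid `$domain_cfg->{ids}->{$realm}->{...}` on an unknown realm, which autovivifies an entry in the structure returned by `cfs_read_file` (harmful if that is a shared cache; confirm). Note also that `lc` applies Unicode case folding to whatever the decoded request contains, which is wider than ASCII; acceptable, but worth stating in a comment.
```perl
sub lookup_username {
    my ($username) = @_;

    # anything that is not user@realm is handed on unchanged; verify_username() rejects it later
    my ($user, $realm) = $username =~ m!^(${PVE::Auth::Plugin::user_regex})\@(${PVE::Auth::Plugin::realm_regex})$!
	or return $username;

    my $domain_cfg = cfs_read_file("domains.cfg");
    # avoid autovivifying an entry for an unknown realm in the returned structure
    my $realm_cfg = exists $domain_cfg->{ids}->{$realm} ? $domain_cfg->{ids}->{$realm} : undef;
    my $casesensitive = defined($realm_cfg) ? ($realm_cfg->{'case-sensitive'} // 1) : 1;

    return $username if $casesensitive;

    my $usercfg = cfs_read_file('user.cfg');
    # fold only the local part; the realm must match exactly so the flag of one realm
    # can never resolve a login to a user of a differently-cased realm
    my @matches = grep {
	my ($u, $r) = $_ =~ m!^(.*)\@([^\@]*)$!;
	defined($r) && $r eq $realm && lc($u) eq lc($user)
    } keys %{$usercfg->{users}};

    die "ambiguous case insensitive match of username '$username', cannot safely grant access!\n"
	if scalar(@matches) > 1;

    # no match: keep the entered name so the normal authentication path fails as usual
    return $matches[0] // $username;
}
```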
@@ -94,6 +94,7 @@ sub options { group_classes => { optional => 1 }, 'sync-defaults-options' => { optional => 1 }, mode => { optional => 1 }, + 'case-sensitive' => { optional => 1 }, }; } diff --git a/PVE/Auth/LDAP.pm b/PVE/Auth/LDAP.pm index 09b2202..97d0778 100755 --- a/PVE/Auth/LDAP.pm +++ b/PVE/Auth/LDAP.pm @@ -129,6 +129,12 @@ sub properties { optional => 1, default => 'ldap', }, + 'case-sensitive' => { + description => "username is case-sensitive", + type => 'boolean', + optional => 1, + default => 1, + } }; } @@ -159,6 +165,7 @@ sub options { group_classes => { optional => 1 }, 'sync-defaults-options' => { optional => 1 }, mode => { optional => 1 }, + 'case-sensitive' => { optional => 1 }, }; } -- 2.39.2
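Review bot: The schema description `"username is case-sensitive"` on the new `case-sensitive` property in the LDAP `properties` hunk is the only user-facing documentation of this option and does not say what disabling it does; from `lookup_username` in the same patch, the login is compared case-insensitively against the existing user entries and a login matching more than one entry is rejected. Suggest `description => "Username is case-sensitive. If disabled, the login name is matched case-insensitively against existing users; a login that matches more than one user is rejected."`. The key is added to `options` in both `AD.pm` and `LDAP.pm` but defined in `properties` only in `LDAP.pm`, which is fine if the AD plugin inherits the LDAP property definitions — presumably the case, but worth confirming since the definition site is not visible here.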