Details
Summary: please confirm: fixed: usernames are case insensitive duri...
Bug#: 1383
Product: Skolelinux
Component: debian-edu-config
Status: RESOLVED
Resolution: FIXED
Hardware: All
OS: Linux
Version: lenny-test
Priority: P1
Severity: critical

People
Reporter: Ronny Aasen <ronny@skolelinux.org>
Assigned To: Dummy user for bugs missing someone responsible <debian-edu@lists.debian.org>
Description:   Opened: 2009-10-13 11:43
Usernames are case insensitive during login.
I have tested with a thin client, and NX and danielsan have tested on a
workstation.

The username RoNnY can log in just as well as the correct username ronny.
When you log in with a different username you lose your group memberships;
it's like a separate account with the same homedir.
This can allow the user to circumvent group-based restrictions and lose access
rights for group-based file rights.

Set to P1 for its security implications.

http://honk.sigxcpu.org/projects.html#pam-naming might be used to e.g. enforce
lowercase usernames.

Kind regards
Ronny Aasen
------- Comment #1 From Holger Levsen 2009-10-13 11:53:46 -------
to explain the effects a bit more verbosely:

- the poor admin at Luster spent weeks troubleshooting an issue where a
teacher never could access the school shared documents. she logged in
constantly with a capital first letter in her name, he constantly tested with her
correct username. :s

- also this explains why some students had full internet when they logged
in as exam users, since they would not be in the group blocking them in the
proxy...
------- Comment #2 From Petter Reinholdtsen 2009-11-05 12:05:32 -------
The problem probably originates from the LDAP searches which are case
insensitive.  No idea how to avoid it.

I believe the ldap search rules are in /etc/nss-ldapd.conf .
------- Comment #3 From Holger Levsen 2009-11-05 12:27:04 -------
during the gathering we discussed making login case-sensitive again, for the
benefit of releasing our lenny this year.

this is because this fix is quite straightforward. if someone comes up with a
fix for case-insensitive logins in time, this is of course also fine :-)
------- Comment #4 From Ronny Aasen 2009-11-05 17:18:35 -------
Debian bug, even potential for a stable point release update.
At what time will we know if this will be in stable or not?

http://bugs.debian.org/552433

Ronny
------- Comment #5 From Oded Naveh 2009-11-05 17:37:52 -------
I believe this behaviour is determined by the "EQUALITY" matching rule defined
for attribute "uid" in the schema, not sure which one (built-in perhaps?) as
the definition in 'core.schema' is commented out, but it reads:

# Derived from RFC 1274, but with new "short names"
#
#attributetype ( 0.9.2342.19200300.100.1.1
#       NAME ( 'uid' 'userid' )
#       DESC 'RFC1274: user identifier'
#       EQUALITY caseIgnoreMatch
#       SUBSTR caseIgnoreSubstringsMatch
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

No idea how to avoid it either.

Looking at 'id' output:

tjener:~# id demstu
uid=10019(demstu) gid=10019(demstu)
groups=10004(students),10005(none),10019(demstu)

tjener:~# id DemStu
uid=10019(DemStu) gid=10019(demstu) groups=10019(demstu)

I suspect the inconsistency stems from the case sensitivity of:

attributetype ( 1.3.6.1.1.1.1.12 NAME 'memberUid'
        EQUALITY caseExactIA5Match
        SUBSTR caseExactIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

in:

objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup'
        DESC 'Abstraction of a group of accounts'
        SUP top STRUCTURAL
        MUST ( cn $ gidNumber )
        MAY ( userPassword $ memberUid $ description ) )

Both defined in 'nis.schema'.
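The following is an added example, not code from the bug report or from debian-edu-config. It models the two matching rules comment #5 points at (caseIgnoreMatch on uid, caseExactIA5Match on memberUid) with a small in-memory directory, reproduces the difference between the two `id` runs above, and shows the two fixes discussed in the thread: resolving the stored uid before the group search, and rejecting logins whose spelling does not match the stored uid exactly (comment #3). The directory entries are constructed sample data shaped like the `id demstu` output; the function names are this example's own.

```python
# Added example, not code from the bug report or from debian-edu-config.
# Models why `id demstu` and `id DemStu` disagree when the uid attribute is
# matched case-insensitively but memberUid is matched case-exactly, and shows
# two ways to close the gap. All directory data below is constructed.

from typing import Optional

# Constructed posixAccount entry (attributes of uid=demstu).
USERS = [
    {"uid": "demstu", "uidNumber": 10019, "gidNumber": 10019},
]

# Constructed posixGroup entries; memberUid lists secondary members only.
GROUPS = [
    {"cn": "demstu",   "gidNumber": 10019, "memberUid": []},
    {"cn": "students", "gidNumber": 10004, "memberUid": ["demstu"]},
    {"cn": "none",     "gidNumber": 10005, "memberUid": ["demstu"]},
]


def case_ignore_match(stored: str, asserted: str) -> bool:
    """EQUALITY caseIgnoreMatch, as declared for the 'uid' attribute."""
    return stored.casefold() == asserted.casefold()


def case_exact_ia5_match(stored: str, asserted: str) -> bool:
    """EQUALITY caseExactIA5Match, as declared for 'memberUid' in nis.schema."""
    return stored == asserted


def find_account(login: str) -> Optional[dict]:
    """passwd lookup: filter (uid=<login>) evaluated with uid's matching rule."""
    for entry in USERS:
        if case_ignore_match(entry["uid"], login):
            return entry
    return None


def find_secondary_groups(name: str) -> list:
    """group lookup: filter (memberUid=<name>) evaluated with memberUid's rule."""
    return sorted(
        g["cn"] for g in GROUPS
        if any(case_exact_ia5_match(m, name) for m in g["memberUid"])
    )


def primary_group(gid: int) -> str:
    return next(g["cn"] for g in GROUPS if g["gidNumber"] == gid)


def id_as_reported(login: str) -> Optional[dict]:
    """Reproduces the reported behaviour: the account resolves for any
    capitalisation, but the group search is run with the name as typed."""
    acct = find_account(login)
    if acct is None:
        return None
    groups = sorted({primary_group(acct["gidNumber"]), *find_secondary_groups(login)})
    return {"uid": acct["uidNumber"], "gid": acct["gidNumber"], "groups": groups}


def id_canonicalised(login: str) -> Optional[dict]:
    """Mitigation 1: resolve the stored uid first and search memberUid with
    that canonical spelling, so every capitalisation yields the same groups."""
    acct = find_account(login)
    if acct is None:
        return None
    groups = sorted({primary_group(acct["gidNumber"]), *find_secondary_groups(acct["uid"])})
    return {"uid": acct["uidNumber"], "gid": acct["gidNumber"], "groups": groups}


def id_case_sensitive(login: str) -> Optional[dict]:
    """Mitigation 2 (the approach in comment #3): accept the login only when it
    is spelled exactly as stored, so 'DemStu' is not a valid account at all."""
    acct = find_account(login)
    if acct is None or not case_exact_ia5_match(acct["uid"], login):
        return None
    return id_canonicalised(login)


if __name__ == "__main__":
    for name in ("demstu", "DemStu"):
        print(name, "as reported:   ", id_as_reported(name))
        print(name, "canonicalised: ", id_canonicalised(name))
        print(name, "case-sensitive:", id_case_sensitive(name))
```

Run stand-alone, the script prints the three views for both spellings: `id_as_reported("DemStu")` returns only the primary group, exactly as the second `id` run above does, while both mitigations give a single consistent answer. Canonicalising fixes the group view but still lets a user have several spellings of the same account (which also matters for the process-purging scripts mentioned later in the thread); rejecting the mismatched spelling outright is the simpler rule when the directory is the only source of truth.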
------- Comment #6 From Ralf 2009-11-08 23:15:43 -------
Yet another remark aside:
Regarding scripts that are designed to kill left-behind processes of logged-out
users (killer etc.), users could also evade process purging by using creative
capitalisation.
------- Comment #7 From Petter Reinholdtsen 2009-12-07 00:06:01 -------
A fix for this in nss-ldapd in Lenny is being worked on, and I hope will show
up soon.

http://lists.debian.org/debian-release/2009/12/msg00037.html got some
information.
------- Comment #8 From Vagrant Cascadian 2009-12-21 22:33:52 -------
uploaded nss-ldapd_0.6.7.2~edu1_i386.changes to lenny-test, though it may need
ftpmaster approval and will need confirmation that it actually resolves the
issue.
------- Comment #9 From Holger Levsen 2009-12-22 14:43:48 -------
fixed packages have been uploaded to s-p-u by the maintainer and to lenny-test
by vagrantc. please confirm it fixes the issue.
------- Comment #10 From Holger Levsen 2009-12-28 14:09:36 -------
afaik this is fixed, can someone test and confirm, please?!
------- Comment #11 From Philipp Huebner 2009-12-28 17:55:02 -------
I tested it, and can confirm that this is fixed. closing! :D