Merge pull request #2397 from rkdarst/pam_normalize_username

pam_normalize_username option: round-trip usernames through PAM to normalize
2025-10-19 16:03:00 +00:00 · 2019-02-15 15:17:28 +01:00
parent 8c76f2b30c a6d217d113
commit 52d8f74eb1
2 changed files with 31 additions and 0 deletions
--- a/docs/source/reference/authenticators.md
+++ b/docs/source/reference/authenticators.md
@@ -106,6 +106,16 @@ c.Authenticator.username_map  = {
 }
 ```

+When using `PAMAuthenticator`, you can set
+`c.PAMAuthenticator.pam_normalize_username = True`, which will
+normalize usernames using PAM (basically round-tripping them: username
+to uid to username), which is useful in case you use some external
+service that allows multiple usernames mapping to the same user (such
+as ActiveDirectory, yes, this really happens).  When
+`pam_normalize_username` is on, usernames are *not* normalized to
+lowercase.
+
+
 #### Validate usernames

 In most cases, there is a very limited set of acceptable usernames.
--- a/jupyterhub/auth.py
+++ b/jupyterhub/auth.py
@@ -707,6 +707,16 @@ class PAMAuthenticator(LocalAuthenticator):
        """
    ).tag(config=True)

+    pam_normalize_username = Bool(False,
+        help="""
+        Round-trip the username via PAM lookups to make sure it is unique
+
+        PAM can accept multiple usernames that map to the same user,
+        for example DOMAIN\\username in some cases.  To prevent this,
+        convert username into uid, then back to uid to normalize.
+        """
+        ).tag(config=True)
+
    def __init__(self, **kwargs):
        if pamela is None:
            raise _pamela_error from None
@@ -798,6 +808,17 @@ class PAMAuthenticator(LocalAuthenticator):
            self.log.warning("Disabling PAM sessions from now on.")
            self.open_sessions = False

+    def normalize_username(self, username):
+        """Round-trip the username to normalize it with PAM
+
+        PAM can accept multiple usernames as the same user, normalize them."""
+        if self.pam_normalize_username:
+            import pwd
+            uid = pwd.getpwnam(username).pw_uid
+            username = pwd.getpwuid(uid).pw_name
+            username = self.username_map.get(username, username)
+        else:
+            return super().normalize_username(username)

 class DummyAuthenticator(Authenticator):
    """Dummy Authenticator for testing