[Freeipa-users] username case sensitivity

Dmitri Pal dpal at redhat.com
Sat Jun 27 01:12:53 UTC 2015


On 05/18/2015 06:16 AM, Andy Thompson wrote:
>> -----Original Message-----
>> From: Jakub Hrozek [mailto:jhrozek at redhat.com]
>> Sent: Monday, May 18, 2015 4:07 AM
>> To: Andy Thompson
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] username case sensitivity
>>
>> On Sun, May 17, 2015 at 10:26:45PM +0000, Andy Thompson wrote:
>>>> -----Original Message-----
>>>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
>>>> bounces at redhat.com] On Behalf Of Jakub Hrozek
>>>> Sent: Sunday, May 17, 2015 5:23 PM
>>>> To: freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] username case sensitivity
>>>>
>>>> On Fri, May 15, 2015 at 09:44:31PM +0200, Lukas Slebodnik wrote:
>>>>> On (15/05/15 17:27), Andy Thompson wrote:
>>>>>> Is there a way to enforce case sensitivity for trusted AD users?
>>>>>> I am
>>>>> trying to use username for ssh chroots and I can authenticate
>>>>> with any case combination of <UsERname> but if ssh is set to match
>>>>> on <username> then the chroot is not enforced and the user is
>>>>> dropped to their usual home directory.  I found a case_sensitive
>>>>> option for sssd but it
>>>> does not
>>>>> seem to have any effect.   Running RHEL6.6 clients.
>>>>> IPA domain is by default case sensitive.
>>>>> So you will not change anything if you put "case_sensitive = true"
>>>>> into domain section of sssd.conf.
>>>>>
>>>>> But SSSD will create subdomains for each AD domain. It is
>>>>> different id_provider therefore different default values are used
>>>>> for subdomains and for AD provider it is case *insensitive* by default.
>>>>>
>>>>> Currently there's no way how to change it for subdomains (AD
>>>>> trusted
>>>>> domains)
>>>>>
>>>> What are you using for the SSH matching? The way the case
>>>> insensitiveness is implemented in SSSD is that all usernames are
>>>> forcibly lowercased on output, so as long as SSH uses the standard
>>>> NSS calls, you should be good with using the lowercase usernames.
>>>>
>>> They were initially all in lower case and working  when I tested and finalized
>> the setup.  I passed the credentials off and they used mixed case and the
>> match stopped working.
>>
>> What is "they" ? I guess not SSSD but grabbing the data directly from LDAP?
> The match clauses in the sshd config were set to use lower case names.  It is using sssd, just a regular ipa client installation.  If I logged in using USERName instead of username, the match clause did not work.
>
> -andy
>
Do we have any follow-up on this thread? Have we closed the loop and
filed a ticket?
I had a couple of complaints about a similar matter during Red Hat Summit.
It seems that this is one of the emerging issues for the trust environments.

-- 
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.
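
An added example, not part of the original thread or of FreeIPA/SSSD: a small audit that flags accepted SSH logins whose typed name matches a `Match User` pattern only when case is ignored, which is the situation described above where the chroot was not applied. The config fragment, log lines, user names and function names are constructed for illustration; it assumes the auth log records the login name as the client sent it, and it handles only `Match User` lines with `*` and `?` wildcards.

```python
import re
from fnmatch import fnmatchcase

# Constructed sshd_config fragment (not from the thread).
SSHD_CONFIG = """\
Subsystem sftp internal-sftp
Match User aduser1,sftp_*
    ChrootDirectory /srv/chroot/%u
    ForceCommand internal-sftp
"""

# Constructed auth log lines (not from the thread).
AUTH_LOG = """\
May 18 10:01:02 host sshd[1201]: Accepted password for aduser1 from 192.0.2.10 port 50122 ssh2
May 18 10:03:44 host sshd[1207]: Accepted password for ADUser1 from 192.0.2.10 port 50140 ssh2
May 18 10:05:09 host sshd[1213]: Accepted publickey for Sftp_Batch from 192.0.2.11 port 40022 ssh2
May 18 10:06:30 host sshd[1220]: Accepted password for admin from 192.0.2.12 port 40100 ssh2
"""

ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")

def match_user_patterns(config_text):
    """Collect the comma-separated patterns from every 'Match User' line."""
    patterns = []
    for line in config_text.splitlines():
        words = line.split()
        if len(words) >= 3 and [w.lower() for w in words[:2]] == ["match", "user"]:
            patterns.extend(p for p in words[2].split(",") if p)
    return patterns

def case_bypass_logins(config_text, log_text):
    """Return (user, source, pattern) for accepted logins whose typed name
    matches a Match User pattern only when case is ignored."""
    patterns = match_user_patterns(config_text)
    findings = []
    for user, source in ACCEPTED.findall(log_text):
        if any(fnmatchcase(user, p) for p in patterns):
            continue  # exact-case match: the Match block applied to this login
        for p in patterns:
            if fnmatchcase(user.lower(), p.lower()):
                findings.append((user, source, p))
                break
    return findings

if __name__ == "__main__":
    for user, source, pattern in case_bypass_logins(SSHD_CONFIG, AUTH_LOG):
        print(f"{user} from {source}: differs only in case from Match User {pattern}")
```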



