[Freeipa-users] username case sensitivity

Jakub Hrozek jhrozek at redhat.com
Mon Jun 29 08:17:33 UTC 2015


On Fri, Jun 26, 2015 at 09:12:53PM -0400, Dmitri Pal wrote:
> On 05/18/2015 06:16 AM, Andy Thompson wrote:
> >>-----Original Message-----
> >>From: Jakub Hrozek [mailto:jhrozek at redhat.com]
> >>Sent: Monday, May 18, 2015 4:07 AM
> >>To: Andy Thompson
> >>Cc: freeipa-users at redhat.com
> >>Subject: Re: [Freeipa-users] username case sensitivity
> >>
> >>On Sun, May 17, 2015 at 10:26:45PM +0000, Andy Thompson wrote:
> >>>>-----Original Message-----
> >>>>From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
> >>>>bounces at redhat.com] On Behalf Of Jakub Hrozek
> >>>>Sent: Sunday, May 17, 2015 5:23 PM
> >>>>To: freeipa-users at redhat.com
> >>>>Subject: Re: [Freeipa-users] username case sensitivity
> >>>>
> >>>>On Fri, May 15, 2015 at 09:44:31PM +0200, Lukas Slebodnik wrote:
> >>>>>On (15/05/15 17:27), Andy Thompson wrote:
> >>>>>>Is there a way to enforce case sensitivity for trusted AD users?
> >>>>>>I am trying to use username for ssh chroots and I can authenticate
> >>>>>>with any case combination of <UsERname> but if ssh is set to match
> >>>>>>on <username> then the chroot is not enforced and the user is
> >>>>>>dropped to their usual home directory.  I found a case_sensitive
> >>>>>>option for sssd but it does not seem to have any effect.
> >>>>>>Running RHEL6.6 clients.
> >>>>>IPA domain is by default case sensitive.
> >>>>>So you will not change anything if you put "case_sensitive = true"
> >>>>>into domain section of sssd.conf.
> >>>>>
> >>>>>But SSSD will create subdomains for each AD domain. It is
> >>>>>different id_provider therefore different default values are used
> >>>>>for subdomains and for AD provider it is case *insensitive* by default.
> >>>>>
> >>>>>Currently there's no way to change it for subdomains (AD trusted
> >>>>>domains)
> >>>>>
> >>>>What are you using for the SSH matching? The way the case
> >>>>insensitiveness is implemented in SSSD is that all usernames are
> >>>>forcibly lowercased on output, so as long as SSH uses the standard
> >>>>NSS calls, you should be good with using the lowercase usernames.
> >>>>
> >>>They were initially all in lower case and working when I tested and
> >>>finalized the setup.  I passed the credentials off and they used mixed
> >>>case and the match stopped working.
> >>
> >>What is "they" ? I guess not SSSD but grabbing the data directly from LDAP?
> >The match clauses in the sshd config were set to use lower case names.  It is using sssd, just a regular ipa client installation.  If I logged in using USERName instead of username, the match clause did not work.
> >
> >-andy
> >
> Do we have any follow up on this thread? Have we closed the loop and filed a
> ticket?
> I had a couple of complaints about a similar matter during Red Hat Summit.
> It seems that this is one of the emerging issues for the trust environments.

I wonder if it's still an issue with 1.12.x and the Kerberos plugin
Sumit wrote. Do we have a way to track these requests?

Andy, if you have some test machines, could you give 6.7 a try?
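
Added example, not part of the original message or of any FreeIPA/SSSD code: a log audit for the failure mode reported in this thread, where a mixed-case login is accepted but the lower-case Match User clause (and its chroot) is not applied. The log lines, account names and addresses are constructed, MATCH_USERS is a hypothetical list of names from the Match User lines, and the script assumes sshd logs the name as the client typed it.

```python
import re

# Constructed sample of sshd auth log lines (not taken from the thread).
SAMPLE_LOG = """\
Jun 29 08:01:12 host1 sshd[2101]: Accepted password for jdoe@ad.example.com from 192.0.2.10 port 50122 ssh2
Jun 29 08:03:40 host1 sshd[2144]: Accepted password for JDoe@AD.EXAMPLE.COM from 192.0.2.10 port 50190 ssh2
Jun 29 08:05:02 host1 sshd[2150]: Failed password for JDOE@ad.example.com from 192.0.2.44 port 40110 ssh2
Jun 29 08:09:57 host1 sshd[2203]: Accepted publickey for Chrootuser from 192.0.2.77 port 41888 ssh2
Jun 29 08:11:30 host1 sshd[2230]: Accepted password for localadmin from 192.0.2.5 port 40001 ssh2
"""

# Hypothetical names written in lower case on "Match User" lines in sshd_config.
MATCH_USERS = {"jdoe@ad.example.com", "chrootuser"}

# Captures auth method, login name and source address of successful logins.
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")


def match_user_applies(typed, match_users):
    """Model of the behaviour reported in the thread: exact, case-sensitive compare."""
    return typed in match_users


def find_match_bypasses(log_text, match_users):
    """Return (typed_name, source_ip) for accepted logins that resolve to a
    Match User account once lowercased but did not match as typed."""
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if not m:
            continue  # failed logins and unrelated lines are ignored
        typed, src = m.group(2), m.group(3)
        canonical = typed.lower()  # SSSD lowercases names on output
        if canonical in match_users and not match_user_applies(typed, match_users):
            hits.append((typed, src))
    return hits


if __name__ == "__main__":
    for typed, src in find_match_bypasses(SAMPLE_LOG, MATCH_USERS):
        print(f"Match User not applied: {typed!r} from {src}")
```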
