[Freeipa-users] username case sensitivity

Jakub Hrozek jhrozek at redhat.com
Mon May 18 08:07:08 UTC 2015


On Sun, May 17, 2015 at 10:26:45PM +0000, Andy Thompson wrote:
> > -----Original Message-----
> > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
> > bounces at redhat.com] On Behalf Of Jakub Hrozek
> > Sent: Sunday, May 17, 2015 5:23 PM
> > To: freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] username case sensitivity
> > 
> > On Fri, May 15, 2015 at 09:44:31PM +0200, Lukas Slebodnik wrote:
> > > On (15/05/15 17:27), Andy Thompson wrote:
> > > > >Is there a way to enforce case sensitivity for trusted AD users?  I am
> > > > >trying to use username for ssh chroots and I can authenticate with
> > > > >any case combination of <UsERname> but if ssh is set to match on
> > > > ><username> then the chroot is not enforced and the user is dropped to
> > > > >their usual home directory.  I found a case_sensitive option for sssd but it
> > > > >does not seem to have any effect.  Running RHEL6.6 clients.
> > > >
> > >
> > > > The IPA domain is case sensitive by default.
> > > > So you will not change anything if you put "case_sensitive = true"
> > > > into the domain section of sssd.conf.
> > > >
> > > > But SSSD will create subdomains for each AD domain. It is a different
> > > > id_provider, therefore different default values are used for subdomains,
> > > > and for the AD provider it is case *insensitive* by default.
> > > >
> > > > Currently there's no way to change it for subdomains (AD trusted
> > > > domains).
> > >
> > 
> > What are you using for the SSH matching? The way the case insensitiveness is
> > implemented in SSSD is that all usernames are forcibly lowercased on output,
> > so as long as SSH uses the standard NSS calls, you should be good with using
> > the lowercase usernames.
> > 
> 
> They were initially all in lower case and working when I tested and finalized the setup.  I passed the credentials off and they used mixed case and the match stopped working.

What is "they"? I guess not SSSD but grabbing the data directly from
LDAP?



