[Freeipa-users] username case sensitivity

Andy Thompson Andy.Thompson at e-tcc.com
Mon May 18 10:16:37 UTC 2015


> -----Original Message-----
> From: Jakub Hrozek [mailto:jhrozek at redhat.com]
> Sent: Monday, May 18, 2015 4:07 AM
> To: Andy Thompson
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] username case sensitivity
> 
> On Sun, May 17, 2015 at 10:26:45PM +0000, Andy Thompson wrote:
> > > -----Original Message-----
> > > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
> > > bounces at redhat.com] On Behalf Of Jakub Hrozek
> > > Sent: Sunday, May 17, 2015 5:23 PM
> > > To: freeipa-users at redhat.com
> > > Subject: Re: [Freeipa-users] username case sensitivity
> > >
> > > On Fri, May 15, 2015 at 09:44:31PM +0200, Lukas Slebodnik wrote:
> > > > On (15/05/15 17:27), Andy Thompson wrote:
> > > > >Is there a way to enforce case sensitivity for trusted AD users?
> > > > >I am trying to use username for ssh chroots and I can authenticate
> > > > >with any case combination of <UsERname> but if ssh is set to match
> > > > >on <username> then the chroot is not enforced and the user is
> > > > >dropped to their usual home directory.  I found a case_sensitive
> > > > >option for sssd but it does not seem to have any effect.
> > > > >Running RHEL6.6 clients.
> > > > >
> > > >
> > > > IPA domain is by default case sensitive.
> > > > So you will not change anything if you put "case_sensitive = true"
> > > > into domain section of sssd.conf.
> > > >
> > > > But SSSD will create subdomains for each AD domain. It is
> > > > different id_provider therefore different default values are used
> > > > for subdomains and for AD provider it is case *insensitive* by default.
> > > >
> > > > Currently there's no way to change it for subdomains (AD trusted
> > > > domains)
> > > >
> > >
> > > What are you using for the SSH matching? The way the case
> > > insensitiveness is implemented in SSSD is that all usernames are
> > > forcibly lowercased on output, so as long as SSH uses the standard
> > > NSS calls, you should be good with using the lowercase usernames.
> > >
> >
> > They were initially all in lower case and working when I tested and finalized
> > the setup.  I passed the credentials off and they used mixed case and the
> > match stopped working.
> 
> What is "they" ? I guess not SSSD but grabbing the data directly from LDAP?

The match clauses in the sshd config were set to use lower case names.  It is using sssd, just a regular ipa client installation.  If I logged in using USERName instead of username, the match clause did not work.

-andy
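
Added example, not part of the original message or of any project's code: a small audit helper that models the behaviour reported in this thread, where a `Match User` block that sets `ChrootDirectory` applies to the lowercase name but not to a mixed-case spelling of the same account. It assumes sshd compares the pattern case-sensitively against the name as typed; the sample config, the function names and the user names are constructed for illustration.

```python
import fnmatch

# Constructed sample sshd_config fragment (not taken from the thread).
SAMPLE_CONFIG = """\
Subsystem sftp internal-sftp
Match User sftpuser,upload*
    ChrootDirectory /srv/chroot/%u
    ForceCommand internal-sftp
Match Group admins
    X11Forwarding no
"""


def chroot_user_patterns(config_text):
    """Return the User patterns of every Match block that sets ChrootDirectory."""
    patterns, current = [], None
    for raw in config_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        key = words[0].lower()
        if key == "match":
            current = []  # a new block starts; no User criterion seen yet
            # Criteria come as keyword/value pairs, e.g. "User a,b Group c".
            for crit, value in zip(words[1::2], words[2::2]):
                if crit.lower() == "user":
                    current = value.split(",")
        elif key == "chrootdirectory" and current:
            patterns.extend(current)
    return patterns


def matches(name, patterns):
    # Assumption from the thread: the comparison is case-sensitive and uses
    # the name as typed. Negated ("!") patterns are ignored in this model.
    return any(fnmatch.fnmatchcase(name, p)
               for p in patterns if not p.startswith("!"))


def escapes_chroot(typed_name, config_text):
    """True when the lowercased name is chrooted but the typed spelling is not."""
    patterns = chroot_user_patterns(config_text)
    return matches(typed_name.lower(), patterns) and not matches(typed_name, patterns)


if __name__ == "__main__":
    for name in ("sftpuser", "SFTPuser", "Upload01", "admin"):
        print(name, "-> chroot not applied:", escapes_chroot(name, SAMPLE_CONFIG))
```

Run against a real `sshd_config` and the login names seen in authentication logs, this flags sessions where a case-insensitive identity domain accepted the login but the chroot block did not apply.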



