On 05/18/2015 06:16 AM, Andy Thompson wrote:
-----Original Message-----
From: Jakub Hrozek [mailto:jhro...@redhat.com]
Sent: Monday, May 18, 2015 4:07 AM
To: Andy Thompson
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] username case sensitivity

On Sun, May 17, 2015 at 10:26:45PM +0000, Andy Thompson wrote:
-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
boun...@redhat.com] On Behalf Of Jakub Hrozek
Sent: Sunday, May 17, 2015 5:23 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] username case sensitivity

On Fri, May 15, 2015 at 09:44:31PM +0200, Lukas Slebodnik wrote:
On (15/05/15 17:27), Andy Thompson wrote:
Is there a way to enforce case sensitivity for trusted AD users?
I am trying to use username for ssh chroots and I can authenticate
with any case combination of <UsERname> but if ssh is set to match
on <username> then the chroot is not enforced and the user is
dropped to their usual home directory.  I found a case_sensitive
option for sssd but it does not seem to have any effect.
Running RHEL6.6 clients.

IPA domain is by default case sensitive.
So you will not change anything if you put "case_sensitive = true"
into domain section of sssd.conf.

But SSSD will create subdomains for each AD domain. It is
different id_provider therefore different default values are used
for subdomains and for AD provider it is case *insensitive* by default.

Currently there's no way how to change it for subdomains (AD

What are you using for the SSH matching? The way the case
insensitiveness is implemented in SSSD is that all usernames are
forcibly lowercased on output, so as long as SSH uses the standard
NSS calls, you should be good with using the lowercase usernames.

They were initially all in lower case and working  when I tested and finalized
the setup.  I passed the credentials off and they used mixed case and the
match stopped working.

What is "they"? I guess not SSSD but grabbing the data directly from LDAP?

The match clauses in the sshd config were set to use lower case names.  It is
using sssd, just a regular ipa client installation.  If I logged in using
USERName instead of username, the match clause did not work.


Do we have any follow up on this thread? Have we closed the loop and filed a ticket?
I had a couple of complaints about a similar matter during Red Hat Summit.
It seems that this is one of the emerging issues for the trust environments.

Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.
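
An audit sketch for the mismatch discussed in this thread, added here as an example (not code from the thread or from the SSSD or OpenSSH projects): it assumes, as reported above, that sshd compares `Match User` patterns case-sensitively with the login name as typed while SSSD returns the lowercased name, and it lists which spellings would skip a `ChrootDirectory` block. The sample config, account names and function names are constructed; negated patterns and other Match criteria are not handled.

```python
import fnmatch

# Constructed sshd_config fragment (account names and paths are hypothetical).
SAMPLE_SSHD_CONFIG = """\
Subsystem sftp internal-sftp
Match User aduser
    ChrootDirectory /srv/chroot/%u
    ForceCommand internal-sftp
Match User svc_*
    ChrootDirectory /srv/chroot/services
"""

def match_user_blocks(config_text):
    """Return [(patterns, {keyword: value})] for each 'Match User' block."""
    blocks, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, *rest = line.split(None, 1)
        value = rest[0] if rest else ""
        if keyword.lower() == "match":
            criteria = value.split()
            current = None  # any Match line ends the previous block
            if len(criteria) == 2 and criteria[0].lower() == "user":
                current = (criteria[1].split(","), {})
                blocks.append(current)
        elif current is not None:
            # Keep the first value seen for a keyword inside the block.
            current[1].setdefault(keyword.lower(), value.strip())
    return blocks

def chroot_for(config_text, typed_name):
    """ChrootDirectory selected when patterns are compared case-sensitively
    with the login name exactly as typed (the behaviour the thread reports)."""
    for patterns, settings in match_user_blocks(config_text):
        if "chrootdirectory" in settings and any(
                fnmatch.fnmatchcase(typed_name, p) for p in patterns):
            return settings["chrootdirectory"]
    return None

def unconfined_spellings(config_text, spellings):
    """Spellings whose lowercased (SSSD output) form is chrooted but whose
    typed form matches no chroot block."""
    return [s for s in spellings
            if chroot_for(config_text, s.lower()) is not None
            and chroot_for(config_text, s) is None]

if __name__ == "__main__":
    print(unconfined_spellings(SAMPLE_SSHD_CONFIG,
                               ["aduser", "ADUser", "Svc_backup", "root"]))
```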
