On 05/18/2015 06:16 AM, Andy Thompson wrote:
-----Original Message-----
From: Jakub Hrozek [mailto:jhro...@redhat.com]
Sent: Monday, May 18, 2015 4:07 AM
To: Andy Thompson
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] username case sensitivity
On Sun, May 17, 2015 at 10:26:45PM +0000, Andy Thompson wrote:
-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
boun...@redhat.com] On Behalf Of Jakub Hrozek
Sent: Sunday, May 17, 2015 5:23 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] username case sensitivity
On Fri, May 15, 2015 at 09:44:31PM +0200, Lukas Slebodnik wrote:
On (15/05/15 17:27), Andy Thompson wrote:
Is there a way to enforce case sensitivity for trusted AD users?
I am
trying to use username for ssh chroots and I can authenticated
with any case combination of <UsERname> but if ssh is set to match
on <username> then the chroot is not enforced and the user is
dropped to their usual home directory. I found a case_sensitive
option for sssd but it
does not
seem to have any affect. Running RHEL6.6 clients.
IPA domain is by default case sensitive.
So You will not change anything if you put "case_sensitive = true"
into domain section of sssd.conf.
But SSSD will create subdomains for each AD domain. It is
different id_provider therefore different default values are used
for subdomains and for AD provider it is case *insensitive* by default.
Currently there's no way how to change it for subdomains (AD
trusted
domains)
What are you using for the SSH matching? The way the case
insensitiveness is implemented in SSSD is that all usernames are
forcibly lowercased on output, so as long as SSH uses the standard
NSS calls, you should be good with using the lowecase usernames..
They were initially all in lower case and working when I tested and finalized
the setup. I passed the credentials off and they used mixed case and the
match stopped working.
What is "they" ? I guess not SSSD but grabbing the data directly from LDAP?
The match clauses in the sshd config were set to use lower case names. It is
using sssd, just a regular ipa client installation. If I logged in using
USERName insetad of username, the match clause did not work.
-andy
Do we have any follow up on this thread? Have we closed the loop and
filed a ticket.
I had couple complains of the similar matter during Red Hat Summit.
I seems that this is one of the emerging issues for the trust environments.
--
Thank you,
Dmitri Pal
Director of Engineering for IdM portfolio
Red Hat, Inc.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
