> -----Original Message-----
> From: Jakub Hrozek [mailto:[email protected]]
> Sent: Monday, May 18, 2015 4:07 AM
> To: Andy Thompson
> Cc: [email protected]
> Subject: Re: [Freeipa-users] username case sensitivity
>
> On Sun, May 17, 2015 at 10:26:45PM +0000, Andy Thompson wrote:
> > > -----Original Message-----
> > > From: [email protected] [mailto:freeipa-users-[email protected]] On Behalf Of Jakub Hrozek
> > > Sent: Sunday, May 17, 2015 5:23 PM
> > > To: [email protected]
> > > Subject: Re: [Freeipa-users] username case sensitivity
> > >
> > > On Fri, May 15, 2015 at 09:44:31PM +0200, Lukas Slebodnik wrote:
> > > > On (15/05/15 17:27), Andy Thompson wrote:
> > > > >Is there a way to enforce case sensitivity for trusted AD users? I am
> > > > >trying to use username for ssh chroots and I can authenticate
> > > > >with any case combination of <UsERname> but if ssh is set to match
> > > > >on <username> then the chroot is not enforced and the user is
> > > > >dropped to their usual home directory. I found a case_sensitive
> > > > >option for sssd but it does not
> > > > >seem to have any effect. Running RHEL6.6 clients.
> > > > >
> > > >
> > > > IPA domain is by default case sensitive.
> > > > So you will not change anything if you put "case_sensitive = true"
> > > > into domain section of sssd.conf.
> > > >
> > > > But SSSD will create subdomains for each AD domain. It is
> > > > different id_provider therefore different default values are used
> > > > for subdomains and for AD provider it is case *insensitive* by default.
> > > >
> > > > Currently there's no way how to change it for subdomains (AD trusted
> > > > domains)
> > > >
> > >
> > > What are you using for the SSH matching? The way the case
> > > insensitiveness is implemented in SSSD is that all usernames are
> > > forcibly lowercased on output, so as long as SSH uses the standard
> > > NSS calls, you should be good with using the lowercase usernames..
> > >
> >
> > They were initially all in lower case and working when I tested and finalized
> > the setup. I passed the credentials off and they used mixed case and the
> > match stopped working.
>
> What is "they" ? I guess not SSSD but grabbing the data directly from LDAP?

The match clauses in the sshd config were set to use lower case names. It is using sssd, just a regular ipa client installation. If I logged in using USERName instead of username, the match clause did not work.

-andy
