Hi guys,
We've been experimenting with PuTTY v0.61 and Windows SSO authentication, e.g. you log into Windows with username "tim", then load up PuTTY and try to connect to a RHEL6 machine; it passes along your Windows GSSAPI credentials and automatically logs you in to the RHEL6 box.
SSSD has been configured to talk to Active Directory like so:
[domain/KRB5DOMAIN]
enumerate = True
ldap_id_use_start_tls = False
cache_credentials = True
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
debug_level = 1

ldap_schema = rfc2307bis
ldap_force_upper_case_realm = True
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_user_name = msSFU30Name
ldap_user_member_of = msSFU30PosixMemberOf
ldap_group_member = msSFU30PosixMember

access_provider = ldap
ldap_uri = ldap://xxxx/
ldap_search_base = xxx
ldap_user_search_base = xxx
ldap_group_search_base = xxx
ldap_sasl_mech = gssapi
ldap_sasl_authid = xxx
ldap_krb5_keytab = xxx
ldap_krb5_init_creds = true
ldap_tls_cacertdir = /etc/openldap/cacerts
krb5_realm = xxx
krb5_kpasswd = xxx
krb5_server = xxx
What we're finding is that Windows, for some reason, stores the username in UPPERCASE and passes the uppercase value in the GSSAPI credentials. However, the username attribute in AD (msSFU30Name) stores the username in lowercase, which is the standard for Unix usernames and something we are very comfortable with.
Because the username comparison is case-sensitive, the user is denied access. If we hard-code the login name in putty to be lowercase it works, so I'm pretty sure the GSSAPI auth is working.
So, my question is: Is there a way to make the username comparison to LDAP case-insensitive? Or do we need to update our AD/LDAP to uppercase all the msSFU30Name attributes? Or is there another option?
I understand usernames should be compared case-sensitively to be POSIX compliant. I've just been asked to see if I can get this to work.
BTW I've been browsing trac and it looks like you were considering a "force_lowercase_names" config option at one point. Is this still under consideration? https://fedorahosted.org/sssd/ticket/246
Best regards,
Tim Gollschewsky.
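Added example, not part of Tim's e-mail or of SSSD's own code: a small model of the lookup that maps an authenticated Kerberos principal (as PuTTY's GSSAPI login would present it, e.g. TIM@EXAMPLE.COM) onto a POSIX account keyed by msSFU30Name, first with the case-sensitive comparison the mail describes and then with the case-folding behaviour a "force lowercase" style option would provide. The directory contents, the realm EXAMPLE.COM and the function names are constructed for the example. The security point it adds is the caveat that comes with case-insensitive matching: once case is folded, two directory entries that differ only by case ("Bob" and "bob") become one ambiguous match, and a safe lookup must refuse rather than pick one.

```python
"""Model of principal -> POSIX user lookup with optional case folding.

Added illustration; the directory below is constructed sample data,
not a real Active Directory export.
"""

import re

# Kerberos principal syntax: primary[/instance]@REALM
_PRINCIPAL_RE = re.compile(
    r"^(?P<primary>[^/@]+)(?:/(?P<instance>[^@]+))?@(?P<realm>[^@]+)$"
)

# Constructed sample: msSFU30Name -> uidNumber.
SAMPLE_DIRECTORY = {
    "tim": 10001,
    "alice": 10002,
    "Bob": 10003,   # mixed case on purpose ...
    "bob": 10004,   # ... and a distinct POSIX user differing only by case
}

TRUSTED_REALM = "EXAMPLE.COM"  # assumed realm name for the example


class AmbiguousUserError(Exception):
    """Raised when case folding makes more than one directory entry match."""


def parse_principal(principal):
    """Split 'primary[/instance]@REALM' into its three parts."""
    m = _PRINCIPAL_RE.match(principal)
    if not m:
        raise ValueError(f"malformed principal: {principal!r}")
    return m.group("primary"), m.group("instance"), m.group("realm")


def lookup_user(principal, directory=SAMPLE_DIRECTORY,
                case_sensitive=True, realm=TRUSTED_REALM):
    """Return the uidNumber for an authenticated principal, or None if denied.

    case_sensitive=True reproduces the behaviour described in the mail:
    'TIM' from Windows never matches the lowercase msSFU30Name 'tim'.
    case_sensitive=False folds case, but refuses ambiguous matches.
    """
    primary, instance, prealm = parse_principal(principal)
    if prealm != realm:
        return None                      # never map foreign-realm principals
    if instance is not None:
        return None                      # host/service principals are not login users
    if case_sensitive:
        return directory.get(primary)

    folded = primary.lower()
    matches = [name for name in directory if name.lower() == folded]
    if len(matches) > 1:
        # Two distinct POSIX accounts collapse onto one login name: deny
        # rather than guess, and log it as a directory hygiene problem.
        raise AmbiguousUserError(f"{primary!r} matches {sorted(matches)}")
    return directory[matches[0]] if matches else None


if __name__ == "__main__":
    print(lookup_user("TIM@EXAMPLE.COM"))                        # None: denied
    print(lookup_user("TIM@EXAMPLE.COM", case_sensitive=False))  # 10001
    try:
        lookup_user("BOB@EXAMPLE.COM", case_sensitive=False)
    except AmbiguousUserError as exc:
        print("refused:", exc)
```

Before turning on any case-insensitive matching against AD, the practical check is the one the last branch performs: search the msSFU30Name values for pairs that collide after lowercasing, because those accounts would become indistinguishable at login time.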