On Wed, Sep 25, 2019 at 06:25:06PM -0500, Spike White wrote:
Yes, true statement.
We also do not own AD -- only the Linux builds. The AD admins insist on
camel-case for group names and user names.
Yes, AD and Windows are case-insensitive. But Linux and Kerberos are not.
I know these logins by default are translated into lower-case names (which
is what we desire anyway). I forget which sssd setting does this
auto-lower-casing.
case_sensitive = true|false|preserving
false is the default for AD in the sense that everything is lowercased
and names match in case-insensitive manner.
true is the default for generic LDAP, names are returned in the original
case and must be matched in the original case
preserving is a little in between in the sense that the original case is
returned but you can match on any case.
BTW, that would be a cool RFE for pam_sss.so to return cache entries if
sssd service down or wedged. I imagine it'd be a flag on the auth
pam_sss.so line that you're add to enable this.
Do you think it is needed over the case_sensitive option?