- Bug
- Resolution: Done-Errata
- Minor
- rhel-7.9
- sssd-2.9.4-2.el9
- None
- None
- rhel-sst-idm-sssd
- ssg_idm
- 24
- 25
- 0
- False
- None
- Red Hat Enterprise Linux
- None
- Pass
- Automated
- None
Issue:
If a user enters their email address in a case-sensitive manner, they are not allowed to log in.
~~~~~~~~~
[root@uls-ot-sssd02 ~]# date ; ssh yash.agarwal@wdc.com@uls-ot-sssd02 ; date
Tue Oct 10 02:00:20 UTC 2023
Password:
Last login: Tue Oct 10 01:56:24 2023 from uls-ot-sssd02.ad.shared
[7340386@uls-ot-sssd02 ~]$ date ; ssh Yash.Agarwal@wdc.com@uls-ot-sssd02 ; date
Tue Oct 10 02:00:46 UTC 2023
Password:
Password:
Password:
Yash.Agarwal@wdc.com@uls-ot-sssd02's password:
[7340386@uls-ot-sssd02 ~]$
~~~~~~~~~
The '*@wdc.com' name is found as an alias through the email address. Unfortunately, the email address is currently indexed case-sensitively for searches.
After the SSSD cache is removed, the workaround has to be applied again.
Expected results: if a user enters their email address in a case-sensitive manner, login should work, also after the SSSD cache has been cleared.
Version-Release number of selected component (if applicable):
sssd-1.16.5-10.el7_9.15.x86_64
WORKAROUND:
[1] Verify that the 'mail' attribute is indexed case-sensitively; the command is:
~~~~~~~~~
ldbsearch -H /var/lib/sss/db/cache_ad.shared.ldb -b '@ATTRIBUTES' -s base
~~~~~~~~~
should return something similar to
asq: Unable to register control with rootdse!
# record 1
dn: @ATTRIBUTES
canonicalUserPrincipalName: CASE_INSENSITIVE
cn: CASE_INSENSITIVE
dc: CASE_INSENSITIVE
dn: CASE_INSENSITIVE
ipHostNumber: CASE_INSENSITIVE
ipNetworkNumber: CASE_INSENSITIVE
objectclass: CASE_INSENSITIVE
originalDN: CASE_INSENSITIVE
userPrincipalName: CASE_INSENSITIVE
distinguishedName: @ATTRIBUTES
# returned 1 records
# 1 entries
# 0 referrals
there should be no line starting with 'mail:'
[2] Create an LDIF file /tmp/ldb-mail.ldif with the following content:
~~~~~~~~~
dn: @ATTRIBUTES
changetype: modify
add: mail
mail: CASE_INSENSITIVE
~~~~~~~~~
[3] apply the change by calling:
~~~~~~~~
ldbmodify -H /var/lib/sss/db/cache_ad.shared.ldb /tmp/ldb-mail.ldif
~~~~~~~~
[4] verify that now the 'mail' attribute is indexed case-insensitive:
~~~~~~~~~~~~
ldbsearch -H /var/lib/sss/db/cache_ad.shared.ldb -b '@ATTRIBUTES' -s base
asq: Unable to register control with rootdse!
# record 1
dn: @ATTRIBUTES
canonicalUserPrincipalName: CASE_INSENSITIVE
cn: CASE_INSENSITIVE
dc: CASE_INSENSITIVE
dn: CASE_INSENSITIVE
ipHostNumber: CASE_INSENSITIVE
ipNetworkNumber: CASE_INSENSITIVE
objectclass: CASE_INSENSITIVE
originalDN: CASE_INSENSITIVE
userPrincipalName: CASE_INSENSITIVE
mail: CASE_INSENSITIVE
distinguishedName: @ATTRIBUTES
# returned 1 records
# 1 entries
# 0 referrals
~~~~~~~~~~~~~
Now there is a line 'mail: CASE_INSENSITIVE'
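The four steps above, wrapped into one idempotent script that can be re-run after the cache is removed. This is an added example, not part of the bug report, of the errata or of SSSD itself. It assumes ldb-tools (ldbsearch/ldbmodify) is installed, that it runs as root, and that the cache files are named cache_<domain>.ldb under /var/lib/sss/db; the function names and the SSSD_MAIL_INDEX_APPLY variable are the example's own.

```shell
#!/bin/sh
# Added example, not from the bug report: idempotent wrapper around the
# four-step workaround. It reads the @ATTRIBUTES record of an SSSD cache ldb
# and adds 'mail: CASE_INSENSITIVE' only when that index is missing.
# Assumptions (not stated on the page): ldb-tools installed, running as root,
# cache files named /var/lib/sss/db/cache_<domain>.ldb.
set -e

LDB_DIR=/var/lib/sss/db

# True (exit 0) when the @ATTRIBUTES dump read from stdin has no
# case-insensitive index for 'mail'. Only a line that is exactly
# 'mail: CASE_INSENSITIVE' counts; the 'asq: ...' warning, '# ...' comments
# and other attributes (userPrincipalName, email-like names) are ignored.
mail_index_missing() {
    ! grep -qx 'mail: CASE_INSENSITIVE'
}

# The LDIF from step [2], on stdout, so it can go to a private temp file
# instead of a fixed, predictable path in /tmp.
mail_index_ldif() {
    printf '%s\n' 'dn: @ATTRIBUTES' 'changetype: modify' 'add: mail' 'mail: CASE_INSENSITIVE'
}

# Dump the @ATTRIBUTES record of one cache database (steps [1] and [4]).
dump_attributes() {
    ldbsearch -H "$1" -b '@ATTRIBUTES' -s base 2>/dev/null
}

# Add the index to one cache file if needed and verify it afterwards.
# Returns 0 if the index is present at the end, 1 if ldbmodify did not take,
# 2 if the file does not exist (ldbmodify would otherwise create a stray db).
ensure_mail_index() {
    ldb=$1
    if [ ! -f "$ldb" ]; then
        echo "$ldb: no such cache file, skipping" >&2
        return 2
    fi
    if dump_attributes "$ldb" | mail_index_missing; then
        echo "$ldb: adding case-insensitive index for 'mail'"
        ldif=$(mktemp /tmp/ldb-mail.XXXXXX)
        mail_index_ldif >"$ldif"
        if ! ldbmodify -H "$ldb" "$ldif"; then
            rm -f "$ldif"
            echo "$ldb: ldbmodify failed" >&2
            return 1
        fi
        rm -f "$ldif"
        # Re-read the record so a silent failure is not reported as success.
        if dump_attributes "$ldb" | mail_index_missing; then
            echo "$ldb: index still missing after ldbmodify" >&2
            return 1
        fi
    else
        echo "$ldb: 'mail' is already CASE_INSENSITIVE, nothing to do"
    fi
}

# Apply to every domain cache; set SSSD_MAIL_INDEX_APPLY=1 to actually run.
main() {
    for ldb in "$LDB_DIR"/cache_*.ldb; do
        ensure_mail_index "$ldb" || true
    done
}

if [ "${SSSD_MAIL_INDEX_APPLY:-0}" = 1 ]; then
    main
fi
```

Because the index lives inside the cache database, it disappears together with the cache file, which is why the report says the workaround has to be reapplied; running this script again after the cache is removed restores it without touching databases that already have the index. The script refuses to operate on a path that does not exist and re-reads the record after ldbmodify rather than trusting the exit status alone.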
sssd.conf file:
~~~~~~~~~
[sssd]
domains = ad.shared
#domains = wdc.com
config_file_version = 2
services = nss, pam
debug_level = 9
[nss]
homedir_substring = /home
debug_level = 9
[domain/ad.shared]
ad_domain = ad.shared
#ad_hostname = uls-ot-sssd02.wdc.com
timeout = 150
krb5_realm = AD.SHARED
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
krb5_auth_timeout = 30
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = simple
#simple_allow_users = yash.agarwal@wdc.com
simple_allow_groups = it-infra-linux-support@ad.shared
ad_gpo_ignore_unreadable = True
ldap_user_principal = nosuchattr
#full_name_format = %1$s
ignore_group_members = true
ad_enable_gc = False
case_sensitive = False
ldap_use_tokengroups = false
dns_resolver_timeout = 60
dyndns_update = false
#ad_server = ad.shared
#dyndns_refresh_interval = 43200
#dyndns_update_ptr = false
#dyndns_ttl = 3600
debug_level = 9
~~~~~~~~~
- links to: RHBA-2023:121961 sssd bug fix and enhancement update
- mentioned on