What were you trying to do that didn't work?
Faillock is not considering the exact (case-sensitive) match of the AD user as it is on the AD server. For example, if the user "TesT1234" exists on AD, then the user can log in on the RHEL client with any of the case combinations like Test1234, test1234, TeSt1234, and faillock treats each of them as a different account when locking them as they are accessed.
What is the impact of this issue to you?
Possibly a security breach, as it gives more chances for login attempts with an AD/domain user even if faillock is configured for 3 denials.
Please provide the package NVR for which the bug is seen:
How reproducible is this bug?:
Reproduced as below:
====================
$ cat /etc/security/faillock.conf | grep -v -e "^#"
deny=2
unlock_time=1200
silent
$ authselect current
Profile ID: sssd
Enabled features:
- with-mkhomedir
- with-faillock
1] User "TesT1234" exists on AD.
$ id TesT1234
uid=851801186(test1234) gid=851800513(domain users) groups=851800513(domain users)
2] [root@ad-joined-rhel8 ~]# id test1234
uid=851801186(test1234) gid=851800513(domain users) groups=851800513(domain users)
3] Now when I tried to log in using the string Test1234 with a wrong password, this string for the user is locked:
--------
[root@ad-joined-rhel8 ~]# faillock --user Test1234
Test1234:
When Type Source Valid
2024-09-26 09:18:53 RHOST ::1 V
2024-09-26 09:18:57 RHOST ::1 V
- But it did not lock TesT1234 or test1234:
[root@ad-joined-rhel8 ~]# faillock --user test1234
test1234:
When Type Source Valid
--------
4] But it can log in using any of the other combinations like test1234, TesT1234:
--------
[root@ad-joined-rhel8 ~]# ssh test1234@localhost
test1234@localhost's password:
Activate the web console with: systemctl enable --now cockpit.socket
Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard
Last login: Thu Sep 26 09:03:35 2024 from ::1
[test1234@ad-joined-rhel8 ~]$
[root@ad-joined-rhel8 ~]# ssh TesT1234@localhost
TesT1234@localhost's password:
Activate the web console with: systemctl enable --now cockpit.socket
Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard
Last failed login: Thu Sep 26 09:36:13 EDT 2024 from ::1 on ssh:notty
There were 2 failed login attempts since the last successful login.
Last login: Thu Sep 26 09:32:24 2024 from ::1
--------
Expected results
The AD user test1234 should be locked after N login attempts even if it is accessed with any case combination like TesT1234, Test1234, etc.
Actual results
The AD user is able to log in with other case (lower/upper) combinations.
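An added example, not part of the original bug report and not faillock's own code: an audit script that folds faillock's per-string tallies into per-account tallies so an administrator can see when the combined failures for one AD account already exceed `deny` while some spellings are still accepting logins. It parses the text format `faillock` prints (the same layout as in the report) and the `deny=` line from faillock.conf; both inputs below are constructed samples. It assumes, as the `id` output in the report shows, that every case variant of an AD login string resolves to the same account, so lowercasing is the fold; on a host mixing local and AD accounts you would map each string through its resolved uid instead.

```python
"""Fold faillock's per-login-string tallies into per-account tallies.

faillock keys its records on the exact string used at login, so "Test1234",
"TEST1234" and "test1234" are counted separately even though SSSD resolves
them to one AD account. This script (an added example, not faillock code)
aggregates them and flags accounts whose combined failures have reached
`deny` while at least one spelling is still below the threshold.
"""
import re
from collections import defaultdict

# Constructed sample of `faillock` output (no --user filter lists every
# tracked name), in the layout shown in the report. Not real data.
SAMPLE_FAILLOCK_OUTPUT = """\
Test1234:
When                Type  Source                                           Valid
2024-09-26 09:18:53 RHOST ::1                                              V
2024-09-26 09:18:57 RHOST ::1                                              V
TEST1234:
When                Type  Source                                           Valid
2024-09-26 09:20:01 RHOST ::1                                              V
test1234:
When                Type  Source                                           Valid
alice:
When                Type  Source                                           Valid
2024-09-26 09:21:10 RHOST 10.0.0.5                                         I
"""

# Constructed /etc/security/faillock.conf content matching the report.
SAMPLE_FAILLOCK_CONF = """\
# comment line, ignored
deny=2
unlock_time=1200
silent
"""

# One failure record: timestamp, type, source, and V (valid) or I (invalid).
RECORD_RE = re.compile(
    r"^(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<type>\S+)\s+"
    r"(?P<source>\S+)\s+(?P<valid>[VI])\s*$"
)


def parse_deny(conf_text, default=3):
    """Return the deny= threshold from faillock.conf text.

    pam_faillock's built-in default when deny= is absent is 3.
    """
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("deny="):
            return int(line.split("=", 1)[1])
    return default


def parse_faillock_output(text):
    """Map each exact login string to its number of records marked V.

    Records faillock shows as I (invalidated) are not counted, mirroring the
    fact that faillock does not count them toward deny either.
    """
    tallies = {}
    current = None
    for line in text.splitlines():
        if line.endswith(":") and not line.startswith("When"):
            current = line[:-1]          # "Test1234:" -> "Test1234"
            tallies.setdefault(current, 0)
            continue
        m = RECORD_RE.match(line)
        if m and current is not None and m.group("valid") == "V":
            tallies[current] += 1
    return tallies


def canonical_name(login_string):
    """Fold a login string to one account key.

    Assumption (from the report's `id` output): every case variant of an AD
    name resolves to the same uid, so lowercasing is a safe fold here.
    """
    return login_string.lower()


def per_account_tallies(per_string):
    """Group per-string tallies by canonical account name."""
    acct = defaultdict(lambda: {"total": 0, "variants": {}})
    for name, count in per_string.items():
        key = canonical_name(name)
        acct[key]["total"] += count
        acct[key]["variants"][name] = count
    return dict(acct)


def find_case_split_bypass(faillock_output, faillock_conf):
    """Return accounts whose combined failures reach deny across spellings
    while at least one spelling is still below deny (still accepts logins)."""
    deny = parse_deny(faillock_conf)
    flagged = {}
    for key, info in per_account_tallies(parse_faillock_output(faillock_output)).items():
        locked = [v for v, c in info["variants"].items() if c >= deny]
        open_ = [v for v in info["variants"] if v not in locked]
        if info["total"] >= deny and open_:
            flagged[key] = {"total": info["total"], "deny": deny,
                            "locked_variants": locked, "open_variants": open_}
    return flagged


if __name__ == "__main__":
    for acct, info in find_case_split_bypass(SAMPLE_FAILLOCK_OUTPUT, SAMPLE_FAILLOCK_CONF).items():
        print(f"{acct}: {info['total']} failures across "
              f"{len(info['locked_variants']) + len(info['open_variants'])} spellings "
              f"(deny={info['deny']}); still accepting: {', '.join(info['open_variants'])}")
```

On a real host you would replace the two constructed strings with the output of `faillock` and the contents of `/etc/security/faillock.conf`; the script only reports the case-split condition, it does not change faillock's state.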