...
Issue: If a user logs in with their email address in a different letter case than the one stored (for example Yash.Agarwal@wdc.com instead of yash.agarwal@wdc.com), the login fails.

~~~~~~~~~
[root@uls-ot-sssd02 ~]# date ; ssh yash.agarwal@wdc.com@uls-ot-sssd02 ; date
Tue Oct 10 02:00:20 UTC 2023
Password:
Last login: Tue Oct 10 01:56:24 2023 from uls-ot-sssd02.ad.shared
[7340386@uls-ot-sssd02 ~]$ date ; ssh Yash.Agarwal@wdc.com@uls-ot-sssd02 ; date
Tue Oct 10 02:00:46 UTC 2023
Password:
Password:
Password:
Yash.Agarwal@wdc.com@uls-ot-sssd02's password:
[7340386@uls-ot-sssd02 ~]$
~~~~~~~~~

The '*@wdc.com' name is found as an alias of the email address. Unfortunately, the email address is currently indexed case-sensitively for searches in the SSSD cache. After the SSSD cache is removed, the workaround below has to be applied again.

Expected results: Logging in with the email address in any letter case should work, and should keep working after the SSSD cache has been cleared.

Version-Release number of selected component (if applicable): sssd-1.16.5-10.el7_9.15.x86_64

WORKAROUND:

[1] Verify that the 'mail' attribute is indexed case-sensitively; the command is:
~~~~~~~~~
ldbsearch -H /var/lib/sss/db/cache_ad.shared.ldb -b '@ATTRIBUTES' -s base
~~~~~~~~~
It should return something similar to:
~~~~~~~~~
asq: Unable to register control with rootdse!
# record 1
dn: @ATTRIBUTES
canonicalUserPrincipalName: CASE_INSENSITIVE
cn: CASE_INSENSITIVE
dc: CASE_INSENSITIVE
dn: CASE_INSENSITIVE
ipHostNumber: CASE_INSENSITIVE
ipNetworkNumber: CASE_INSENSITIVE
objectclass: CASE_INSENSITIVE
originalDN: CASE_INSENSITIVE
userPrincipalName: CASE_INSENSITIVE
distinguishedName: @ATTRIBUTES

# returned 1 records
# 1 entries
# 0 referrals
~~~~~~~~~
There should be no line starting with 'mail:'.

[2] Create the LDIF file /tmp/ldb-mail.ldif with the following content:
~~~~~~~~~
dn: @ATTRIBUTES
changetype: modify
add: mail
mail: CASE_INSENSITIVE
~~~~~~~~~

[3] Apply the change by calling:
~~~~~~~~~
ldbmodify -H /var/lib/sss/db/cache_ad.shared.ldb /tmp/ldb-mail.ldif
~~~~~~~~~

[4] Verify that the 'mail' attribute is now indexed case-insensitively:
~~~~~~~~~
ldbsearch -H /var/lib/sss/db/cache_ad.shared.ldb -b '@ATTRIBUTES' -s base
asq: Unable to register control with rootdse!
# record 1
dn: @ATTRIBUTES
canonicalUserPrincipalName: CASE_INSENSITIVE
cn: CASE_INSENSITIVE
dc: CASE_INSENSITIVE
dn: CASE_INSENSITIVE
ipHostNumber: CASE_INSENSITIVE
ipNetworkNumber: CASE_INSENSITIVE
objectclass: CASE_INSENSITIVE
originalDN: CASE_INSENSITIVE
userPrincipalName: CASE_INSENSITIVE
mail: CASE_INSENSITIVE
distinguishedName: @ATTRIBUTES

# returned 1 records
# 1 entries
# 0 referrals
~~~~~~~~~
Now there is a line 'mail: CASE_INSENSITIVE'.

sssd.conf file:
~~~~~~~~~
[sssd]
domains = ad.shared
#domains = wdc.com
config_file_version = 2
services = nss, pam
debug_level = 9

[nss]
homedir_substring = /home
debug_level = 9

[domain/ad.shared]
ad_domain = ad.shared
#ad_hostname = uls-ot-sssd02.wdc.com
timeout = 150
krb5_realm = AD.SHARED
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
krb5_auth_timeout = 30
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = simple
#simple_allow_users = yash.agarwal@wdc.com
simple_allow_groups = it-infra-linux-support@ad.shared
ad_gpo_ignore_unreadable = True
ldap_user_principal = nosuchattr
#full_name_format = %1$s
ignore_group_members = true
ad_enable_gc = False
case_sensitive = False
ldap_use_tokengroups = false
dns_resolver_timeout = 60
dyndns_update = false
#ad_server = ad.shared
#dyndns_refresh_interval = 43200
#dyndns_update_ptr = false
#dyndns_ttl = 3600
debug_level = 9
~~~~~~~~~
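As an added check (my own script, not part of the bug report or of SSSD), the following parses the ldbsearch '@ATTRIBUTES' output from step [1] and emits the step [2] LDIF only when the 'mail' index flag is missing, so the workaround can be re-applied safely after every cache removal. The sample output is constructed from the report; the cache path for the ad.shared domain and the 'replace:' branch are my assumptions.

```python
import subprocess
from typing import Dict, Optional, Tuple

# Assumed path of the ad.shared cache named in the report's sssd.conf.
CACHE_LDB = "/var/lib/sss/db/cache_ad.shared.ldb"

# Constructed sample: ldbsearch '@ATTRIBUTES' output before the workaround.
SAMPLE_BEFORE = """asq: Unable to register control with rootdse!
# record 1
dn: @ATTRIBUTES
cn: CASE_INSENSITIVE
dn: CASE_INSENSITIVE
userPrincipalName: CASE_INSENSITIVE
distinguishedName: @ATTRIBUTES

# returned 1 records
"""

def parse_attributes_record(text: str) -> Tuple[str, Dict[str, str]]:
    """Return (record DN, {attribute: index flag}); the first 'dn:' names the
    record, a later 'dn:' line is ldb's index flag for the 'dn' attribute."""
    record_dn, flags = "", {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition(":")
        if not sep or name.startswith("#") or name == "asq":  # comments, warning, blanks
            continue
        name, value = name.strip(), value.strip()
        if name == "dn" and not record_dn:
            record_dn = value
        else:
            flags[name] = value
    return record_dn, flags

def workaround_ldif(text: str) -> Optional[str]:
    """LDIF for step [2], or None when 'mail' is already CASE_INSENSITIVE.
    A 'mail' flag with another value gets 'replace:' (my extension of the report)."""
    dn, flags = parse_attributes_record(text)
    if dn != "@ATTRIBUTES":
        raise ValueError("not an @ATTRIBUTES record: %r" % dn)
    if flags.get("mail") == "CASE_INSENSITIVE":
        return None
    op = "replace" if "mail" in flags else "add"  # 'add' would fail on an existing flag
    return f"dn: @ATTRIBUTES\nchangetype: modify\n{op}: mail\nmail: CASE_INSENSITIVE\n"

def check_live_cache(path: str = CACHE_LDB) -> Optional[str]:
    """Run the report's step [1] command on a real host (needs ldb-tools)."""
    cmd = ["ldbsearch", "-H", path, "-b", "@ATTRIBUTES", "-s", "base"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return workaround_ldif(out)
```

Feed the returned LDIF to ldbmodify as in step [3]; a None result means the cache already has the flag and nothing needs to be applied.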
Done-Errata