Dear all,
I'm running CentOS 7.3 with SSSD. I'm using sssd-ad to talk to an AD backend. Group names in the AD contain capitals.
When sssd-ad is working normally, group names returned are all lowercase. However, when the AD backend goes offline, group names returned from the SSSD cache contain capitals.
The change in case breaks stuff (sshd's AllowGroups, for one).
Has anybody else seen this behavior? Is there a way to make the group names uniform, whether they come from sssd-ad or the cache?
Best,
Robbert
On Fri, 20 Jan 2017, Robbert Eggermont wrote:
> Dear all,
> I'm running CentOS 7.3 with SSSD. I'm using sssd-ad to talk to an AD backend. Group names in the AD contain capitals.
> When sssd-ad is working normally, group names returned are all lowercase. However, when the AD backend goes offline, group names returned from the SSSD cache contain capitals.
> The change in case breaks stuff (sshd's AllowGroups, for one).
> Has anybody else seen this behavior? Is there a way to make the group names uniform, whether they come from sssd-ad or the cache?
case_sensitive = Preserving
This way you get capitalisation on what's reported when it's connected and not AFAIK.
jh
Hi John,
Thanks for pointing me to case_sensitive, that indeed is the cause: the default for "case_sensitive" is "True", but for the AD provider "True" is invalid(??), so it defaults to "False"(???)!
Good news is that with both "case_sensitive = False" and "case_sensitive = Preserving" the results from AD and cache are identical (lowercase and case-preserving, respectively).
Since this (opposite defaults) is broken by design, I hope the AD provider will be fixed so it follows the general default.
Thanks,
Robbert
On 20-01-17 10:58, John Hodrien wrote:
> On Fri, 20 Jan 2017, Robbert Eggermont wrote:
>> When sssd-ad is working normally, group names returned are all lowercase. However, when the AD backend goes offline, group names returned from the SSSD cache contain capitals.
> case_sensitive = Preserving
> This way you get capitalisation on what's reported when it's connected and not
On 01/20/2017 04:13 AM, Robbert Eggermont wrote:
> Since this (opposite defaults) is broken by design, I hope the AD provider will be fixed so it follows the general default.
I find filing bug reports generally more effective than hoping, and submitting patches more effective still.
On 20-01-17 16:35, Gordon Messmer wrote:
> I find filing bug reports generally more effective than hoping, and submitting patches more effective still.
I did already file a bug report. Since this involves a change in definition I'll wait for input before starting on a patch. ;-)
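
An added example, not part of the thread and not SSSD project code: a small Python check that reads an sssd.conf and an sshd_config and reports the condition discussed above, where `case_sensitive` is left implicit on an AD domain and `AllowGroups` lists a group name with capitals. The domain name, group names and finding codes are constructed; the defaults applied are the ones reported in the thread.

```python
import configparser

# Constructed sample inputs (not taken from the thread).
SSSD_CONF = """
[sssd]
domains = example.test

[domain/example.test]
id_provider = ad
"""
SSHD_CONFIG = """
PermitRootLogin no
AllowGroups Linux-Admins wheel
"""

def effective_case_mode(sssd_conf, domain):
    """Return (mode, explicit) for the domain's case_sensitive option."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf)
    sec = cp["domain/" + domain]
    if "case_sensitive" in sec:
        return sec["case_sensitive"].strip().lower(), True
    # Defaults as reported in the thread: True in general, False for AD.
    is_ad = sec.get("id_provider", "").strip().lower() == "ad"
    return ("false" if is_ad else "true"), False

def allow_groups(sshd_config):
    """Collect every AllowGroups entry (the keyword is case-insensitive)."""
    groups = []
    for line in sshd_config.splitlines():
        parts = line.split()
        if parts and parts[0].lower() == "allowgroups":
            groups.extend(parts[1:])
    return groups

def audit(sssd_conf, domain, sshd_config):
    """Return (code, detail) findings for case mismatches sshd would hit."""
    mode, explicit = effective_case_mode(sssd_conf, domain)
    findings = []
    if not explicit:
        findings.append(("implicit-case_sensitive", domain))
    if mode == "false":
        # With False the thread reports lowercase names, so an entry
        # written with capitals does not match them.
        findings += [("uppercase-allowgroup", g)
                     for g in allow_groups(sshd_config) if g != g.lower()]
    return findings

if __name__ == "__main__":
    for code, detail in audit(SSSD_CONF, "example.test", SSHD_CONFIG):
        print(code, detail)
```

With `case_sensitive = Preserving` set, the check reports nothing, but the `AllowGroups` entries then have to use the same capitalisation as the AD group names, which this script cannot verify offline.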