Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-1781: Are Centrify DirectControl login names case sensitive?

Auditing and Monitoring Service ,   Authentication Service ,   Mac & PC Management Service ,  

12 April,16 at 11:07 AM

Applies to:

 

All versions of Centrify DirectControl on all platforms

 

Question:

 

Since the  UNIX operating system is case sensitve, thus logging in with the user account "rIcHaRd" is not the same as the account "richard".  On HPUX servers, users are permitted to log into HPUX servers reguardless of the case of the letters in the accounts name.

e.g. Richard == rIcHaRd == RICHARd == rICHARd 

Why is this the case?

 

Answer:

 

Centrify DirectControl supports a number of different login names, and they are processed in the following priority:

       1. Unix login (zone) name
       2. Active Directory sAMAccountName
       3. Active Directory userPrincipalName
       4. Active Directory displayName
       5. Active Directory CN (common name)

Unix names are case-sensitive, but Active Directory (ldap in general) values are not.  In this specific case, we strongly suspect that "rIJw" also matches one of the Active Directory name values listed above, hence while the match against the Unix name did indeed fail, it successfully matched against your samAccountName, and then discovered that the "rIJw" AD user is also a Unix user called "rijw".

As a quick test, you could change your Unix login name in the zone from "rijw" to "richard".   You would then find that attempting to login as the user "RICHARD" would fail as you expected.

Note numbers 4 and 5 can be disabled in the centrifydc.conf file setting the following properties to false:

    adclient.user.lookup.display: false
    adclient.user.lookup.cn: false

We recommend that new customers set these values to false to improve peformance.

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-5180: Does PowerShell module support with DirectControl in classic zones? articleKB-3925: How to add Centrify parameter to a group policy article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part III