12 April,16 at 11:07 AM
Applies to:
All versions of Centrify DirectControl on all platforms
Question:
Since the UNIX operating system is case-sensitive, logging in with the user account "rIcHaRd" is not the same as logging in with the account "richard". On HPUX servers, users are permitted to log in regardless of the case of the letters in the account's name.
e.g. Richard == rIcHaRd == RICHARd == rICHARd
Why is this the case?
Answer:
Centrify DirectControl supports a number of different login names, and they are processed in the following priority:
1. Unix login (zone) name
2. Active Directory sAMAccountName
3. Active Directory userPrincipalName
4. Active Directory displayName
5. Active Directory CN (common name)
Unix names are case-sensitive, but Active Directory (and LDAP in general) values are not. In this specific case, we strongly suspect that "rIJw" also matches one of the Active Directory name values listed above. The match against the Unix name did indeed fail, but the name then matched successfully against your sAMAccountName, and the lookup discovered that the "rIJw" AD user is also a Unix user called "rijw".
As a quick test, you could change your Unix login name in the zone from "rijw" to "richard". You would then find that attempting to log in as the user "RICHARD" would fail as you expected.
Note that numbers 4 and 5 can be disabled in the centrifydc.conf file by setting the following properties to false:
adclient.user.lookup.display: false
adclient.user.lookup.cn: false
We recommend that new customers set these values to false to improve performance.
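The lookup order above can be modelled in a few lines to show why a mixed-case name still resolves and what the two properties change. This is an added illustration, not Centrify's code; the User class, the sample account values, and the assumption that a lookup is enabled unless its property is set to false are all constructed for the example.

```python
# Simplified model of the lookup order described in this article.
# Added illustration only; this is not Centrify's code.
from dataclasses import dataclass

@dataclass
class User:
    unix_name: str         # zone login name, compared case-sensitively
    sam_account_name: str  # the AD attributes compare case-insensitively
    upn: str
    display_name: str
    cn: str

def parse_conf(text):
    """Parse 'key: value' lines in the style shown in the article."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        # Assumption: '#' starts a comment line.
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            conf[key.strip()] = value.strip().lower()
    return conf

def resolve(login, users, conf):
    """Return (user, matched_attribute), or (None, None) if nothing matches."""
    def on(key):  # assumption: a lookup is enabled unless set to false
        return conf.get(key, "true") != "false"
    def ci(attr):  # case-insensitive comparison against one AD attribute
        return lambda u: getattr(u, attr).lower() == login.lower()
    steps = [("unix name", lambda u: u.unix_name == login),
             ("sAMAccountName", ci("sam_account_name")),
             ("userPrincipalName", ci("upn"))]
    if on("adclient.user.lookup.display"):
        steps.append(("displayName", ci("display_name")))
    if on("adclient.user.lookup.cn"):
        steps.append(("CN", ci("cn")))
    for label, match in steps:  # priority order: first matching step wins
        for user in users:
            if match(user):
                return user, label
    return None, None

# Constructed sample data (not from a real directory).
USERS = [User("rijw", "rijw", "rijw@example.com", "Richard Example", "Richard Example")]
HARDENED = parse_conf("adclient.user.lookup.display: false\nadclient.user.lookup.cn: false\n")

if __name__ == "__main__":
    for name in ("rijw", "rIJw", "richard example"):
        print(name, "->", resolve(name, USERS, {})[1],
              "| with both properties false:", resolve(name, USERS, HARDENED)[1])
```

In this model, "rIJw" falls through the Unix-name step and matches on sAMAccountName, while the display-name string stops resolving to an account once both properties are false.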