Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-1781: Are Centrify DirectControl login names case sensitive?

Centrify DirectAudit ,   Centrify DirectControl ,   Centrify Identity Service, Mac Edition ,  

12 April,16 at 11:07 AM

Applies to:

 

All versions of Centrify DirectControl on all platforms

 

Question:

 

Since the  UNIX operating system is case sensitve, thus logging in with the user account "rIcHaRd" is not the same as the account "richard".  On HPUX servers, users are permitted to log into HPUX servers reguardless of the case of the letters in the accounts name.

e.g. Richard == rIcHaRd == RICHARd == rICHARd 

Why is this the case?

 

Answer:

 

Centrify DirectControl supports a number of different login names, and they are processed in the following priority:

       1. Unix login (zone) name
       2. Active Directory sAMAccountName
       3. Active Directory userPrincipalName
       4. Active Directory displayName
       5. Active Directory CN (common name)

Unix names are case-sensitive, but Active Directory (ldap in general) values are not.  In this specific case, we strongly suspect that "rIJw" also matches one of the Active Directory name values listed above, hence while the match against the Unix name did indeed fail, it successfully matched against your samAccountName, and then discovered that the "rIJw" AD user is also a Unix user called "rijw".

As a quick test, you could change your Unix login name in the zone from "rijw" to "richard".   You would then find that attempting to login as the user "RICHARD" would fail as you expected.

Note numbers 4 and 5 can be disabled in the centrifydc.conf file setting the following properties to false:

    adclient.user.lookup.display: false
    adclient.user.lookup.cn: false

We recommend that new customers set these values to false to improve peformance.

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.