It's possible that whatever is causing this is in the nss module since it appears that the lowercase address is found where mixed case is not. Previous comment pertained to domain logs. Just browsed the nss log. Still stymied...
Ignore the comment about the query missing. I started fresh and see the same query where the only difference is the case...however, where the mixed case fails, the lowercase continues. Even at debug level 10 I'm not seeing anything obvious as to why it moves on for the lowercase example. Up to that point the logs are essentially identical.
I've done a bit more digging and sssd handles the request differently when it's mixed case versus all lowercase...when it's mixed case, I see this search string in the logs
(Mon Nov 13 22:50:11:092700 2017) [sssd[be[exnet]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(krbPrincipalName=User1@example.com)(mail=User1@my.domain.com)(krbPrincipalName=User1\\@example.com@MY.DOMAIN.COM))(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][ou=users,ou=production,ou=Customers,dc=my,dc=domain,dc=com].
but when it's all lowercase it seems to go down a completely different path, as I never see that sdap_get_generic_ext_step for it...
Why would changing the login case cause this behavior?
Note: auth_provider, id_provider, and access_provider are all set to ldap. Not sure why krbPrincipalName is even showing in the ldap search...however, if I remove the krb properties from sssd.conf, then email doesn't work at all. This used to work. The only thing that has changed that I am aware of is the version of SSSD on the system.
We've recently noticed that users logging in using emails are having issues when they use camel case but it works fine when all lower case. We haven't changed the configs so
case_sensitive = preserving
has not changed. Could the behavior have changed with a recent update? We are running version 1.15.2 (sssd-1.15.2-50.el7_4.6.x86_64). This did not use to be the behavior. Is there some other config that we now need to enable to allow the previous behavior?