I've done a bit more digging and sssd handles the request differently when it's mixed case versus all lowercase...when it's mixed case, I see this search string in the logs

(Mon Nov 13 22:50:11:092700 2017) [sssd[be[exnet]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(krbPrincipalName=User1@example.com)(mail=User1@my.domain.com)(krbPrincipalName=User1\\@example.com@MY.DOMAIN.COM))(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][ou=users,ou=production,ou=Customers,dc=my,dc=domain,dc=com].

but when it's all lowcase it seems to go down a completely different path as I never see that sdap_get_generic_ext_step​ for it...

Why would changing the login case cause this behavior?

Note: auth_provider, id_provider, and access_provider are all set to ldap.  Not sure why krbPrincipalName is even showing in the ldap search...however, if I remove the krb properties from sssd.conf, then email doesn't work at all.  This used to work.  The only thing that has changed that I am aware of is the version of SSSD on the system.


From: Galen Johnson
Sent: Friday, November 10, 2017 9:53 AM
To: End-user discussions about the System Security Services Daemon
Subject: case sensitive email


We've recently noticed that users logging in using emails are having issues when they use camel case but it works fine when all lower case.  We haven't changed the configs so

case_sensitive = preserving​

has not changed.  Could the behavior have changed with a recent update.  We are running version 1.15.2 (sssd-1.15.2-50.el7_4.6.x86_64​).  This did not used to be the behavior.  Is there some other config that we now need to enable to allow the previous behavior?