Hi,
I observe a weird problem, trying to figure out how it could happen...
On one of my IPA installations, IPA doesn't recognize stage users, UNLESS they include objectClass posixaccount.
For example, the output below shows a staged user that I've manually added with "ldapmodify", but as you can see, it is not found with "ipa stageuser-find":
```
$ ldapsearch -Y GSSAPI uid=atest
SASL/GSSAPI authentication started
SASL username: admin(a)IMS.DCN.EXAMPLE.DE
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=ims,dc=dcn,dc=example,dc=de> (default) with scope subtree
# filter: uid=atest
# requesting: ALL
#
# atest, staged users, accounts, provisioning, ims.dcn.example.de
dn: uid=atest,cn=staged users,cn=accounts,cn=provisioning,dc=ims,dc=dcn,dc=ex
ample,dc=de
objectClass: top
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: person
uid: atest
sn: atest
givenName: atest
cn: atest
# search result
search: 4
result: 0 Success
# numResponses: 2
# numEntries: 1
```
```
$ ipa stageuser-find
WARNING: yacc table file version is out of date
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------
```
This user will be recognized if I add the following attributes:
```
objectClass: posixaccount
uidNumber: -1
gidNumber: -1
homeDirectory: /home/atest
```
But this is not supposed to be so... and in fact, on another IPA installation (totally separate) I don't see this constraint. The same LDIF (just a different base DN) gets properly recognized as a staged user!
I was comparing the entire cn=config and the IPA server configuration section, but I cannot find what setting can possibly affect this...
Can you help with an idea please?