On Wed, 12 Jun 2019, Dmitry Perets via FreeIPA-users wrote: Can you share what queries correspond to these requests in dirsrv access log?
Yes, mystery continues...
WORKING:
[12/Jun/2019:12:31:25.546759725 +0200] conn=18810 op=2 SRCH base="cn=staged users,cn=accounts,cn=provisioning,dc=poc,dc=dcn,dc=telekom,dc=de" scope=1 filter="(objectClass=posixaccount)" attrs="telephoneNumber sshpubkeyfp ipaSshPubKey uid krbCanonicalName title loginShell uidNumber gidNumber sn homeDirectory mail krbPrincipalName givenName nsAccountLock"
[12/Jun/2019:12:31:25.547320288 +0200] conn=18810 op=2 RESULT err=0 tag=101 nentries=1 etime=0.0000670253
NOT WORKING:
[12/Jun/2019:12:40:34.215947855 +0200] conn=112355 op=2 SRCH base="cn=staged users,cn=accounts,cn=provisioning,dc=ims,dc=dcn,dc=telekom,dc=de" scope=1 filter="(objectClass=posixaccount)" attrs="telephoneNumber sshpubkeyfp ipaSshPubKey uid krbCanonicalName title loginShell uidNumber gidNumber sn homeDirectory mail krbPrincipalName givenName nsAccountLock"
[12/Jun/2019:12:40:34.217107077 +0200] conn=112355 op=2 RESULT err=0 tag=101 nentries=0 etime=0.0001317861
So: (1) In both cases, the filters are wrong (2) In one of the cases, it nevertheless works....
Btw on the WORKING server this manual query does NOT return results, as expected:
ldapsearch -x -D "uid=admin,cn=users,cn=accounts,dc=poc,dc=dcn,dc=telekom,dc=de" -W -b "cn=staged users,cn=accounts,cn=provisioning,dc=poc,dc=dcn,dc=telekom,dc=de" "(objectClass=posixaccount)"
So I have really no idea why the ipa stageuser-find succeeds, despite the wrong filter =(
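
An added example, not part of the original message: a Python script that pairs each SRCH line in a dirsrv access log with its RESULT line by conn and op, so the same scope and filter can be compared across search bases. The sample input is the log lines quoted above with the attrs list shortened; the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Sample input: the log lines quoted above, attrs list shortened for width.
SAMPLE_LOG = '''
[12/Jun/2019:12:31:25.546759725 +0200] conn=18810 op=2 SRCH base="cn=staged users,cn=accounts,cn=provisioning,dc=poc,dc=dcn,dc=telekom,dc=de" scope=1 filter="(objectClass=posixaccount)" attrs="uid nsAccountLock"
[12/Jun/2019:12:31:25.547320288 +0200] conn=18810 op=2 RESULT err=0 tag=101 nentries=1 etime=0.0000670253
[12/Jun/2019:12:40:34.215947855 +0200] conn=112355 op=2 SRCH base="cn=staged users,cn=accounts,cn=provisioning,dc=ims,dc=dcn,dc=telekom,dc=de" scope=1 filter="(objectClass=posixaccount)" attrs="uid nsAccountLock"
[12/Jun/2019:12:40:34.217107077 +0200] conn=112355 op=2 RESULT err=0 tag=101 nentries=0 etime=0.0001317861
'''

HEAD = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) '
                  r'(?P<kind>SRCH|RESULT) (?P<rest>.*)$')
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fields(rest):
    """Turn 'key="quoted value" key2=bare' into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(rest)}

def correlate(log_text):
    """Pair each SRCH with the RESULT that has the same conn and op.
    conn numbers are per server, so feed one server's log at a time
    (the sample mixes two servers only because the conn values differ)."""
    pending, done = {}, []
    for line in log_text.splitlines():
        m = HEAD.match(line.strip())
        if not m:
            continue  # blank line or an operation type not handled here
        key = (m['conn'], m['op'])
        fields = parse_fields(m['rest'])
        if m['kind'] == 'SRCH':
            pending[key] = {'time': m['ts'], 'conn': int(m['conn']),
                            'base': fields.get('base'), 'scope': fields.get('scope'),
                            'filter': fields.get('filter')}
        elif key in pending:  # RESULT that belongs to a search seen earlier
            rec = pending.pop(key)
            rec.update(err=int(fields['err']), nentries=int(fields['nentries']))
            done.append(rec)
    return done

def compare_by_filter(searches):
    """Group by (scope, filter) and map each search base to its nentries."""
    groups = defaultdict(dict)
    for s in searches:
        groups[(s['scope'], s['filter'])][s['base']] = s['nentries']
    return dict(groups)

if __name__ == '__main__':
    for (scope, flt), bases in compare_by_filter(correlate(SAMPLE_LOG)).items():
        print(f'scope={scope} filter={flt}')
        for base, n in bases.items():
            print(f'  nentries={n}  base={base}')
```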