Hi,
I observe a weird problem, trying to figure out how it could happen...
On one of my IPA installations, IPA doesn't recognize stage users UNLESS they include objectClass posixaccount. For example, the output below shows a staged user that I've manually added with "ldapmodify", but as you can see, it is not found with "ipa stageuser-find":
```
$ ldapsearch -Y GSSAPI uid=atest
SASL/GSSAPI authentication started
SASL username: admin@IMS.DCN.EXAMPLE.DE
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=ims,dc=dcn,dc=example,dc=de> (default) with scope subtree
# filter: uid=atest
# requesting: ALL
#

# atest, staged users, accounts, provisioning, ims.dcn.example.de
dn: uid=atest,cn=staged users,cn=accounts,cn=provisioning,dc=ims,dc=dcn,dc=ex
 ample,dc=de
objectClass: top
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: person
uid: atest
sn: atest
givenName: atest
cn: atest

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
```

```
$ ipa stageuser-find
WARNING: yacc table file version is out of date
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------
```
This user will be recognized if I add the following attributes:

```
objectClass: posixaccount
uidNumber: -1
gidNumber: -1
homeDirectory: /home/atest
```
But this is not supposed to be so... and in fact, on another IPA installation (totally separate) I don't see this constraint. The same LDIF (just a different base DN) gets properly recognized as a staged user! I was comparing the entire cn=config and the IPA server configuration section, but I cannot find what setting could possibly affect this...
Can you help with an idea please?