On 6/13/19 6:46 PM, Dmitry Perets via FreeIPA-users wrote:
Dmitry Perets via FreeIPA-users wrote:
You might want to look for replication conflicts. Maybe one entry is hung up.
rob
Hi Rob, you mean on the WORKING IPA? Because indeed, now it looks more weird that one is WORKING rather than that the other is NOT WORKING...
I've tested on yet another one, this time running CentOS (!), also freeipa 4.6.4. And I see the same problem:
[13/Jun/2019:18:42:12.013877786 +0200] conn=189796 op=2 SRCH base="cn=staged users,cn=accounts,cn=provisioning,dc=dths37,dc=dcn,dc=telekom,dc=de" scope=1 filter="(objectClass=posixaccount)" attrs="telephoneNumber sshpubkeyfp ipaSshPubKey uid krbCanonicalName title loginShell uidNumber gidNumber sn homeDirectory mail krbPrincipalName givenName nsAccountLock"
[13/Jun/2019:18:42:12.015946649 +0200] conn=189796 op=2 RESULT err=0 tag=101 nentries=0 etime=0.0002280480
So definitely it looks like a bug with IPA 4.6.4.
Hi Dmitry, can you open a ticket for this issue? I reproduced on RHEL 7.6 and it happens because of the following code:

    container_filter = "(objectclass=posixaccount)"
    # provisioning system can create non posixaccount stage user
    # but then they have to create inetOrgPerson stage user
    stagefilter = filter.replace(container_filter,
                                 "(|%s(objectclass=inetOrgPerson))" % container_filter)
We should rather use

    container_filter = ldap.make_filter_from_attr('objectclass', 'posixaccount')

because the filter has been hexlified previously.
On Fedora the same code works because we are using python3 instead of python2. In python2 isinstance('posixaccount', bytes) evaluates to True (and the filter is hexlified) but to False in python3 (and the filter is not hexlified).
flo
And why one of my IPAs nevertheless works - don't know, but maybe we can ignore it for now...
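Added example (not part of the original thread and not FreeIPA code): a simplified Python 3 model of the failure described in the reply above, where a literal string replace misses a filter whose value was hex-escaped. The names make_filter, widen_literal and widen_built are hypothetical, the sample filters are constructed, and the bytes branch stands in for the Python 2 behaviour where 'posixaccount' is a bytes object.

```python
import binascii

WIDEN = "(|%s(objectclass=inetOrgPerson))"


def make_filter(attr, value):
    """Hypothetical stand-in for a filter builder that hex-escapes bytes values."""
    if isinstance(value, bytes):
        hexed = binascii.hexlify(value).decode("ascii")
        # RFC 4515 \XX escapes: the server decodes them, so the hexlified
        # filter matches the same entries as the plain-text one.
        value = "".join("\\" + hexed[i:i + 2] for i in range(0, len(hexed), 2))
    return "(%s=%s)" % (attr, value)


def widen_literal(search_filter):
    """Approach quoted in the thread: search for a hard-coded literal."""
    container_filter = "(objectclass=posixaccount)"
    return search_filter.replace(container_filter, WIDEN % container_filter)


def widen_built(search_filter, value):
    """Approach suggested in the thread: build the needle with the same helper."""
    container_filter = make_filter("objectclass", value)
    return search_filter.replace(container_filter, WIDEN % container_filter)


# Constructed sample filters: bytes models Python 2, str models Python 3.
PY2_STYLE = "(&%s(uid=*))" % make_filter("objectclass", b"posixaccount")
PY3_STYLE = "(&%s(uid=*))" % make_filter("objectclass", "posixaccount")


def results():
    """Return whether each combination widened the filter to inetOrgPerson."""
    return {
        "py2 filter, literal needle": "inetOrgPerson" in widen_literal(PY2_STYLE),
        "py3 filter, literal needle": "inetOrgPerson" in widen_literal(PY3_STYLE),
        "py2 filter, built needle":
            "inetOrgPerson" in widen_built(PY2_STYLE, b"posixaccount"),
    }


if __name__ == "__main__":
    print(PY2_STYLE)
    for case, widened in results().items():
        print("%-28s widened=%s" % (case, widened))
```
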