If 'ipa stageuser-find' doesn't find it, you can enable server-side debugging and retry; then you should see debug output in error_log.
Create /etc/ipa/server.conf
[global]
debug = True
and restart httpd, then retry.
Weirdly enough:
[Wed Jun 12 11:03:38.648863 2019] [:error] [pid 17432] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Wed Jun 12 11:03:38.648999 2019] [:error] [pid 17432] ipa: DEBUG: WSGI jsonserver.__call__:
[Wed Jun 12 11:03:38.649064 2019] [:error] [pid 17432] ipa: DEBUG: KerberosWSGIExecutioner.__call__:
[Wed Jun 12 11:03:38.668898 2019] [:error] [pid 17432] ipa: DEBUG: Created connection context.ldap2_140302443346704
[Wed Jun 12 11:03:38.669013 2019] [:error] [pid 17432] ipa: DEBUG: WSGI WSGIExecutioner.__call__:
[Wed Jun 12 11:03:38.676281 2019] [:error] [pid 17432] ipa: DEBUG: raw: stageuser_find(None, version=u'2.230')
[Wed Jun 12 11:03:38.676646 2019] [:error] [pid 17432] ipa: DEBUG: stageuser_find(None, all=False, raw=False, version=u'2.230', no_members=True, pkey_only=False)
[Wed Jun 12 11:03:38.679558 2019] [:error] [pid 17432] ipa: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-IMS-DCN-TELEKOM-DE.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f9ab4b82ea8>
[Wed Jun 12 11:03:39.016496 2019] [:error] [pid 17432] ipa: DEBUG: stageuser_find: pre_callback new filter=(objectclass=\70\6f\73\69\78\61\63\63\6f\75\6e\74)
[Wed Jun 12 11:03:39.019307 2019] [:error] [pid 17432] ipa: INFO: [jsonserver_kerb] admin@IMS.DCN.TELEKOM.DE: stageuser_find/1(None, version=u'2.230'): SUCCESS
[Wed Jun 12 11:03:39.020103 2019] [:error] [pid 17432] ipa: DEBUG: Destroyed connection context.ldap2_140302443346704
Somehow the filter is not replaced...??? still (objectclass=posixaccount):
[Wed Jun 12 11:03:39.016496 2019] [:error] [pid 17432] ipa: DEBUG: stageuser_find: pre_callback new filter=(objectclass=\70\6f\73\69\78\61\63\63\6f\75\6e\74)
In the code it looks pretty much hardcoded, so how is that possible that it doesn't work...?
Btw part of which package is that particular code? I have ipa-server 4.6.4 everywhere (RHEL distribution), but maybe some other package is wrong..?
--- Regards, Dmitry Perets
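Added example, not part of the original message or of FreeIPA's code: the filter value in the debug output is written in the backslash-hex escape form defined by RFC 4515, so it has to be decoded before it can be compared with what the code is expected to produce. The function names below are hypothetical; the sample input is two lines taken from the log above.

```python
import re

# Sample input: two lines from the error_log excerpt in the message above.
SAMPLE_LOG = r"""[Wed Jun 12 11:03:39.016496 2019] [:error] [pid 17432] ipa: DEBUG: stageuser_find: pre_callback new filter=(objectclass=\70\6f\73\69\78\61\63\63\6f\75\6e\74)
[Wed Jun 12 11:03:39.020103 2019] [:error] [pid 17432] ipa: DEBUG: Destroyed connection context.ldap2_140302443346704"""

# "<command>: pre_callback new filter=<filter>" as it appears in the debug log.
FILTER_RE = re.compile(r"ipa: DEBUG: (\w+): pre_callback new filter=(.*)$")
# RFC 4515 escape: a backslash followed by two hex digits.
ESCAPE_RE = re.compile(r"\\([0-9a-fA-F]{2})")
# Bytes that must stay escaped so the decoded text is still the same filter.
KEEP_ESCAPED = set(b"()*\\\x00")


def decode_filter(text):
    """Turn \\XX escapes into readable characters.

    Filter metacharacters and non-printable bytes are left escaped, because
    decoding them would change how the filter parses.
    """
    def repl(match):
        byte = int(match.group(1), 16)
        if byte in KEEP_ESCAPED or not (0x20 <= byte < 0x7F):
            return match.group(0)
        return chr(byte)

    return ESCAPE_RE.sub(repl, text)


def filters_from_log(log_text):
    """Return (command, decoded_filter) for each pre_callback filter line."""
    found = []
    for line in log_text.splitlines():
        match = FILTER_RE.search(line)
        if match:
            found.append((match.group(1), decode_filter(match.group(2))))
    return found


if __name__ == "__main__":
    for command, ldap_filter in filters_from_log(SAMPLE_LOG):
        print(command, ldap_filter)
```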