On Wed, 12 Jun 2019, Dmitry Perets via FreeIPA-users wrote:
Hi,
I observe a weird problem, trying to figure out how it could happen...
On one of my IPA installations, IPA doesn't recognize stage users UNLESS they include objectClass posixaccount. For example, the output below shows a staged user that I've manually added with "ldapmodify", but as you can see, it is not found with "ipa stageuser-find":
$ ldapsearch -Y GSSAPI uid=atest
SASL/GSSAPI authentication started
SASL username: admin@IMS.DCN.EXAMPLE.DE
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=ims,dc=dcn,dc=example,dc=de> (default) with scope subtree
# filter: uid=atest
# requesting: ALL
#

# atest, staged users, accounts, provisioning, ims.dcn.example.de
dn: uid=atest,cn=staged users,cn=accounts,cn=provisioning,dc=ims,dc=dcn,dc=example,dc=de
objectClass: top
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: person
uid: atest
sn: atest
givenName: atest
cn: atest

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
$ ipa stageuser-find
WARNING: yacc table file version is out of date
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------
This user will be recognized, if I add the following attributes:
objectClass: posixaccount
uidNumber: -1
gidNumber: -1
homeDirectory: /home/atest
But this is not supposed to be so... and in fact, on another IPA installation (totally separate) I don't see this constraint. The same LDIF (just different base DN) gets properly recognized as staged user! I was comparing the entire cn=config and the IPA server configuration section, but I cannot find what setting can possibly affect this...
Yes, this should not happen. 'ipa stageuser-find' actually replaces the search filter that the baseuser object uses, '(objectclass=posixaccount)', with the following one:
(|(objectclass=posixaccount)(objectclass=inetOrgPerson))
https://pagure.io/freeipa/blob/ipa-4-6/f/ipaserver/plugins/stageuser.py#_447
If 'ipa stageuser-find' doesn't find it, you can enable server-side debugging and retry, then you should see debug output in error_log.
Create /etc/ipa/server.conf
[global]
debug = True
and restart httpd, then retry.
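To make the filter difference concrete, here is an added example (not code from FreeIPA or from either poster): a small LDAP filter evaluator run over two constructed entries modelled on the LDIF in the thread, one without and one with the posixaccount attributes. The entry names and the evaluator are assumptions for illustration; the two filter strings are the ones quoted in the reply. It shows that the posted entry matches the stageuser filter but not the baseuser filter, which is exactly the symptom a server still searching with '(objectclass=posixaccount)' would produce.

```python
# Constructed entries modelled on the thread's LDIF (attribute -> list of values).
STAGED_WITHOUT_POSIX = {
    "objectClass": ["top", "inetorgperson", "organizationalPerson", "person"],
    "uid": ["atest"], "sn": ["atest"], "givenName": ["atest"], "cn": ["atest"],
}
# The same entry after the attributes the poster had to add by hand.
STAGED_WITH_POSIX = {
    **STAGED_WITHOUT_POSIX,
    "objectClass": STAGED_WITHOUT_POSIX["objectClass"] + ["posixaccount"],
    "uidNumber": ["-1"], "gidNumber": ["-1"], "homeDirectory": ["/home/atest"],
}

# Filters quoted in the reply: the baseuser one and the stageuser override.
BASEUSER_FILTER = "(objectclass=posixaccount)"
STAGEUSER_FILTER = "(|(objectclass=posixaccount)(objectclass=inetOrgPerson))"


def _parse(s, i):
    """Parse one parenthesised RFC 4515 filter at s[i]; return (node, next_index).
    Supports &, |, !, presence (attr=*) and equality; enough for the thread."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1          # skip closing ')'
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        return ("!", [node]), i + 1
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr, value), j + 1


def _eval(entry, node):
    if node[0] == "&":
        return all(_eval(entry, k) for k in node[1])
    if node[0] == "|":
        return any(_eval(entry, k) for k in node[1])
    if node[0] == "!":
        return not _eval(entry, node[1][0])
    _, attr, value = node
    # Attribute names are case-insensitive; objectClass values match case-insensitively
    # too (simplification: this treats every equality match that way).
    vals = [v for a, vs in entry.items() if a.lower() == attr.lower() for v in vs]
    return bool(vals) if value == "*" else any(v.lower() == value.lower() for v in vals)


def matches(entry, filt):
    """True if the entry satisfies the LDAP search filter string."""
    node, end = _parse(filt, 0)
    if end != len(filt):
        raise ValueError("trailing characters in filter")
    return _eval(entry, node)
```

Running matches(STAGED_WITHOUT_POSIX, BASEUSER_FILTER) returns False while matches(STAGED_WITHOUT_POSIX, STAGEUSER_FILTER) returns True, so the entry is only invisible to a search still using the baseuser filter.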