On Wed, 12 Jun 2019, Dmitry Perets via FreeIPA-users wrote:
If 'ipa stageuser-find' doesn't find it, you can enable server-side debugging and retry, then you should see debug output in error_log.
Create /etc/ipa/server.conf
[global]
debug = True
and restart httpd, then retry.
Weirdly enough:
[Wed Jun 12 11:03:38.648863 2019] [:error] [pid 17432] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Wed Jun 12 11:03:38.648999 2019] [:error] [pid 17432] ipa: DEBUG: WSGI jsonserver.__call__:
[Wed Jun 12 11:03:38.649064 2019] [:error] [pid 17432] ipa: DEBUG: KerberosWSGIExecutioner.__call__:
[Wed Jun 12 11:03:38.668898 2019] [:error] [pid 17432] ipa: DEBUG: Created connection context.ldap2_140302443346704
[Wed Jun 12 11:03:38.669013 2019] [:error] [pid 17432] ipa: DEBUG: WSGI WSGIExecutioner.__call__:
[Wed Jun 12 11:03:38.676281 2019] [:error] [pid 17432] ipa: DEBUG: raw: stageuser_find(None, version=u'2.230')
[Wed Jun 12 11:03:38.676646 2019] [:error] [pid 17432] ipa: DEBUG: stageuser_find(None, all=False, raw=False, version=u'2.230', no_members=True, pkey_only=False)
[Wed Jun 12 11:03:38.679558 2019] [:error] [pid 17432] ipa: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-IMS-DCN-TELEKOM-DE.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f9ab4b82ea8>
[Wed Jun 12 11:03:39.016496 2019] [:error] [pid 17432] ipa: DEBUG: stageuser_find: pre_callback new filter=(objectclass=\70\6f\73\69\78\61\63\63\6f\75\6e\74)
[Wed Jun 12 11:03:39.019307 2019] [:error] [pid 17432] ipa: INFO: [jsonserver_kerb] admin@IMS.DCN.TELEKOM.DE: stageuser_find/1(None, version=u'2.230'): SUCCESS
[Wed Jun 12 11:03:39.020103 2019] [:error] [pid 17432] ipa: DEBUG: Destroyed connection context.ldap2_140302443346704
Somehow the filter is not replaced...??? still (objectclass=posixaccount):
[Wed Jun 12 11:03:39.016496 2019] [:error] [pid 17432] ipa: DEBUG: stageuser_find: pre_callback new filter=(objectclass=\70\6f\73\69\78\61\63\63\6f\75\6e\74)
The print above shows binary values. Maybe that's the problem -- it is not matching unicode and non-unicode and thus failing?
Can you try the following on IPA master itself:
# kinit admin
Password for admin@EXAMPLE.COM:
# ipa -e in_server=True -e debug=True console
[... some debug output ...]
ipa: DEBUG: Created connection context.ldap2_139989835691680
ipa: DEBUG: raw: console(None, version='2.233')
ipa: DEBUG: console(None, version='2.233')
(Custom IPA interactive Python console)
api: IPA API object
pp: pretty printer
api.Command.stageuser_find()
ipa: DEBUG: raw: stageuser_find(None, version='2.233')
ipa: DEBUG: stageuser_find(None, all=False, raw=False, version='2.233', no_members=True, pkey_only=False)
ipa: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f51ec6db7b8>
ipa: DEBUG: stageuser_find: pre_callback new filter=(|(objectclass=posixaccount)(objectclass=inetOrgPerson))
{'result': [{'mail': ['foobar1@example.com'], 'sn': ['bar'], 'uidnumber': ['-1'], 'loginshell': ['/bin/sh'], 'nsaccountlock': True, 'krbcanonicalname': [ipapython.kerberos.Principal('foobar1@EXAMPLE.COM')], 'givenname': ['ff'], 'uid': ['foobar1'], 'krbprincipalname': [ipapython.kerberos.Principal('foobar1@EXAMPLE.COM')], 'homedirectory': ['/home/foobar1'], 'gidnumber': ['-1'], 'dn': ipapython.dn.DN('uid=foobar1,cn=staged users,cn=accounts,cn=provisioning,dc=example,dc=com')}, {'mail': ['tuser@example.com'], 'sn': ['user'], 'uidnumber': ['-1'], 'loginshell': ['/bin/sh'], 'nsaccountlock': True, 'krbcanonicalname': [ipapython.kerberos.Principal('tuser@EXAMPLE.COM')], 'givenname': ['tim'], 'uid': ['tuser'], 'krbprincipalname': [ipapython.kerberos.Principal('tuser@EXAMPLE.COM')], 'homedirectory': ['/home/tuser'], 'gidnumber': ['-1'], 'dn': ipapython.dn.DN('uid=tuser,cn=staged users,cn=accounts,cn=provisioning,dc=example,dc=com')}], 'count': 2, 'truncated': False, 'messages': [{'type': 'warning', 'name': 'VersionMissing', 'message': "API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.233", 'code': 13001, 'data': {'server_version': '2.233'}}], 'summary': '2 users matched'}
Basically, I'm looking at seeing if Python interactive console will show you the same garbage in the filter text or not. If yes, then it looks like there is a bit of uncleaned unicode/str code checks in 4.6.
In the code it looks pretty much hardcoded, so how is it possible that it doesn't work...?
Btw part of which package is that particular code? I have ipa-server 4.6.4 everywhere (RHEL distribution), but maybe some other package is wrong..?
It is part of python-ipaserver (or python{2,3}-ipaserver).
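
Added example, not part of the original thread and not FreeIPA code: the filter in the httpd error_log uses RFC 4515 `\XX` hex escapes, so this sketch decodes them and lists the objectclass values, letting the two "pre_callback new filter" lines from the thread be compared directly. The function names are made up for this illustration; the two sample lines are the filter lines quoted above with the timestamp prefix trimmed.

```python
import re

# RFC 4515: a backslash followed by two hex digits stands for one byte.
_ESCAPE = re.compile(rb"\\([0-9a-fA-F]{2})")
# The debug line format seen in the thread.
_FILTER_LINE = re.compile(r"pre_callback new filter=(\(.*\))\s*$")


def unescape_ldap_filter(text):
    """Decode \\XX escapes for reading only.

    The result is not safe to send back to a server: an escaped
    parenthesis or asterisk would become filter syntax again.
    """
    raw = _ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]),
                      text.encode("utf-8"))
    return raw.decode("utf-8", errors="replace")


def object_classes(decoded_filter):
    """Return the lower-cased objectclass values named in a filter."""
    found = re.findall(r"\(objectclass=([^()]*)\)", decoded_filter, re.I)
    return [value.lower() for value in found]


def filters_from_log(lines):
    """Return (raw, decoded, objectclasses) for each filter debug line."""
    results = []
    for line in lines:
        match = _FILTER_LINE.search(line)
        if match:
            decoded = unescape_ldap_filter(match.group(1))
            results.append((match.group(1), decoded, object_classes(decoded)))
    return results


# Filter lines from the thread, timestamp/pid prefix trimmed.
SAMPLE_LOG = [
    r"ipa: DEBUG: stageuser_find: pre_callback new filter="
    r"(objectclass=\70\6f\73\69\78\61\63\63\6f\75\6e\74)",
    "ipa: DEBUG: stageuser_find: pre_callback new filter="
    "(|(objectclass=posixaccount)(objectclass=inetOrgPerson))",
]

if __name__ == "__main__":
    for raw, decoded, classes in filters_from_log(SAMPLE_LOG):
        print(decoded, classes)
```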