On Wed, 12 Jun 2019, Dmitry Perets via FreeIPA-users wrote:
Can you share what queries correspond to these requests in dirsrv access log?
Yes, mystery continues...
WORKING:
[12/Jun/2019:12:31:25.546759725 +0200] conn=18810 op=2 SRCH base="cn=staged users,cn=accounts,cn=provisioning,dc=poc,dc=dcn,dc=telekom,dc=de" scope=1 filter="(objectClass=posixaccount)" attrs="telephoneNumber sshpubkeyfp ipaSshPubKey uid krbCanonicalName title loginShell uidNumber gidNumber sn homeDirectory mail krbPrincipalName givenName nsAccountLock"
[12/Jun/2019:12:31:25.547320288 +0200] conn=18810 op=2 RESULT err=0 tag=101 nentries=1 etime=0.0000670253
NOT WORKING:
[12/Jun/2019:12:40:34.215947855 +0200] conn=112355 op=2 SRCH base="cn=staged users,cn=accounts,cn=provisioning,dc=ims,dc=dcn,dc=telekom,dc=de" scope=1 filter="(objectClass=posixaccount)" attrs="telephoneNumber sshpubkeyfp ipaSshPubKey uid krbCanonicalName title loginShell uidNumber gidNumber sn homeDirectory mail krbPrincipalName givenName nsAccountLock"
[12/Jun/2019:12:40:34.217107077 +0200] conn=112355 op=2 RESULT err=0 tag=101 nentries=0 etime=0.0001317861
So:
(1) In both cases, the filters are wrong
(2) In one of the cases, it nevertheless works....
Btw on the WORKING server this manual query does NOT return results, as expected:
ldapsearch -x -D "uid=admin,cn=users,cn=accounts,dc=poc,dc=dcn,dc=telekom,dc=de" -W -b "cn=staged users,cn=accounts,cn=provisioning,dc=poc,dc=dcn,dc=telekom,dc=de" "(objectClass=posixaccount)"
So I have really no idea why the ipa stageuser-find succeeds, despite the wrong filter =(
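
An added example, not part of the original message: a Python sketch that pairs SRCH and RESULT lines from a dirsrv access log by conn/op and lists the fields that differ between the two searches quoted above. The function names are hypothetical, the sample lines are the ones from the message with the attrs list shortened, and the field regex assumes no escaped quotes inside values.

```python
import re

# Access-log lines from the message above, unwrapped; attrs list shortened.
SAMPLE_LOG = """\
[12/Jun/2019:12:31:25.546759725 +0200] conn=18810 op=2 SRCH base="cn=staged users,cn=accounts,cn=provisioning,dc=poc,dc=dcn,dc=telekom,dc=de" scope=1 filter="(objectClass=posixaccount)" attrs="uid nsAccountLock"
[12/Jun/2019:12:31:25.547320288 +0200] conn=18810 op=2 RESULT err=0 tag=101 nentries=1 etime=0.0000670253
[12/Jun/2019:12:40:34.215947855 +0200] conn=112355 op=2 SRCH base="cn=staged users,cn=accounts,cn=provisioning,dc=ims,dc=dcn,dc=telekom,dc=de" scope=1 filter="(objectClass=posixaccount)" attrs="uid nsAccountLock"
[12/Jun/2019:12:40:34.217107077 +0200] conn=112355 op=2 RESULT err=0 tag=101 nentries=0 etime=0.0001317861
"""

LINE_RE = re.compile(r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) '
                     r'(?P<kind>SRCH|RESULT) (?P<rest>.*)$')
# key=value or key="quoted value"; assumes no escaped quotes inside values.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_fields(rest):
    """Turn 'base="..." scope=1 ...' into a dict, stripping the quotes."""
    return {k: (q if v.startswith('"') else v) for k, v, q in KV_RE.findall(rest)}


def pair_searches(log_text):
    """Join each SRCH line with the RESULT line sharing its conn/op pair."""
    pending, done = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key = (m['conn'], m['op'])
        fields = parse_fields(m['rest'])
        if m['kind'] == 'SRCH':
            pending[key] = fields
        elif key in pending:  # RESULT that closes a search we have seen
            search = pending.pop(key)
            search.update(err=int(fields['err']), nentries=int(fields['nentries']))
            done.append(search)
    return done


def diff_searches(a, b):
    """Return {field: (a_value, b_value)} for fields that are not equal."""
    keys = sorted(set(a) | set(b))
    return {k: (a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)}


if __name__ == "__main__":
    working, failing = pair_searches(SAMPLE_LOG)
    for field, (w, f) in diff_searches(working, failing).items():
        print(f"{field}:\n  working: {w}\n  failing: {f}")
```

On the two quoted searches this reports only `base` and `nentries` as different; scope, filter and attrs are the same on both servers.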