Identity Management administration framework API contains two checks to verify that a request on its API can be passed further:
1. A check to see if the client API version is not higher than the server API version. If it is, the request is rejected.
2. A check to see if the client API request does not use an attribute or a parameter unknown to the server. If it does, the request is rejected.
However, the Identity Management server performs the checks in an incorrect order: first, the attribute and parameter check is done and after that, the API version check is done. As a consequence, when a new client (for example, Red Hat Enterprise Linux 6.5) runs the ipa administration tool against a server with an earlier operating system (for example, Red Hat Enterprise Linux 6.4), the command returns a confusing error message; for example, instead of stating API compatibility, ipa outputs the following message:
$ ipa user-show admin
ipa: ERROR: Unknown option: no_members