1451576 – ipa cert-request failed to generate certificate from csr

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1451576 - ipa cert-request failed to generate certificate from csr

Summary: ipa cert-request failed to generate certificate from csr

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	fbarreto
QA Contact:	ipa-qe
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1392582
TreeView+	depends on / blocked

Reported:	2017-05-17 05:42 UTC by Abhijeet Kasurde
Modified:	2023-09-14 03:57 UTC (History)
CC List:	10 users (show)
Fixed In Version:	ipa-4.5.4-8.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-04-10 16:40:25 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Fedora Pagure	freeipa issue 5919	0	None	None	None	2018-02-28 09:24:40 UTC
Red Hat Product Errata	RHBA-2018:0918	0	None	None	None	2018-04-10 16:41:35 UTC

Description Abhijeet Kasurde 2017-05-17 05:42:32 UTC

Description of problem:
ipa cert-request command fails to generate certificate using CSR generated by openssl.

[root@master1 ~]# openssl req -new -sha256 -key testuser1.key -out testuser1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:MH
Locality Name (eg, city) [Default City]:PUNE
Organization Name (eg, company) [Default Company Ltd]:RED HAT
Organizational Unit Name (eg, section) []:QE
Common Name (eg, your name or your server's hostname) []:testuser1
Email Address []:testuser1

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@master1 ~]# ipa cert-request testuser1.csr --principal=testuser1
ipa: ERROR: invalid 'csr': DN emailAddress does not match any of user's email addresses

Version-Release number of selected component (if applicable):
ipa-server-4.5.0-11.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Generate CSR using openssl command
2. Request certificate for user using ipa cert-request command

Actual results:
Error as above

Expected results:
Certificate generated by IPA for user.

Comment 3 Martin Babinsky 2017-05-19 12:49:35 UTC

Sounds like https://pagure.io/freeipa/issue/5919 for which a fix was pushed to master recently. Felipe, can you take a look on this BZ whether it has the same root cause? if yes we will backport the fix to RHEL ASAP.

Comment 4 fbarreto 2017-05-19 19:24:11 UTC

Hi Abhijeet,

I followed the steps that you provided, but I got the error [1] when running the cert-request command, am I missing something?


[1]
[root@kvm-02-guest08 1451576]# ipa cert-request testuser1.csr --principal=testuser1                      
ipa: ERROR: The principal for this request doesn't exist.

Comment 5 Fraser Tweedale 2017-05-22 03:23:48 UTC

Felipe, you have you have an IPA server with realm "TESTRELM.TEST" and
also create the user 'testuser1'.  Then it will find the principal and
you should be able to reproduce this issue.

Comment 6 fbarreto 2017-05-22 14:06:41 UTC

Fraser: thank you for helping, that is what was missing.

Martin: Yes, it's the same root cause. The PR for https://pagure.io/freeipa/issue/5919 fix this.

Comment 8 Abhijeet Kasurde 2017-06-08 09:44:40 UTC

Using this as a workaround - Let me know if it is correct 

[root@ipaserver01 ~]# cat testuser1.cnf
[ req ]
prompt = no
encrypt_key = no

distinguished_name = dn
req_extensions = exts

[ dn ]
commonName = testuser1

[ exts ]
subjectAltName=@alt_section

[alt_section]
email=testuser1
[root@ipaserver01 ~]# openssl req -new -newkey rsa:2048 -keyout testuser1.key -sha256 -nodes -out testuser1.csr -config testuser1.cnf
Generating a 2048 bit RSA private key
.....+++
.........................+++
writing new private key to 'testuser1.key'
-----
[root@ipaserver01 ~]# openssl req -text -noout -in testuser1.csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=testuser1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b5:58:e8:fd:25:cc:61:79:21:a1:a6:b7:6b:ae:
                    39:78:0d:e7:d2:d7:8b:84:a0:89:d5:4e:dd:77:e9:
                    a8:cb:d6:3e:37:db:59:2a:90:6b:94:2e:e3:78:88:
                    34:0c:32:87:f3:69:10:28:ea:6b:e5:76:38:e0:16:
                    48:d7:22:b8:80:a7:15:e9:42:ac:31:bf:2e:7d:4a:
                    eb:33:bf:de:a5:eb:f0:d1:62:8e:34:b3:10:1e:d1:
                    9d:b1:0d:0a:f5:df:d3:b5:d4:87:f6:25:8e:9d:5f:
                    80:67:7b:c7:31:3e:39:78:de:a8:34:8c:50:ab:a2:
                    86:1c:94:39:85:6b:e2:aa:19:ce:61:e5:c9:2a:17:
                    14:df:58:2b:04:7d:41:de:6b:95:25:4d:0e:a3:6c:
                    2e:cb:33:8c:56:a1:da:38:b4:09:ed:04:f8:9a:d9:
                    13:8d:b6:c7:eb:8c:f0:fd:1d:64:ae:80:7a:da:4c:
                    1d:f4:a5:82:b9:51:4a:cc:90:8d:d9:d8:79:b2:4c:
                    34:75:21:47:8c:e5:9c:5a:17:60:88:64:27:d4:da:
                    db:37:36:52:8d:61:af:0f:68:3a:69:3e:12:21:fc:
                    97:e7:a7:27:1b:53:20:a1:da:e0:56:8b:e1:1c:f9:
                    92:46:90:a6:4c:88:88:bc:be:66:a4:f9:88:96:e4:
                    60:9f
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                email:testuser1
    Signature Algorithm: sha256WithRSAEncryption
         af:e3:a2:b1:bb:6e:7c:ce:53:f1:ec:5a:66:5f:0d:fe:aa:94:
         9e:f0:4f:35:8e:1b:86:bb:f9:89:50:22:6a:9a:fc:c4:bc:3d:
         66:98:36:fb:34:b4:81:62:08:1a:2f:32:cd:6e:9b:2a:fd:ac:
         75:27:5c:40:03:67:6b:15:ce:06:ef:20:84:d1:f1:40:61:53:
         08:c6:8d:ad:fd:5a:1f:5b:9e:04:5a:46:c1:42:4b:87:e7:07:
         a1:28:07:f7:87:c0:7e:64:ab:b1:a8:c7:8b:16:be:2c:e5:48:
         0a:8d:b9:35:c1:05:0f:4b:55:83:7c:7f:7e:4c:f7:5e:46:35:
         1c:33:23:2d:61:0b:49:b0:d7:f1:ee:50:01:71:b3:32:23:fc:
         20:7b:ee:87:a0:b9:3e:2e:ab:81:02:d4:e1:f4:b4:c8:c7:81:
         a7:e8:df:2d:44:b1:b6:d5:fc:d2:aa:b1:82:10:0e:24:40:9c:
         ba:09:52:d8:7a:68:97:84:db:50:4f:87:c8:77:98:a8:68:77:
         ce:7a:68:bc:dd:34:f9:69:89:55:bb:84:cd:f4:93:45:98:f5:
         f8:4c:11:c8:71:92:16:7f:9a:89:40:6b:4a:23:fe:c0:60:eb:
         1f:31:25:73:5c:87:0d:c0:3f:3b:19:b9:fb:10:27:0b:69:66:
         d6:4b:6f:ca
[root@ipaserver01 ~]# echo Secret123 | kinit admin
Password for admin:
[root@ipaserver01 ~]# echo Password1 | ipa user-add --first testuser1 --last testuser1 testuser1 --password
----------------------
Added user "testuser1"
----------------------
  User login: testuser1
  First name: testuser1
  Last name: testuser1
  Full name: testuser1 testuser1
  Display name: testuser1 testuser1
  Initials: tt
  Home directory: /home/testuser1
  GECOS: testuser1 testuser1
  Login shell: /bin/sh
  Principal name: testuser1
  Principal alias: testuser1
  Email address: testuser1
  UID: 937000001
  GID: 937000001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
[root@ipaserver01 ~]# ipa cert-request --principal=testuser1 testuser1.csr
  Issuing CA: ipa
  Certificate: MIIEMzCCAxugAwIBAgIBCzANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTcwNjA4MDkzODMyWhcNMTkwNjA5MDkzODMyWjAsMRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMRIwEAYDVQQDDAl0ZXN0dXNlcjEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC1WOj9JcxheSGhprdrrjl4DefS14uEoInVTt136ajL1j4321kqkGuULuN4iDQMMofzaRAo6mvldjjgFkjXIriApxXpQqwxvy59Suszv96l6/DRYo40sxAe0Z2xDQr139O11If2JY6dX4Bne8cxPjl43qg0jFCrooYclDmFa+KqGc5h5ckqFxTfWCsEfUHea5UlTQ6jbC7LM4xWodo4tAntBPia2RONtsfrjPD9HWSugHraTB30pYK5UUrMkI3Z2HmyTDR1IUeM5ZxaF2CIZCfU2ts3NlKNYa8PaDppPhIh/JfnpycbUyCh2uBWi+Ec+ZJGkKZMiIi8vmak+YiW5GCfAgMBAAGjggFSMIIBTjAfBgNVHSMEGDAWgBShPgrfTF777ZnmsW0Mb+jiux7EAzA/BggrBgEFBQcBAQQzMDEwLwYIKwYBBQUHMAGGI2h0dHA6Ly9pcGEtY2EudGVzdHJlbG0udGVzdC9jYS9vY3NwMA4GA1UdDwEB/wQEAwIE8DAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIweAYDVR0fBHEwbzBtoDWgM4YxaHR0cDovL2lwYS1jYS50ZXN0cmVsbS50ZXN0L2lwYS9jcmwvTWFzdGVyQ1JMLmJpbqI0pDIwMDEOMAwGA1UECgwFaXBhY2ExHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAdBgNVHQ4EFgQUsapm5e3WZ8JUjHBs4pAZcwhGeD0wIgYDVR0RBBswGYEXdGVzdHVzZXIxQHRlc3RyZWxtLnRlc3QwDQYJKoZIhvcNAQELBQADggEBACkiPHSPPZYR8hnM/sPJpl6R2hqy0q3yLGQfcT9+T

Comment 12 Jorge Novo 2017-12-06 13:57:06 UTC

Hi,

  This is my first question, please be patience.

The workaround seems not working, My CSR says:

---------- 8< ----------- 8< -----------
Common Name: jnovo
Subject Alternative Names: jnovo
Organization: MiCasa
Organization Unit: MiCasa Infraestructuras
Locality: Madrid
State: Comunidad Autonoma de Madrid
Country: ES
Email: jnovo
---------- >8 ----------- >8 -----------



[root@freeipa ipa-server]# ipa cert-request --principal=jnovo jnovo.csr
ipa: ERROR: an internal error has occurred
[root@freeipa ipa-server]#

Comment 13 Rob Crittenden 2017-12-06 15:20:50 UTC

This may not be related to the original issue but you'd need to look in the Apache error log for more details on the failure, /var/log/httpd/error_log on the IPA master.

Comment 14 Nikhil Dehadrai 2017-12-19 11:47:32 UTC

IPA version: ipa-server-4.5.4-7.el7.x86_64

Tested the bug with following observations:
1. Setup IPA master at latest version ( in my case RHEL 7.5)
2. Create a test user (in my case user named 'testuser')
3. create a directory on the system by the newly created user in step2. (in my case i created directory at '/root/testuser')
# cd /root/testuser
4. Create a new file named 'testuser.inf' for key creation with following contents.

[ req ]
prompt = no
encrypt_key = no

distinguished_name = dn
req_extensions = exts

[ dn ]
commonName = "testuser"

[ exts ]
subjectAltName=email:testuser

5. Create key file using the inf file created in step4.
# openssl genrsa -out testuser.key 2048

6. Create csr using the key file created in step5.
# openssl req -new -sha256 -key testuser.key -out testuser.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:MH
Locality Name (eg, city) [Default City]:PUNE
Organization Name (eg, company) [Default Company Ltd]:Red Hat
Organizational Unit Name (eg, section) []:QE
Common Name (eg, your name or your server's hostname) []:testuser
Email Address []:testuser

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@auto-hv-01-guest03 testuser]# ls -l
total 12
-rw-r--r--. 1 root root 1041 Dec 19 06:24 testuser.csr
-rw-r--r--. 1 root root  170 Dec 19 06:19 testuser.inf
-rw-r--r--. 1 root root 1679 Dec 19 06:20 testuser.key

7. Now run ipa cert-request using csr generated in step6.
# ipa cert-request testuser.csr --principal=testuser
ipa: ERROR: invalid 'csr': DN emailAddress does not match any of user's email addresses

From the above observation in step7, we are still seeing the original issue mentioned at Comment#0 (Description), thus marking status to "ASSIGNED"

Comment 17 Christian Heimes 2018-01-09 17:12:16 UTC

I opened https://github.com/freeipa/freeipa/pull/1450 to backport https://github.com/freeipa/freeipa/pull/736/commits/6eb1169e3eab36678a2640718a7204a72247be91 to 4.5.

Comment 20 Nikhil Dehadrai 2018-01-23 04:57:03 UTC

IPA-Server-Version: ipa-server-4.5.4-8.el7.x86_64

Tested the bug on the basis of below observations:
Tested the bug with following observations:
1. Setup IPA master at latest version ( in my case RHEL 7.5- ipa-server-4.5.4-8.el7.x86_64)

2. Create a test user (in my case user named 'testuser')
# ipa user-add --first=test --last=user testuser

3. create a directory on the system by the newly created user in step2. (in my case i created directory at '/root/testuser')
# cd /root/testuser

4. Create a new file named 'testuser.inf' for key creation with following contents.

[ req ]
prompt = no
encrypt_key = no

distinguished_name = dn
req_extensions = exts

[ dn ]
commonName = "testuser"

[ exts ]
subjectAltName=email:testuser

5. Create key file using the inf file created in step4.
# openssl genrsa -out testuser.key 2048

6. Create csr using the key file created in step5.
# openssl req -new -sha256 -key testuser.key -out testuser.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:MH
Locality Name (eg, city) [Default City]:PUNE
Organization Name (eg, company) [Default Company Ltd]:Red Hat
Organizational Unit Name (eg, section) []:QE
Common Name (eg, your name or your server's hostname) []:testuser
Email Address []:testuser

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[root@hp-microservergen8-01 testuser]# ls -l
total 12
-rw-r--r--. 1 root root 1041 Jan 22 23:50 testuser.csr
-rw-r--r--. 1 root root  170 Jan 22 23:48 testuser.inf
-rw-r--r--. 1 root root 1675 Jan 22 23:48 testuser.key
[root@hp-microservergen8-01 testuser]# ipa cert-request testuser.csr --principal=testuser
  Issuing CA: ipa
  Certificate: MIIEDjCCAvagAwIBAgIBCzANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTgwMTIzMDQ1MDIyWhcNMjAwMTI0MDQ1MDIyWjArMRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMREwDwYDVQQDDAh0ZXN0dXNlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMP4eX/h7gK1+7CPlZ/C4O4yImECxG/QpKCrwzIKKQ0wZxLEqhE2L4SuffAbK80gIAw7odOCf2fB9KLmkYntaWzhpM/tAQURQc3NDBWCwnFwgwU4r9TilXjbe45DGrlXSVdYudriNlY5Jyx5HgLBIfnZkLnofNnSFxoHTl0B5qnn5UH7av7cVkZ74uc7ergDYzsQmbyjL+zkEvLn4Zuler5fkI3HBrxMmXIhqx7Phdq32gQSAwBCruA9YAiQ7sp4rkAj6H90RH9Nhy2/fbU0fAEqNKBcT7OOVlThnIcMFk1NtIxdGSS5pHRhu3pF0NXYaFTczIkLLvH3drbypGYU4uMCAwEAAaOCAS4wggEqMB8GA1UdIwQYMBaAFDL2I1OnbctxXAoTWmp11mHt78mXMD8GCCsGAQUFBwEBBDMwMTAvBggrBgEFBQcwAYYjaHR0cDovL2lwYS1jYS50ZXN0cmVsbS50ZXN0L2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB4BgNVHR8EcTBvMG2gNaAzhjFodHRwOi8vaXBhLWNhLnRlc3RyZWxtLnRlc3QvaXBhL2NybC9NYXN0ZXJDUkwuYmluojSkMjAwMQ4wDAYDVQQKDAVpcGFjYTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1UdDgQWBBS+LMvJhDL7upfVy+Zb3iD0JtVx+zANBgkqhkiG9w0BAQsFAAOCAQEAikCuKOsTCPFNhFXQ84JKna5IL7NQXCs+DipMfv5Pcyz+qVq3GVJBTg2fGmFXtr3lTlAwJ6a8EERm4oyqOgTkolyCyKGACNZbiFD3iMVQg19Em0nbM5TscgsiP4GZMxQQMACjVqagKjVCJmtGJNJqd52yigb9BX5g46XIRbp8E4wTZoAft4jANpz5ZgRg1J2Q3ryIPay/5Mkyok5O2/fvKzuWAR3kfM5FTTdUq3qRzaLq7+JP5MscArDmrU3oyhYbDUSbAYwjXAPuyPtK+DMYys2oS6+amaxAZkFYsAXjdoutPJXH18NHlsTkIyyIYxEe3BGR8dxj/KIcwGsJ7cWauw==
  Subject: CN=testuser,O=TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Tue Jan 23 04:50:22 2018 UTC
  Not After: Fri Jan 24 04:50:22 2020 UTC
  Serial number: 11
  Serial number (hex): 0xB
[root@hp-microservergen8-01 testuser]# rpm -q ipa-server
ipa-server-4.5.4-8.el7.x86_64
[root@hp-microservergen8-01 testuser]#
[root@hp-microservergen8-01 testuser]# ipactl restart
Stopping pki-tomcatd Service
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root@hp-microservergen8-01 testuser]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@hp-microservergen8-01 testuser]# kinit admin
Password for admin: 

[root@hp-microservergen8-01 testuser]# ipa user-find testuser --all
--------------
1 user matched
--------------
  dn: uid=testuser,cn=users,cn=accounts,dc=testrelm,dc=test
  User login: testuser
  First name: test
  Last name: user
  Full name: test user
  Display name: test user
  Initials: tu
  Home directory: /home/testuser
  GECOS: test user
  Login shell: /bin/sh
  Principal name: testuser
  Principal alias: testuser
  Email address: testuser
  UID: 952800001
  GID: 952800001
  Certificate: MIIEDjCCAvagAwIBAgIBCzANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTgwMTIzMDQ1MDIyWhcNMjAwMTI0MDQ1MDIyWjArMRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMREwDwYDVQQDDAh0ZXN0dXNlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMP4eX/h7gK1+7CPlZ/C4O4yImECxG/QpKCrwzIKKQ0wZxLEqhE2L4SuffAbK80gIAw7odOCf2fB9KLmkYntaWzhpM/tAQURQc3NDBWCwnFwgwU4r9TilXjbe45DGrlXSVdYudriNlY5Jyx5HgLBIfnZkLnofNnSFxoHTl0B5qnn5UH7av7cVkZ74uc7ergDYzsQmbyjL+zkEvLn4Zuler5fkI3HBrxMmXIhqx7Phdq32gQSAwBCruA9YAiQ7sp4rkAj6H90RH9Nhy2/fbU0fAEqNKBcT7OOVlThnIcMFk1NtIxdGSS5pHRhu3pF0NXYaFTczIkLLvH3drbypGYU4uMCAwEAAaOCAS4wggEqMB8GA1UdIwQYMBaAFDL2I1OnbctxXAoTWmp11mHt78mXMD8GCCsGAQUFBwEBBDMwMTAvBggrBgEFBQcwAYYjaHR0cDovL2lwYS1jYS50ZXN0cmVsbS50ZXN0L2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB4BgNVHR8EcTBvMG2gNaAzhjFodHRwOi8vaXBhLWNhLnRlc3RyZWxtLnRlc3QvaXBhL2NybC9NYXN0ZXJDUkwuYmluojSkMjAwMQ4wDAYDVQQKDAVpcGFjYTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1UdDgQWBBS+LMvJhDL7upfVy+Zb3iD0JtVx+zANBgkqhkiG9w0BAQsFAAOCAQEAikCuKOsTCPFNhFXQ84JKna5IL7NQXCs+DipMfv5Pcyz+qVq3GVJBTg2fGmFXtr3lTlAwJ6a8EERm4oyqOgTkolyCyKGACNZbiFD3iMVQg19Em0nbM5TscgsiP4GZMxQQMACjVqagKjVCJmtGJNJqd52yigb9BX5g46XIRbp8E4wTZoAft4jANpz5ZgRg1J2Q3ryIPay/5Mkyok5O2/fvKzuWAR3kfM5FTTdUq3qRzaLq7+JP5MscArDmrU3oyhYbDUSbAYwjXAPuyPtK+DMYys2oS6+amaxAZkFYsAXjdoutPJXH18NHlsTkIyyIYxEe3BGR8dxj/KIcwGsJ7cWauw==
  Account disabled: False
  Preserved user: False
  Member of groups: ipausers
  ipauniqueid: 865f2716-fff8-11e7-b7fd-a0481cb83924
  mepmanagedentry: cn=testuser,cn=groups,cn=accounts,dc=testrelm,dc=test
  objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux,
               krbticketpolicyaux, ipaobject, ipasshuser, ipaSshGroupOfPubKeys, mepOriginEntry
----------------------------
Number of entries returned 1
----------------------------
[root@hp-microservergen8-01 testuser]# 


Thus on the basis of above observations, the issue mentioned in description and comment#14 is not observed, thus marking the status of this bug to "VERIFIED".

Comment 23 errata-xmlrpc 2018-04-10 16:40:25 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0918

Comment 24 Red Hat Bugzilla 2023-09-14 03:57:42 UTC

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days

Note You need to log in before you can comment on or make changes to this bug.