Bug 1451576 - ipa cert-request failed to generate certificate from csr [NEEDINFO]
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Target Milestone: rc
Assignee: fbarreto
QA Contact: ipa-qe
Blocks: 1392582
Reported: 2017-05-17 05:42 UTC by Abhijeet Kasurde
Modified: 2018-04-10 16:41 UTC (History)

Fixed In Version: ipa-4.5.4-8.el7
Last Closed: 2018-04-10 16:40:25 UTC
rcritten: needinfo? (jnovonj)


Links
System ID Priority Status Summary Last Updated
Fedora Pagure freeipa issue 5919 None None None 2018-02-28 09:24:40 UTC
Red Hat Product Errata RHBA-2018:0918 None None None 2018-04-10 16:41:35 UTC

Description Abhijeet Kasurde 2017-05-17 05:42:32 UTC
Description of problem:
ipa cert-request command fails to generate certificate using CSR generated by openssl.

[root@master1 ~]# openssl req -new -sha256 -key testuser1.key -out testuser1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:MH
Locality Name (eg, city) [Default City]:PUNE
Organization Name (eg, company) [Default Company Ltd]:RED HAT
Organizational Unit Name (eg, section) []:QE
Common Name (eg, your name or your server's hostname) []:testuser1
Email Address []:testuser1@testrelm.test

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@master1 ~]# ipa cert-request testuser1.csr --principal=testuser1@TESTRELM.TEST
ipa: ERROR: invalid 'csr': DN emailAddress does not match any of user's email addresses

Version-Release number of selected component (if applicable):
ipa-server-4.5.0-11.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Generate CSR using openssl command
2. Request certificate for user using ipa cert-request command

Actual results:
Error as above

Expected results:
Certificate generated by IPA for user.

Comment 3 Martin Babinsky 2017-05-19 12:49:35 UTC
Sounds like https://pagure.io/freeipa/issue/5919 for which a fix was pushed to master recently. Felipe, can you take a look at this BZ to see whether it has the same root cause? If yes, we will backport the fix to RHEL ASAP.

Comment 4 fbarreto 2017-05-19 19:24:11 UTC
Hi Abhijeet,

I followed the steps that you provided, but I got the error [1] when running the cert-request command. Am I missing something?


[1]
[root@kvm-02-guest08 1451576]# ipa cert-request testuser1.csr --principal=testuser1@TESTRELM.TEST                      
ipa: ERROR: The principal for this request doesn't exist.

Comment 5 Fraser Tweedale 2017-05-22 03:23:48 UTC
Felipe, you have to have an IPA server with realm "TESTRELM.TEST" and
also create the user 'testuser1'.  Then it will find the principal and
you should be able to reproduce this issue.

Comment 6 fbarreto 2017-05-22 14:06:41 UTC
Fraser: thank you for helping, that is what was missing.

Martin: Yes, it's the same root cause. The PR for https://pagure.io/freeipa/issue/5919 fixes this.

Comment 8 Abhijeet Kasurde 2017-06-08 09:44:40 UTC
Using this as a workaround - Let me know if it is correct 

[root@ipaserver01 ~]# cat testuser1.cnf
[ req ]
prompt = no
encrypt_key = no

distinguished_name = dn
req_extensions = exts

[ dn ]
commonName = testuser1

[ exts ]
subjectAltName=@alt_section

[alt_section]
email=testuser1@testrelm.test
[root@ipaserver01 ~]# openssl req -new -newkey rsa:2048 -keyout testuser1.key -sha256 -nodes -out testuser1.csr -config testuser1.cnf
Generating a 2048 bit RSA private key
.....+++
.........................+++
writing new private key to 'testuser1.key'
-----
[root@ipaserver01 ~]# openssl req -text -noout -in testuser1.csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=testuser1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                email:testuser1@testrelm.test
    Signature Algorithm: sha256WithRSAEncryption
[root@ipaserver01 ~]# echo Secret123 | kinit admin
Password for admin@TESTRELM.TEST:
[root@ipaserver01 ~]# echo Password1 | ipa user-add --first testuser1 --last testuser1 testuser1 --password
----------------------
Added user "testuser1"
----------------------
  User login: testuser1
  First name: testuser1
  Last name: testuser1
  Full name: testuser1 testuser1
  Display name: testuser1 testuser1
  Initials: tt
  Home directory: /home/testuser1
  GECOS: testuser1 testuser1
  Login shell: /bin/sh
  Principal name: testuser1@TESTRELM.TEST
  Principal alias: testuser1@TESTRELM.TEST
  Email address: testuser1@testrelm.test
  UID: 937000001
  GID: 937000001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
[root@ipaserver01 ~]# ipa cert-request --principal=testuser1 testuser1.csr
  Issuing CA: ipa
  Certificate: [certificate data omitted]
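
A pre-submission check for the error in this report, as an added example that is not part of the original comments or of IPA's own code: it lists the e-mail addresses found in `openssl req -text -noout` output (subject DN `emailAddress` and SAN `email`) and compares them with the addresses on the user's entry. The function names, the sample text and the exact-string comparison are assumptions made for illustration.

```sh
# Added example, not from the bug report. Lists the e-mail addresses a CSR
# carries (subject DN emailAddress and SAN email) and compares them with the
# addresses on the user's entry. Assumption: exact string comparison.

# Constructed sample of `openssl req -text -noout` output (OpenSSL 1.0.2 layout).
SAMPLE_CSR_TEXT='Certificate Request:
    Data:
        Subject: C=IN, ST=MH, O=RED HAT, CN=testuser1/emailAddress=testuser1@testrelm.test
        Requested Extensions:
            X509v3 Subject Alternative Name:
                email:testuser1@testrelm.test, email:other@example.test'

# stdin: CSR text dump. stdout: one "dn <addr>" or "san <addr>" line per address.
# Accepts "/emailAddress=x" (1.0.2) and ", emailAddress = x" (1.1 and later).
csr_text_emails() (
    text=$(cat)
    printf '%s\n' "$text" | grep -E '^[[:space:]]*Subject:' \
        | grep -oE 'emailAddress ?= ?[^,/[:space:]]+' \
        | sed -E 's/^emailAddress ?= ?/dn /'
    printf '%s\n' "$text" | grep -oE 'email:[^,[:space:]]+' \
        | sed -E 's/^email:/san /'
    exit 0
)

# stdin: CSR text dump; arguments: the user's e-mail addresses.
# Prints a verdict per address; exit status 1 if any address is not listed.
check_csr_emails() (
    rc=0
    found=$(csr_text_emails)
    while read -r kind addr; do
        [ -n "$addr" ] || continue
        verdict=MISMATCH
        for known in "$@"; do
            if [ "$addr" = "$known" ]; then verdict=ok; fi
        done
        if [ "$verdict" != ok ]; then rc=1; fi
        printf '%s %s %s\n' "$kind" "$addr" "$verdict"
    done <<EOF
$found
EOF
    exit "$rc"
)

# Against a real request (needs openssl; addresses as shown by `ipa user-show`):
#   openssl req -text -noout -in testuser1.csr | check_csr_emails testuser1@testrelm.test
```

Running the check before `ipa cert-request` shows which field (DN or SAN) carries an address that the user's entry does not list.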

Comment 12 Jorge Novo 2017-12-06 13:57:06 UTC
Hi,

  This is my first question, please be patient.

The workaround does not seem to work. My CSR says:

---------- 8< ----------- 8< -----------
Common Name: jnovo@micasa.local
Subject Alternative Names: jnovo@micasa.local
Organization: MiCasa
Organization Unit: MiCasa Infraestructuras
Locality: Madrid
State: Comunidad Autonoma de Madrid
Country: ES
Email: jnovo@micasa.local
---------- >8 ----------- >8 -----------



[root@freeipa ipa-server]# ipa cert-request --principal=jnovo jnovo@micasa.local.csr
ipa: ERROR: an internal error has occurred
[root@freeipa ipa-server]#

Comment 13 Rob Crittenden 2017-12-06 15:20:50 UTC
This may not be related to the original issue, but you'd need to look in the Apache error log for more details on the failure: /var/log/httpd/error_log on the IPA master.

Comment 14 Nikhil Dehadrai 2017-12-19 11:47:32 UTC
IPA version: ipa-server-4.5.4-7.el7.x86_64

Tested the bug with the following observations:
1. Set up IPA master at latest version (in my case RHEL 7.5)
2. Create a test user (in my case user named 'testuser')
3. Create a directory on the system by the newly created user in step 2 (in my case I created the directory at '/root/testuser').
# cd /root/testuser
4. Create a new file named 'testuser.inf' for key creation with following contents.

[ req ]
prompt = no
encrypt_key = no

distinguished_name = dn
req_extensions = exts

[ dn ]
commonName = "testuser"

[ exts ]
subjectAltName=email:testuser@testrelm.test

5. Create key file using the inf file created in step4.
# openssl genrsa -out testuser.key 2048

6. Create csr using the key file created in step5.
# openssl req -new -sha256 -key testuser.key -out testuser.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:MH
Locality Name (eg, city) [Default City]:PUNE
Organization Name (eg, company) [Default Company Ltd]:Red Hat
Organizational Unit Name (eg, section) []:QE
Common Name (eg, your name or your server's hostname) []:testuser
Email Address []:testuser@testrelm.test

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@auto-hv-01-guest03 testuser]# ls -l
total 12
-rw-r--r--. 1 root root 1041 Dec 19 06:24 testuser.csr
-rw-r--r--. 1 root root  170 Dec 19 06:19 testuser.inf
-rw-r--r--. 1 root root 1679 Dec 19 06:20 testuser.key

7. Now run ipa cert-request using csr generated in step6.
# ipa cert-request testuser.csr --principal=testuser@TESTRELM.TEST
ipa: ERROR: invalid 'csr': DN emailAddress does not match any of user's email addresses

From the above observation in step 7, we are still seeing the original issue mentioned in Comment#0 (Description), thus marking status as "ASSIGNED".

Comment 20 Nikhil Dehadrai 2018-01-23 04:57:03 UTC
IPA-Server-Version: ipa-server-4.5.4-8.el7.x86_64

Tested the bug on the basis of below observations:
Tested the bug with the following observations:
1. Set up IPA master at latest version (in my case RHEL 7.5 - ipa-server-4.5.4-8.el7.x86_64)

2. Create a test user (in my case user named 'testuser')
# ipa user-add --first=test --last=user testuser

3. Create a directory on the system by the newly created user in step 2 (in my case I created the directory at '/root/testuser').
# cd /root/testuser

4. Create a new file named 'testuser.inf' for key creation with following contents.

[ req ]
prompt = no
encrypt_key = no

distinguished_name = dn
req_extensions = exts

[ dn ]
commonName = "testuser"

[ exts ]
subjectAltName=email:testuser@testrelm.test

5. Create key file using the inf file created in step4.
# openssl genrsa -out testuser.key 2048

6. Create csr using the key file created in step5.
# openssl req -new -sha256 -key testuser.key -out testuser.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:MH
Locality Name (eg, city) [Default City]:PUNE
Organization Name (eg, company) [Default Company Ltd]:Red Hat
Organizational Unit Name (eg, section) []:QE
Common Name (eg, your name or your server's hostname) []:testuser
Email Address []:testuser@testrelm.test

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[root@hp-microservergen8-01 testuser]# ls -l
total 12
-rw-r--r--. 1 root root 1041 Jan 22 23:50 testuser.csr
-rw-r--r--. 1 root root  170 Jan 22 23:48 testuser.inf
-rw-r--r--. 1 root root 1675 Jan 22 23:48 testuser.key
[root@hp-microservergen8-01 testuser]# ipa cert-request testuser.csr --principal=testuser@TESTRELM.TEST
  Issuing CA: ipa
  Certificate: [certificate data omitted]
  Subject: CN=testuser,O=TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Tue Jan 23 04:50:22 2018 UTC
  Not After: Fri Jan 24 04:50:22 2020 UTC
  Serial number: 11
  Serial number (hex): 0xB
[root@hp-microservergen8-01 testuser]# rpm -q ipa-server
ipa-server-4.5.4-8.el7.x86_64
[root@hp-microservergen8-01 testuser]#
[root@hp-microservergen8-01 testuser]# ipactl restart
Stopping pki-tomcatd Service
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root@hp-microservergen8-01 testuser]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@hp-microservergen8-01 testuser]# kinit admin
Password for admin@TESTRELM.TEST: 

[root@hp-microservergen8-01 testuser]# ipa user-find testuser --all
--------------
1 user matched
--------------
  dn: uid=testuser,cn=users,cn=accounts,dc=testrelm,dc=test
  User login: testuser
  First name: test
  Last name: user
  Full name: test user
  Display name: test user
  Initials: tu
  Home directory: /home/testuser
  GECOS: test user
  Login shell: /bin/sh
  Principal name: testuser@TESTRELM.TEST
  Principal alias: testuser@TESTRELM.TEST
  Email address: testuser@testrelm.test
  UID: 952800001
  GID: 952800001
  Certificate: [certificate data omitted]
  Account disabled: False
  Preserved user: False
  Member of groups: ipausers
  ipauniqueid: 865f2716-fff8-11e7-b7fd-a0481cb83924
  mepmanagedentry: cn=testuser,cn=groups,cn=accounts,dc=testrelm,dc=test
  objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux,
               krbticketpolicyaux, ipaobject, ipasshuser, ipaSshGroupOfPubKeys, mepOriginEntry
----------------------------
Number of entries returned 1
----------------------------
[root@hp-microservergen8-01 testuser]# 


Thus, on the basis of the above observations, the issue mentioned in the description and comment#14 is not observed, thus marking the status of this bug as "VERIFIED".

Comment 23 errata-xmlrpc 2018-04-10 16:40:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0918

