#9395 Search for user by krbPrincipalExpiration not returning results
Closed: fixed 2 years ago by frenaud. Opened 2 years ago by sknust.

Issue

ipa user-find does not return users if searching by the krbPrincipalExpiration date, i.e. ipa user-find --principal-expiration 20230801000000Z

Steps to Reproduce

  1. Create user with Kerberos principal expiration: ipa user-add --first=Test --last=User --noprivate --gidnumber=1000 --principal-expiration=20230801000000Z (adjust gidnumber as necessary)
  2. Try to find user: ipa user-find --principal-expiration 20230801000000Z

Actual behavior

No results are returned

Expected behavior

The freshly created user is returned

Version/Release/Distribution

$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.9.11-5.module+el8.8.0+1277+af9ff11b.x86_64
ipa-client-4.9.11-5.module+el8.8.0+1277+af9ff11b.x86_64
389-ds-base-1.4.3.34-1.module+el8.7.0+1179+90e6c9fb.x86_64
package pki-ca is not installed
krb5-server-1.18.2-22.el8_7.x86_64

Additional info:

/var/log/httpd/error_log:

[Tue Jun 13 14:48:10.555310 2023] [wsgi:error] [pid 758192:tid 140463461029632] [remote 129.70.xxx.xxx:43494] ipa: INFO: [jsonserver_session] admin@IPA.PHYSIK.UNI-BIELEFELD.DE: user_find/1(None, krbprincipalexpiration=datetime.datetime(2023, 8, 1, 0, 0), version='2.251', pkey_only=True): SUCCESS

/var/log/dirsrv/slapd-IPA-PHYSIK-UNI-BIELEFELD-DE/access:

[13/Jun/2023:14:48:10.470327189 +0200] conn=749766 op=0 BIND dn="" method=sasl version=3 mech=GSS-SPNEGO
[13/Jun/2023:14:48:10.474683852 +0200] conn=749766 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.000491344 optime=0.004376114 etime=0.004865928 dn="uid=admin,cn=users,cn=accounts,dc=ipa,dc=physik,dc=uni-bielefeld,dc=de"
[13/Jun/2023:14:48:10.478019206 +0200] conn=749766 op=1 SRCH base="cn=ipaconfig,cn=etc,dc=ipa,dc=physik,dc=uni-bielefeld,dc=de" scope=0 filter="(objectClass=*)" attrs=ALL
[13/Jun/2023:14:48:10.478728967 +0200] conn=749766 op=1 RESULT err=0 tag=101 nentries=1 wtime=0.000146453 optime=0.000711221 etime=0.000855784
[13/Jun/2023:14:48:10.480634332 +0200] conn=749766 op=2 SRCH base="cn=users,cn=accounts,dc=ipa,dc=physik,dc=uni-bielefeld,dc=de" scope=1 filter="(&(krbPrincipalExpiration=2023-08-01 00:00:00)(objectClass=posixaccount))" attrs="uid ipaSshPubKey"
[13/Jun/2023:14:48:10.554557224 +0200] conn=749766 op=2 RESULT err=0 tag=101 nentries=0 wtime=0.000185916 optime=0.073926963 etime=0.074109319 notes=U details="Partially Unindexed Filter"
[13/Jun/2023:14:48:10.555795688 +0200] conn=749766 op=3 UNBIND
[13/Jun/2023:14:48:10.555831189 +0200] conn=749766 op=3 fd=74 closed error - U1

See also mailing list thread https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/3WIT5E6EOJPXRAMI5DUF56PRMMPXRQNF/

https://github.com/freeipa/freeipa/pull/6880 does not solve the issue
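
In the access log above, the search filter carries the value 2023-08-01 00:00:00, which is Python's default string form of the datetime shown in error_log, while the user was created with the GeneralizedTime value 20230801000000Z. The Python below is an added example, not FreeIPA code and not part of the original report: it scans 389-ds access log lines for time-attribute assertions that are not in that UTC GeneralizedTime form and pairs each with the nentries of its RESULT line. The names TIME_ATTRS, to_generalized_time and audit are hypothetical, and the conn=1 log lines are constructed for contrast.

```python
import re
from datetime import datetime, timezone

TIME_ATTRS = {"krbprincipalexpiration"}  # assumption: attributes to audit
# UTC GeneralizedTime as used on this page (20230801000000Z); other valid
# GeneralizedTime forms (offsets, omitted seconds) are not accepted here.
GENERALIZED_TIME = re.compile(r"^\d{14}(\.\d+)?Z$")
SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH .*? filter="([^"]*)"')
RESULT = re.compile(r"conn=(\d+) op=(\d+) RESULT .*?nentries=(\d+)")
ASSERTION = re.compile(r"\(([A-Za-z][\w;-]*)=([^()]*)\)")

def to_generalized_time(dt):
    """Render a datetime as UTC GeneralizedTime; naive values are taken as UTC."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")

def audit(lines):
    """Flag searches whose time assertions are not GeneralizedTime, with nentries."""
    pending, findings = {}, []
    for line in lines:
        m = SRCH.search(line)
        if m:
            bad = [(a, v) for a, v in ASSERTION.findall(m.group(3))
                   if a.lower() in TIME_ATTRS and not GENERALIZED_TIME.match(v)]
            if bad:
                pending[m.group(1, 2)] = bad  # wait for the matching RESULT
            continue
        m = RESULT.search(line)
        if m and m.group(1, 2) in pending:
            for attr, value in pending.pop(m.group(1, 2)):
                findings.append({"conn": m.group(1), "op": m.group(2), "attr": attr,
                                 "value": value, "nentries": int(m.group(3))})
    return findings

BASE = 'base="cn=users,cn=accounts,dc=ipa,dc=physik,dc=uni-bielefeld,dc=de" scope=1'
SAMPLE = [
    # conn=749766: abridged from the access log in the report above
    f'[13/Jun/2023:14:48:10.480634332 +0200] conn=749766 op=2 SRCH {BASE} filter="(&(krbPrincipalExpiration=2023-08-01 00:00:00)(objectClass=posixaccount))" attrs="uid ipaSshPubKey"',
    '[13/Jun/2023:14:48:10.554557224 +0200] conn=749766 op=2 RESULT err=0 tag=101 nentries=0 notes=U details="Partially Unindexed Filter"',
    # conn=1: constructed lines with a GeneralizedTime assertion, for contrast
    f'[01/Jan/2024:00:00:00.000000000 +0000] conn=1 op=1 SRCH {BASE} filter="(&(krbPrincipalExpiration=20230801000000Z)(objectClass=posixaccount))" attrs="uid"',
    '[01/Jan/2024:00:00:00.100000000 +0000] conn=1 op=1 RESULT err=0 tag=101 nentries=1',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
    print(to_generalized_time(datetime(2023, 8, 1)))
```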


Metadata Update from @ftrivino:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/6880
- Issue assigned to abbra

2 years ago

master:

  • ef955c9 support more DateTime attributes in LDAP searches in IPA API

ipa-4-10:

  • 2d16dfa support more DateTime attributes in LDAP searches in IPA API

ipa-4-9:

  • 3498ac8 support more DateTime attributes in LDAP searches in IPA API

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago
