Hi,

On Tue, Dec 20, 2022 at 2:20 AM junhou he via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hi,
tail -f /var/log/pki/pki-tomcat/ca/debug.2022-12-20.log
2022-12-20 08:44:38 [CertStatusUpdateTask] INFO: DBVirtualList: Searching ou=certificateRepository, ou=ca,o=ipaca
2022-12-20 08:44:38 [CertStatusUpdateTask] INFO: DBVirtualList: filter: (certStatus=INVALID)
2022-12-20 08:44:38 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating valid certs to expired
2022-12-20 08:44:38 [CertStatusUpdateTask] INFO: DBVirtualList: Searching ou=certificateRepository, ou=ca,o=ipaca
2022-12-20 08:44:38 [CertStatusUpdateTask] INFO: DBVirtualList: filter: (certStatus=VALID)
2022-12-20 08:44:38 [CertStatusUpdateTask] INFO: DBVirtualList: dn: cn=2,ou=certificateRepository,ou=ca,o=ipaca
2022-12-20 08:44:38 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating revoked certs to expired
2022-12-20 08:44:38 [CertStatusUpdateTask] INFO: DBVirtualList: Searching ou=certificateRepository, ou=ca,o=ipaca
2022-12-20 08:44:38 [CertStatusUpdateTask] INFO: DBVirtualList: filter: (certStatus=REVOKED)
2022-12-20 08:49:32 [Timer-0] INFO: SessionTimer: checking security domain sessions
2022-12-20 08:52:50 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-5] INFO: Getting certificate 0x1
2022-12-20 08:52:50 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-5] INFO: LDAPSession: reading cn=1,ou=certificateRepository, ou=ca,o=ipaca
From this log it looks like the ipa cert-show 1 op was done at 08:52:50 but the directory server logs below do not cover this timestamp.
It's not possible to check with those logs if the mapping of the certificate to a user entry succeeded or failed. Do you still have the logs in /var/log/dirsrv/slapd-WINGON-HK/access (or one of the rotated logs) corresponding to this date?

flo
2022-12-20 08:54:32 [Timer-0] INFO: SessionTimer: checking security domain sessions
2022-12-20 08:54:35 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: Updating serial number counter
2022-12-20 08:54:35 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: Checking serial number ranges
2022-12-20 08:54:35 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: Checking request ID ranges
2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating cert status
2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating invalid certs to valid
2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: DBVirtualList: Searching ou=certificateRepository, ou=ca,o=ipaca
2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: DBVirtualList: filter: (certStatus=INVALID)
2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating valid certs to expired
2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: DBVirtualList: Searching ou=certificateRepository, ou=ca,o=ipaca
2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: DBVirtualList: filter: (certStatus=VALID)
2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: DBVirtualList: dn: cn=2,ou=certificateRepository,ou=ca,o=ipaca
2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating revoked certs to expired
2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: DBVirtualList: Searching ou=certificateRepository, ou=ca,o=ipaca
2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: DBVirtualList: filter: (certStatus=REVOKED)

tail -f /var/log/dirsrv/slapd-WINGON-HK/access
[20/Dec/2022:09:02:42.692704846 +0800] conn=2900 op=5 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[20/Dec/2022:09:02:42.693154479 +0800] conn=2900 op=5 RESULT err=0 tag=120 nentries=0 wtime=0.000085573 optime=0.000458433 etime=0.000543125
[20/Dec/2022:09:02:42.697272544 +0800] conn=2900 op=6 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[20/Dec/2022:09:02:42.698855885 +0800] conn=2900 op=6 RESULT err=0 tag=120 nentries=0 wtime=0.000073994 optime=0.001572452 etime=0.001643806
[20/Dec/2022:09:02:42.700657032 +0800] conn=2900 op=7 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[20/Dec/2022:09:02:42.700962545 +0800] conn=2900 op=7 RESULT err=0 tag=120 nentries=0 wtime=0.000139301 optime=0.000318407 etime=0.000456836
[20/Dec/2022:09:02:42.705290181 +0800] conn=2900 op=8 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[20/Dec/2022:09:02:42.707796203 +0800] conn=2900 op=8 RESULT err=0 tag=120 nentries=0 wtime=0.000185974 optime=0.002508316 etime=0.002691736
[20/Dec/2022:09:03:42.726943689 +0800] conn=2900 op=9 UNBIND
[20/Dec/2022:09:03:42.727016226 +0800] conn=2900 op=9 fd=124 closed error - U1
[20/Dec/2022:09:04:31.059429193 +0800] conn=2901 fd=77 slot=77 connection from 10.100.0.213 to 10.100.0.213
[20/Dec/2022:09:04:31.062126284 +0800] conn=2901 op=0 BIND dn="" method=sasl version=3 mech=GSS-SPNEGO
[20/Dec/2022:09:04:31.064368644 +0800] conn=2901 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.000254605 optime=0.002247116 etime=0.002500343 dn="uid=admin,cn=users,cn=accounts,dc=wingon,dc=hk"
[20/Dec/2022:09:04:31.067358291 +0800] conn=2901 op=1 SRCH base="cn=ipaconfig,cn=etc,dc=wingon,dc=hk" scope=0 filter="(objectClass=*)" attrs=ALL
[20/Dec/2022:09:04:31.067884679 +0800] conn=2901 op=1 RESULT err=0 tag=101 nentries=1 wtime=0.000120718 optime=0.000535934 etime=0.000654762
[20/Dec/2022:09:04:31.069260735 +0800] conn=2901 op=2 SRCH base="cn=masters,cn=ipa,cn=etc,dc=wingon,dc=hk" scope=2 filter="(&(objectClass=ipaConfigObject)(cn=CA))" attrs=ALL
[20/Dec/2022:09:04:31.069847504 +0800] conn=2901 op=2 RESULT err=0 tag=101 nentries=1 wtime=0.000123265 optime=0.000588648 etime=0.000709935
[20/Dec/2022:09:04:31.088542693 +0800] conn=19 op=5331 SRCH base="cn=1,ou=certificateRepository,ou=ca,o=ipaca" scope=0 filter="(objectClass=*)" attrs=ALL
[20/Dec/2022:09:04:31.088794885 +0800] conn=19 op=5331 RESULT err=0 tag=101 nentries=1 wtime=0.000131894 optime=0.000253526 etime=0.000383435
[20/Dec/2022:09:04:31.100233153 +0800] conn=2901 op=3 EXT oid="1.3.6.1.4.1.4203.1.11.3" name="whoami-plugin"
[20/Dec/2022:09:04:31.100297979 +0800] conn=2901 op=3 RESULT err=0 tag=120 nentries=0 wtime=0.000092504 optime=0.000078842 etime=0.000169340
[20/Dec/2022:09:04:31.100582540 +0800] conn=2901 op=4 SRCH base="cn=retrieve certificate,cn=virtual operations,cn=etc,dc=wingon,dc=hk" scope=0 filter="(objectClass=*)" attrs="objectClass"
[20/Dec/2022:09:04:31.101301014 +0800] conn=2901 op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000089696 optime=0.000718765 etime=0.000806178 - entryLevelRights: vadn
[20/Dec/2022:09:04:31.103206149 +0800] conn=2901 op=5 SRCH base="cn=cas,cn=ca,dc=wingon,dc=hk" scope=2 filter="(&(cn=ipa)(objectClass=ipaca))" attrs=""
[20/Dec/2022:09:04:31.103618859 +0800] conn=2901 op=5 RESULT err=0 tag=101 nentries=1 wtime=0.000094913 optime=0.000414408 etime=0.000507374
[20/Dec/2022:09:04:31.104283197 +0800] conn=2901 op=6 SRCH base="cn=ipa,cn=cas,cn=ca,dc=wingon,dc=hk" scope=0 filter="(objectClass=*)" attrs="ipaCaId cn description ipaCaSubjectDN ipaCaIssuerDN"
[20/Dec/2022:09:04:31.104553278 +0800] conn=2901 op=6 RESULT err=0 tag=101 nentries=1 wtime=0.000092105 optime=0.000271539 etime=0.000362000
[20/Dec/2022:09:04:31.106067554 +0800] conn=2901 op=7 SRCH base="cn=masters,cn=ipa,cn=etc,dc=wingon,dc=hk" scope=2 filter="(&(&(objectClass=ipaConfigObject)(cn=CA))(|(ipaConfigString=enabledService)(ipaConfigString=hiddenService)))" attrs="ipaConfigString"
[20/Dec/2022:09:04:31.106596243 +0800] conn=2901 op=7 RESULT err=0 tag=101 nentries=1 wtime=0.000144092 optime=0.000530265 etime=0.000672601
[20/Dec/2022:09:04:31.125207280 +0800] conn=2901 op=8 UNBIND
[20/Dec/2022:09:04:31.125229178 +0800] conn=2901 op=8 fd=77 closed error - U1
[20/Dec/2022:09:04:32.044788344 +0800] conn=27 op=3416 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
[20/Dec/2022:09:04:32.045037986 +0800] conn=27 op=3416 RESULT err=32 tag=101 nentries=0 wtime=0.000131158 optime=0.000252952 etime=0.000381325
[20/Dec/2022:09:04:35.020912165 +0800] conn=19 op=5333 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="description"
[20/Dec/2022:09:04:35.021127672 +0800] conn=19 op=5333 RESULT err=0 tag=101 nentries=1 wtime=0.000139714 optime=0.000220328 etime=0.000357248
[20/Dec/2022:09:04:38.153925748 +0800] conn=28 op=6829 SRCH base="ou=authorizations,ou=acme,o=ipaca" scope=2 filter="(acmeExpires<=20221220010438+0000)" attrs="1.1"
[20/Dec/2022:09:04:38.154147606 +0800] conn=28 op=6829 RESULT err=0 tag=101 nentries=0 wtime=0.000138731 optime=0.000226372 etime=0.000362267
[20/Dec/2022:09:04:38.154503158 +0800] conn=28 op=6830 SRCH base="ou=orders,ou=acme,o=ipaca" scope=2 filter="(acmeExpires<=20221220010438+0000)" attrs="1.1"
[20/Dec/2022:09:04:38.154624386 +0800] conn=28 op=6830 RESULT err=0 tag=101 nentries=0 wtime=0.000228268 optime=0.000122646 etime=0.000349204
[20/Dec/2022:09:04:38.154854286 +0800] conn=28 op=6831 SRCH base="ou=certificates,ou=acme,o=ipaca" scope=2 filter="(acmeExpires<=20221220010438+0000)" attrs="1.1"
[20/Dec/2022:09:04:38.154950593 +0800] conn=28 op=6831 RESULT err=0 tag=101 nentries=0 wtime=0.000159553 optime=0.000097292 etime=0.000255334
[20/Dec/2022:09:04:38.398853998 +0800] conn=19 op=5334 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=INVALID)" attrs="objectClass serialno notBefore notAfter duration extension subjectName issuerName userCertificate version algorithmId signingAlgorithmId publicKeyData"
[20/Dec/2022:09:04:38.399125270 +0800] conn=19 op=5334 VLV 200:0:20221220090438Z 0:0 (0)
[20/Dec/2022:09:04:38.399186312 +0800] conn=19 op=5334 RESULT err=0 tag=101 nentries=0 wtime=0.000106897 optime=0.000334514 etime=0.000439629 notes=U details="Partially Unindexed Filter"
[20/Dec/2022:09:04:38.400127700 +0800] conn=19 op=5335 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=VALID)" attrs="objectClass serialno notBefore notAfter duration extension subjectName issuerName userCertificate version algorithmId signingAlgorithmId publicKeyData"
[20/Dec/2022:09:04:38.400265687 +0800] conn=19 op=5335 SORT notAfter
[20/Dec/2022:09:04:38.400273908 +0800] conn=19 op=5335 VLV 200:0:20221220090438Z 1:10 (0)
[20/Dec/2022:09:04:38.400433546 +0800] conn=19 op=5335 RESULT err=0 tag=101 nentries=1 wtime=0.000761697 optime=0.000307959 etime=0.001067831
[20/Dec/2022:09:04:38.401553390 +0800] conn=19 op=5336 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=REVOKED)" attrs="objectClass revokedOn serialno revInfo notAfter notBefore duration extension subjectName issuerName userCertificate version algorithmId signingAlgorithmId publicKeyData"
[20/Dec/2022:09:04:38.401693292 +0800] conn=19 op=5336 VLV 200:0:20221220090438Z 0:0 (0)
[20/Dec/2022:09:04:38.401734871 +0800] conn=19 op=5336 RESULT err=0 tag=101 nentries=0 wtime=0.001004479 optime=0.000183378 etime=0.001186338 notes=U details="Partially Unindexed Filter"
[20/Dec/2022:09:07:01.986680374 +0800] conn=2893 op=8 UNBIND
[20/Dec/2022:09:07:01.986743775 +0800] conn=2893 op=8 fd=73 closed error - U1
[20/Dec/2022:09:07:09.990796378 +0800] conn=2902 fd=73 slot=73 connection from 10.99.16.212 to 10.100.0.213
[20/Dec/2022:09:07:09.991696144 +0800] conn=2902 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms domaincontrollerfunctionality defaultnamingcontext lastusn highestcommittedusn aci"
[20/Dec/2022:09:07:09.993461062 +0800] conn=2902 op=0 RESULT err=0 tag=101 nentries=1 wtime=0.000704701 optime=0.001764919 etime=0.002467783
[20/Dec/2022:09:07:10.015698288 +0800] conn=4 op=14011 SRCH base="dc=wingon,dc=hk" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/wocfreeipa-rep.wingon.hk@WINGON.HK)(krbPrincipalName:caseIgnoreIA5Match:=host/wocfreeipa-rep.wingon.hk@WINGON.HK)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge uid nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink krbAuthIndMaxT..."
[20/Dec/2022:09:07:10.016098918 +0800] conn=4 op=14011 RESULT err=0 tag=101 nentries=1 wtime=0.000305749 optime=0.000403957 etime=0.000707230
[20/Dec/2022:09:07:10.016191408 +0800] conn=4 op=14012 SRCH base="cn=ipaConfig,cn=etc,dc=wingon,dc=hk" scope=0 filter="(objectClass=*)" attrs="ipaConfigString ipaKrbAuthzData ipaUserAuthType"
[20/Dec/2022:09:07:10.016264058 +0800] conn=4 op=14012 RESULT err=0 tag=101 nentries=1 wtime=0.000074145 optime=0.000073449 etime=0.000146247
[20/Dec/2022:09:07:10.016440110 +0800] conn=4 op=14013 SRCH base="cn=WINGON.HK,cn=kerberos,dc=wingon,dc=hk" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags krbAuthIndMaxTicketLife krbAuthIndMaxRenewableAge"
[20/Dec/2022:09:07:10.016523232 +0800] conn=4 op=14013 RESULT err=0 tag=101 nentries=1 wtime=0.000165771 optime=0.000084128 etime=0.000248720
[20/Dec/2022:09:07:10.016619153 +0800] conn=4 op=14014 SRCH base="dc=wingon,dc=hk" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/WINGON.HK@WINGON.HK)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/WINGON.HK@WINGON.HK)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge uid nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink krbAuthIndMaxT..."
[20/Dec/2022:09:07:10.016858822 +0800] conn=4 op=14014 RESULT err=0 tag=101 nentries=1 wtime=0.000084854 optime=0.000241017 etime=0.000324497
[20/Dec/2022:09:07:10.017103462 +0800] conn=4 op=14015 SRCH base="cn=Default Host Password Policy,cn=computers,cn=accounts,dc=wingon,dc=hk" scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration ipaPwdMaxRepeat ipaPwdMaxSequence ipaPwdDictCheck ipaPwdUserCheck"
[20/Dec/2022:09:07:10.017187893 +0800] conn=4 op=14015 RESULT err=0 tag=101 nentries=1 wtime=0.000230849 optime=0.000085268 etime=0.000315017
[20/Dec/2022:09:07:10.020212710 +0800] conn=4 op=14016 SRCH base="dc=wingon,dc=hk" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/wocfreeipa-rep.wingon.hk@WINGON.HK)(krbPrincipalName:caseIgnoreIA5Match:=host/wocfreeipa-rep.wingon.hk@WINGON.HK)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge uid nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink krbAuthIndMaxT..."
[20/Dec/2022:09:07:10.020466417 +0800] conn=4 op=14016 RESULT err=0 tag=101 nentries=1 wtime=0.003013741 optime=0.000255802 etime=0.003267500
[20/Dec/2022:09:07:10.020591401 +0800] conn=4 op=14017 SRCH base="cn=WINGON.HK,cn=kerberos,dc=wingon,dc=hk" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags krbAuthIndMaxTicketLife krbAuthIndMaxRenewableAge"
[20/Dec/2022:09:07:10.020669810 +0800] conn=4 op=14017 RESULT err=0 tag=101 nentries=1 wtime=0.000108579 optime=0.000079118 etime=0.000186522
[20/Dec/2022:09:07:10.020753948 +0800] conn=4 op=14018 SRCH base="dc=wingon,dc=hk" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/WINGON.HK@WINGON.HK)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/WINGON.HK@WINGON.HK)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge uid nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink krbAuthIndMaxT..."
[20/Dec/2022:09:07:10.020958618 +0800] conn=4 op=14018 RESULT err=0 tag=101 nentries=1 wtime=0.000073304 optime=0.000205858 etime=0.000277765
[20/Dec/2022:09:07:10.021085102 +0800] conn=4 op=14019 SRCH base="cn=Default Host Password Policy,cn=computers,cn=accounts,dc=wingon,dc=hk" scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration ipaPwdMaxRepeat ipaPwdMaxSequence ipaPwdDictCheck ipaPwdUserCheck"
[20/Dec/2022:09:07:10.021177866 +0800] conn=4 op=14019 RESULT err=0 tag=101 nentries=1 wtime=0.000113687 optime=0.000093503 etime=0.000205988
[20/Dec/2022:09:07:10.021564896 +0800] conn=4 op=14020 SRCH base="cn=ad,cn=trusts,dc=wingon,dc=hk" scope=2 filter="(objectClass=ipaNTTrustedDomain)" attrs=ALL
[20/Dec/2022:09:07:10.021654670 +0800] conn=4 op=14020 RESULT err=0 tag=101 nentries=0 wtime=0.000377619 optime=0.000090150 etime=0.000466425
[20/Dec/2022:09:07:10.021699049 +0800] conn=4 op=14021 SRCH base="dc=wingon,dc=hk" scope=2 filter="(objectClass=ipaNTDomainAttrs)" attrs="ipaNTFlatName ipaNTFallbackPrimaryGroup ipaNTSecurityIdentifier"
[20/Dec/2022:09:07:10.021789210 +0800] conn=4 op=14021 RESULT err=0 tag=101 nentries=1 wtime=0.000033059 optime=0.000090772 etime=0.000122672
[20/Dec/2022:09:07:10.021817723 +0800] conn=4 op=14022 SRCH base="cn=Default SMB Group,cn=groups,cn=accounts,dc=wingon,dc=hk" scope=0 filter="(objectClass=posixGroup)" attrs="ipaNTSecurityIdentifier"
[20/Dec/2022:09:07:10.021878910 +0800] conn=4 op=14022 RESULT err=0 tag=101 nentries=1 wtime=0.000019217 optime=0.000061583 etime=0.000079797
[20/Dec/2022:09:07:10.021921311 +0800] conn=4 op=14023 SRCH base="cn=ad,cn=trusts,dc=wingon,dc=hk" scope=2 filter="(objectClass=ipaNTTrustedDomain)" attrs="cn ipaNTTrustPartner ipaNTFlatName ipaNTTrustedDomainSID ipaNTSIDBlacklistIncoming ipaNTSIDBlacklistOutgoing ipaNTAdditionalSuffixes"
[20/Dec/2022:09:07:10.021965808 +0800] conn=4 op=14023 RESULT err=0 tag=101 nentries=0 wtime=0.000033882 optime=0.000044969 etime=0.000077912
[20/Dec/2022:09:07:10.022044667 +0800] conn=4 op=14024 SRCH base="fqdn=wocfreeipa-rep.wingon.hk,cn=computers,cn=accounts,dc=wingon,dc=hk" scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory ipaNTHomeDirectoryDrive"
[20/Dec/2022:09:07:10.022687128 +0800] conn=4 op=14024 RESULT err=0 tag=101 nentries=1 wtime=0.000068818 optime=0.000643252 etime=0.000710490
[20/Dec/2022:09:07:10.022752877 +0800] conn=4 op=14025 SRCH base="cn=wocfreeipa-rep.wingon.hk,cn=masters,cn=ipa,cn=etc,dc=wingon,dc=hk" scope=0 filter="(objectClass=*)" attrs=ALL
[20/Dec/2022:09:07:10.022838243 +0800] conn=4 op=14025 RESULT err=0 tag=101 nentries=1 wtime=0.000054231 optime=0.000085694 etime=0.000138864
[20/Dec/2022:09:07:10.029946069 +0800] conn=5 op=14493 SRCH base="dc=wingon,dc=hk" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/WINGON.HK@WINGON.HK)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/WINGON.HK@WINGON.HK)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge uid nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink krbAuthIndMaxT..."
[20/Dec/2022:09:07:10.030219553 +0800] conn=5 op=14493 RESULT err=0 tag=101 nentries=1 wtime=0.000121296 optime=0.000275911 etime=0.000395201
[20/Dec/2022:09:07:10.030268251 +0800] conn=5 op=14494 SRCH base="cn=ipaConfig,cn=etc,dc=wingon,dc=hk" scope=0 filter="(objectClass=*)" attrs="ipaConfigString ipaKrbAuthzData ipaUserAuthType"
[20/Dec/2022:09:07:10.030336598 +0800] conn=5 op=14494 RESULT err=0 tag=101 nentries=1 wtime=0.000031215 optime=0.000068977 etime=0.000099089
[20/Dec/2022:09:07:10.030768382 +0800] conn=5 op=14495 SRCH base="dc=wingon,dc=hk" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/wocfreeipa.wingon.hk@WINGON.HK)(krbPrincipalName:caseIgnoreIA5Match:=ldap/wocfreeipa.wingon.hk@WINGON.HK)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge uid nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink krbAuthIndMaxT..."
[20/Dec/2022:09:07:10.030989195 +0800] conn=5 op=14495 RESULT err=0 tag=101 nentries=1 wtime=0.000421257 optime=0.000221974 etime=0.000641717
[20/Dec/2022:09:07:10.031123610 +0800] conn=5 op=14496 SRCH base="cn=WINGON.HK,cn=kerberos,dc=wingon,dc=hk" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags krbAuthIndMaxTicketLife krbAuthIndMaxRenewableAge"
[20/Dec/2022:09:07:10.031186770 +0800] conn=5 op=14496 RESULT err=0 tag=101 nentries=1 wtime=0.000120839 optime=0.000064074 etime=0.000183859
[20/Dec/2022:09:07:10.031358975 +0800] conn=5 op=14497 SRCH base="dc=wingon,dc=hk" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/wocfreeipa-rep.wingon.hk@WINGON.HK)(krbPrincipalName:caseIgnoreIA5Match:=host/wocfreeipa-rep.wingon.hk@WINGON.HK)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge uid nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink krbAuthIndMaxT..."
[20/Dec/2022:09:07:10.031571493 +0800] conn=5 op=14497 RESULT err=0 tag=101 nentries=1 wtime=0.000161970 optime=0.000213966 etime=0.000374543
[20/Dec/2022:09:07:10.031681973 +0800] conn=5 op=14498 SRCH base="cn=WINGON.HK,cn=kerberos,dc=wingon,dc=hk" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags krbAuthIndMaxTicketLife krbAuthIndMaxRenewableAge"
[20/Dec/2022:09:07:10.031743948 +0800] conn=5 op=14498 RESULT err=0 tag=101 nentries=1 wtime=0.000097519 optime=0.000062644 etime=0.000159085
[20/Dec/2022:09:07:10.031878773 +0800] conn=5 op=14499 SRCH base="dc=wingon,dc=hk" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/wocfreeipa-rep.wingon.hk@WINGON.HK)(krbPrincipalName:caseIgnoreIA5Match:=host/wocfreeipa-rep.wingon.hk@WINGON.HK)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge uid nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink krbAuthIndMaxT..."
[20/Dec/2022:09:07:10.032077460 +0800] conn=5 op=14499 RESULT err=0 tag=101 nentries=1 wtime=0.000124982 optime=0.000199924 etime=0.000323568
[20/Dec/2022:09:07:10.032176837 +0800] conn=5 op=14500 SRCH base="cn=WINGON.HK,cn=kerberos,dc=wingon,dc=hk" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags krbAuthIndMaxTicketLife krbAuthIndMaxRenewableAge"
[20/Dec/2022:09:07:10.032238301 +0800] conn=5 op=14500 RESULT err=0 tag=101 nentries=1 wtime=0.000087171 optime=0.000062023 etime=0.000148123
[20/Dec/2022:09:07:10.034012232 +0800] conn=2902 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Dec/2022:09:07:10.036926445 +0800] conn=2902 op=1 RESULT err=14 tag=97 nentries=0 wtime=0.000064718 optime=0.002941882 etime=0.002997227, SASL bind in progress
[20/Dec/2022:09:07:10.038060714 +0800] conn=2902 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Dec/2022:09:07:10.039499069 +0800] conn=2902 op=2 RESULT err=14 tag=97 nentries=0 wtime=0.000044218 optime=0.001441734 etime=0.001484738, SASL bind in progress
[20/Dec/2022:09:07:10.040435379 +0800] conn=2902 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Dec/2022:09:07:10.041098083 +0800] conn=2902 op=3 RESULT err=0 tag=97 nentries=0 wtime=0.000047802 optime=0.000666679 etime=0.000712984 dn="fqdn=wocfreeipa-rep.wingon.hk,cn=computers,cn=accounts,dc=wingon,dc=hk"
[20/Dec/2022:09:07:10.042295210 +0800] conn=2902 op=4 SRCH base="cn=accounts,dc=wingon,dc=hk" scope=2 filter="(&(objectClass=ipaHost)(fqdn=wocfreeipa-rep.wingon.hk))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
[20/Dec/2022:09:07:10.042832144 +0800] conn=2902 op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000149915 optime=0.000542636 etime=0.000690704 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[20/Dec/2022:09:07:10.044294201 +0800] conn=2902 op=5 SRCH base="fqdn=wocfreeipa-rep.wingon.hk,cn=computers,cn=accounts,dc=wingon,dc=hk" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
[20/Dec/2022:09:07:10.046695424 +0800] conn=2902 op=5 RESULT err=0 tag=101 nentries=1 wtime=0.000256211 optime=0.002408597 etime=0.002662639 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[20/Dec/2022:09:07:10.048153236 +0800] conn=2902 op=6 SRCH base="cn=sudo,dc=wingon,dc=hk" scope=2 filter="(&(objectClass=ipasudocmdgrp)(entryusn>=48528))" attrs="objectClass ipaUniqueID cn member entryusn"
[20/Dec/2022:09:07:10.048497184 +0800] conn=2902 op=6 RESULT err=0 tag=101 nentries=0 wtime=0.000266476 optime=0.000350088 etime=0.000614736 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[20/Dec/2022:09:07:10.049804122 +0800] conn=2902 op=7 SRCH base="cn=sudo,dc=wingon,dc=hk" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(&(!(memberHost=*))(cn=defaults))(hostCategory=ALL)(memberHost=fqdn=wocfreeipa-rep.wingon.hk,cn=computers,cn=accounts,dc=wingon,dc=hk)(memberHost=cn=ipaservers,cn=hostgroups,cn=accounts,dc=wingon,dc=hk))(entryusn>=48528))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup externalUser entryusn"
[20/Dec/2022:09:07:10.049937748 +0800] conn=2902 op=7 RESULT err=0 tag=101 nentries=0 wtime=0.000160466 optime=0.000134985 etime=0.000293721 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[20/Dec/2022:09:07:42.714829570 +0800] conn=2903 fd=77 slot=77 connection from 10.99.16.212 to 10.100.0.213
[20/Dec/2022:09:07:42.716410368 +0800] conn=2903 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Dec/2022:09:07:42.719062214 +0800] conn=2903 op=0 RESULT err=14 tag=97 nentries=0 wtime=0.000296752 optime=0.002658509 etime=0.002953744, SASL bind in progress
[20/Dec/2022:09:07:42.720390029 +0800] conn=2903 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Dec/2022:09:07:42.721815084 +0800] conn=2903 op=1 RESULT err=14 tag=97 nentries=0 wtime=0.000144522 optime=0.001439333 etime=0.001582641, SASL bind in progress
[20/Dec/2022:09:07:42.722897026 +0800] conn=2903 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Dec/2022:09:07:42.723744910 +0800] conn=2903 op=2 RESULT err=0 tag=97 nentries=0 wtime=0.000127640 optime=0.000859431 etime=0.000986187 dn="krbprincipalname=ldap/wocfreeipa-rep.wingon.hk@wingon.hk,cn=services,cn=accounts,dc=wingon,dc=hk"
[20/Dec/2022:09:07:42.724977421 +0800] conn=2903 op=3 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
[20/Dec/2022:09:07:42.726362088 +0800] conn=2903 op=3 RESULT err=0 tag=101 nentries=1 wtime=0.000221790 optime=0.001390796 etime=0.001611222
[20/Dec/2022:09:07:42.727545779 +0800] conn=2903 op=4 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
[20/Dec/2022:09:07:42.728769895 +0800] conn=2903 op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000121031 optime=0.001225192 etime=0.001344844
[20/Dec/2022:09:07:42.730079779 +0800] conn=2903 op=5 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[20/Dec/2022:09:07:42.730775353 +0800] conn=2903 op=5 RESULT err=0 tag=120 nentries=0 wtime=0.000169992 optime=0.000719752 etime=0.000888391
[20/Dec/2022:09:07:42.734912005 +0800] conn=2903 op=6 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[20/Dec/2022:09:07:42.736623538 +0800] conn=2903 op=6 RESULT err=0 tag=120 nentries=0 wtime=0.000146762 optime=0.001721900 etime=0.001866327
[20/Dec/2022:09:07:42.970121954 +0800] conn=2903 op=7 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[20/Dec/2022:09:07:42.970504752 +0800] conn=2903 op=7 RESULT err=0 tag=120 nentries=0 wtime=0.000227076 optime=0.000389781 etime=0.000615871
[20/Dec/2022:09:07:42.974751272 +0800] conn=2903 op=8 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[20/Dec/2022:09:07:42.977352080 +0800] conn=2903 op=8 RESULT err=0 tag=120 nentries=0 wtime=0.000134289 optime=0.002611218 etime=0.002742205

yes, the corresponding RESULT line shows nentries=1 or nentries=0 of results

ldapsearch -D "cn=directory manager" -W -b ou=Groups,o=ipaca "(&(objectClass=groupofuniquenames)(uniqueMember=uid=ipara,ou=people,o=ipaca))"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=Groups,o=ipaca> with scope subtree
# filter: (&(objectClass=groupofuniquenames)(uniqueMember=uid=ipara,ou=people,o=ipaca))
# requesting: ALL
#

# Certificate Manager Agents, groups, ipaca
dn: cn=Certificate Manager Agents,ou=groups,o=ipaca
description: Agents for Certificate Manager
objectClass: top
objectClass: groupOfUniqueNames
cn: Certificate Manager Agents
uniqueMember: uid=admin,ou=People,o=ipaca
uniqueMember: uid=pkidbuser,ou=People,o=ipaca
uniqueMember: uid=ipara,ou=people,o=ipaca

# Registration Manager Agents, groups, ipaca
dn: cn=Registration Manager Agents,ou=groups,o=ipaca
description: Agents for Registration Manager
objectClass: top
objectClass: groupOfUniqueNames
cn: Registration Manager Agents
uniqueMember: uid=ipara,ou=people,o=ipaca

# Security Domain Administrators, groups, ipaca
dn: cn=Security Domain Administrators,ou=groups,o=ipaca
description: People who are the Security Domain administrators
objectClass: top
objectClass: groupOfUniqueNames
cn: Security Domain Administrators
uniqueMember: uid=admin,ou=People,o=ipaca
uniqueMember: uid=ipara,ou=people,o=ipaca

# Enterprise ACME Administrators, groups, ipaca
dn: cn=Enterprise ACME Administrators,ou=groups,o=ipaca
objectClass: top
objectClass: groupOfUniqueNames
cn: Enterprise ACME Administrators
description: ACME RA accounts
uniqueMember: uid=acme-wocfreeipa.wingon.hk,ou=people,o=ipaca
uniqueMember: uid=ipara,ou=People,o=ipaca

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 4
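
The timestamp check described in the reply above, as an added example (not part of the original thread and not FreeIPA or Dogtag code): it takes each "LDAPSession: reading <dn>" event from the PKI debug log, tests whether the directory server access log excerpt covers that time, and lists the SRCH/RESULT pairs on the same DN with their err and nentries values. Assumptions: the debug log timestamps use the same UTC offset as the access log, the 5-second slack is arbitrary, and all function names are illustrative.

```python
import re
from datetime import datetime, timedelta

# Excerpts from the two logs quoted in this thread (only a few lines kept).
PKI_DEBUG = """\
2022-12-20 08:49:32 [Timer-0] INFO: SessionTimer: checking security domain sessions
2022-12-20 08:52:50 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-5] INFO: Getting certificate 0x1
2022-12-20 08:52:50 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-5] INFO: LDAPSession: reading cn=1,ou=certificateRepository, ou=ca,o=ipaca
"""

DS_ACCESS = """\
[20/Dec/2022:09:02:42.692704846 +0800] conn=2900 op=5 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[20/Dec/2022:09:04:31.088542693 +0800] conn=19 op=5331 SRCH base="cn=1,ou=certificateRepository,ou=ca,o=ipaca" scope=0 filter="(objectClass=*)" attrs=ALL
[20/Dec/2022:09:04:31.088794885 +0800] conn=19 op=5331 RESULT err=0 tag=101 nentries=1 wtime=0.000131894 optime=0.000253526 etime=0.000383435
[20/Dec/2022:09:04:32.044788344 +0800] conn=27 op=3416 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
[20/Dec/2022:09:04:32.045037986 +0800] conn=27 op=3416 RESULT err=32 tag=101 nentries=0 wtime=0.000131158 optime=0.000252952 etime=0.000381325
[20/Dec/2022:09:07:42.977352080 +0800] conn=2903 op=8 RESULT err=0 tag=120 nentries=0 wtime=0.000134289 optime=0.002611218 etime=0.002742205
"""

ACCESS_TS = re.compile(r"^\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\.(\d+) ([+-]\d{4})\]")
ACCESS_OP = re.compile(r"conn=(\d+) op=(-?\d+) (SRCH|RESULT)\b(.*)$")
DEBUG_READ = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[[^\]]+\] \w+: LDAPSession: reading (.+)$")


def norm_dn(dn):
    """Lower-case a DN and drop spaces after commas so both logs compare equal."""
    return re.sub(r",\s+", ",", dn.strip()).lower()


def access_ts(line):
    """Timestamp of one access-log line, or None if the line carries none."""
    m = ACCESS_TS.match(line)
    if not m:
        return None
    day, frac, zone = m.groups()
    # strptime's %f accepts at most 6 digits; the access log writes nanoseconds.
    return datetime.strptime(f"{day}.{frac[:6]} {zone}", "%d/%b/%Y:%H:%M:%S.%f %z")


def paired_searches(access_text):
    """Join every SRCH line with its RESULT line on the (conn, op) pair."""
    ops = {}
    for line in access_text.splitlines():
        ts, m = access_ts(line), ACCESS_OP.search(line)
        if ts is None or m is None:
            continue
        key = (int(m.group(1)), int(m.group(2)))
        kind, rest = m.group(3), m.group(4)
        if kind == "SRCH":
            base = re.search(r'base="([^"]*)"', rest)
            ops[key] = {"time": ts, "base": norm_dn(base.group(1)) if base else "",
                        "err": None, "nentries": None}
        elif key in ops:  # RESULT of a search seen earlier in the excerpt
            err = re.search(r"\berr=(-?\d+)", rest)
            count = re.search(r"\bnentries=(\d+)", rest)
            ops[key]["err"] = int(err.group(1)) if err else None
            ops[key]["nentries"] = int(count.group(1)) if count else None
    return ops


def correlate(debug_text, access_text, slack_seconds=5):
    """For each DN read in the debug log, report coverage and matching searches."""
    stamps = [t for t in map(access_ts, access_text.splitlines()) if t]
    if not stamps:
        return []
    first, last = min(stamps), max(stamps)
    slack = timedelta(seconds=slack_seconds)
    searches = paired_searches(access_text)
    events = []
    for line in debug_text.splitlines():
        m = DEBUG_READ.match(line)
        if not m:
            continue
        # Assumption: the debug log is written in the access log's UTC offset.
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(
            tzinfo=first.tzinfo)
        dn = norm_dn(m.group(2))
        hits = sorted((conn, op, s["err"], s["nentries"])
                      for (conn, op), s in searches.items()
                      if s["base"] == dn and abs(s["time"] - when) <= slack)
        events.append({"time": when, "dn": dn, "matches": hits,
                       "covered": first - slack <= when <= last + slack})
    return events


if __name__ == "__main__":
    for event in correlate(PKI_DEBUG, DS_ACCESS):
        state = "covered" if event["covered"] else "NOT covered by access log"
        print(event["time"].isoformat(), event["dn"], state, event["matches"])
```
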
