We use the FreeIPA servers as authentication source for Opestack Keystone. However, after the migration of our FreeIPA to CentOS 8 from CentOS 7, Openstack users cannot login. IPA Logs from the Openstack queries where I detected the different answer: CentOS 7 op=4 SRCH base="cn=groups,cn=compat,dc=example,dc=com" scope=2 filter="(&(cn=dev_admins)(cn=dev_admins)(objectClass=posixGroup))" attrs="cn description" op=4 RESULT err=0 tag=101 nentries=1 etime=0.000771612 op=5 SRCH base="cn=dev_admins,cn=groups,cn=compat,dc=example,dc=com" scope=0 filter="(objectClass=posixGroup)" attrs="memberUid" op=5 RESULT err=0 tag=101 nentries=1 etime=0.000322091 CentOS 8 op=4 SRCH base="cn=groups,cn=compat,dc=test,dc=example,dc=com" scope=2 filter="(&(cn=dev_admins)(cn=dev_admins)(objectClass=posixGroup))" attrs="cn description" op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000169800 optime=0.000829186 etime=0.000997334 op=5 SRCH base="cn=dev_admins,cn=groups,cn=compat,dc=test,dc=example,dc=com" scope=0 filter="(objectClass=posixGroup)" attrs="memberUid" op=5 RESULT err=0 tag=101 nentries=0 wtime=0.000131140 optime=0.000667892 etime=0.000794799 Notice that in CentOS 8 we have nentries=0 To reproduce the problem there is no need for Keystone or Openstack as it’s reproducible by a simple ldapsearch: CentOS 7 $ LDAPBASE="dc=example,dc=com" $ ldapsearch -v -H ldaps://localhost:636 -D "uid=appusers,cn=sysaccounts,cn=etc,${LDAPBASE}" -W -s base -b "cn=dev_admins,cn=groups,cn=compat,${LDAPBASE}" "(objectClass=posixGroup)" memberUid CentOS 8 $ LDAPBASE="dc=test,dc=example,dc=com" $ ldapsearch -v -H ldaps://localhost:636 -D "uid=appusers,cn=sysaccounts,cn=etc,${LDAPBASE}" -W -s base -b "cn=dev_admins,cn=groups,cn=compat,${LDAPBASE}" "(objectClass=posixGroup)" memberUid If using the “-s sub” scope in CentOS 8, we can see the group object, which make me thing that the “compat” branch is there and that it’s just a problem with the searching of the object Is there any possibility to fix this, or we should stick with CentOS 7?