Detect usercertificate vs usercertificate;binary

[rcritten]

In this thread [1] a user reported that they couldn't enable ACME using ipa-acme-manage because it failed with a 403 error.

The normal troubleshooting steps turned up nothing. It was additional debugging added by the PKI team that showed that no certificate was found:

2021-11-05 11:15:14 [https-jsse-nio-8443-exec-26] INFO: LDAP search:
2021-11-05 11:15:14 [https-jsse-nio-8443-exec-26] INFO: - base DN: ou=people,o=ipaca
2021-11-05 11:15:14 [https-jsse-nio-8443-exec-26] INFO: - filter: (description=2;105;CN=Certificate Authority,O=PIPEBREAKER.PL;CN=IPA RA,O=PIPEBREAKER.PL)
2021-11-05 11:15:14 [https-jsse-nio-8443-exec-26] INFO: User: uid=ipara,ou=people,o=ipaca
2021-11-05 11:15:14 [https-jsse-nio-8443-exec-26] INFO: Validating cert data in uid=ipara,ou=people,o=ipaca
2021-11-05 11:15:14 [https-jsse-nio-8443-exec-26] WARNING: User uid=ipara,ou=people,o=ipaca has no certificates

That failing entry had;

dn: uid=ipara,ou=people,o=ipaca
description: 2;105;CN=Certificate Authority,O=PIPEBREAKER.PL;CN=IPA RA,O=PIPEBREAKER.PL
userCertificate;binary:: MIIDajCCAlKgAw…

The user dropped this attribute and replaced it with pure usercertificate and it works now.

This is confusing on multiple levels but I wonder if we can detect this situation and provide a suggestion.

[1][ https://lists.fedoraproject.org/archives/list/[email protected]/thread
/ALKXEHVTXSIFI4NLAONRVV36XOHV6S7U/