There is a bug in the logic that matches an incoming certificate with the user in the VOMS database. Even if the 'voms.skip-ca-check' flag is on, the user lookup logic ignores the flag and searches by certificate subject and issuer.