Bug 1705125

Summary: ipa-replica-install with 389-ds-base-1.3.9.1-5.el7
Product: Red Hat Enterprise Linux 7
Reporter: Lukas Slebodnik <lslebodn>
Component: 389-ds-base
Assignee: thierry bordaz <tbordaz>
Status: CLOSED ERRATA
QA Contact: RHDS QE <ds-qe-bugs>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.7
CC: lkrispen, mreynolds, ndehadra, nkinder, pasik, rmeggins, spichugi, tbordaz, tmihinto, vashirov
Target Milestone: rc
Keywords: Regression, TestBlocker
Target Release: 7.7
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: 389-ds-base-1.3.9.1-6.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-08-06 12:59:17 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Lukas Slebodnik 2019-05-01 14:40:28 UTC
Description of problem:
The latest update of 389-ds-base causes failures with setup of ipa replica

Version-Release number of selected component (if applicable):
389-ds-base-1.3.9.1-5.el7.x86_64

How reproducible:
Deterministic

Steps to Reproduce:
1. # install ipa-server on one machine
2. # try to install replica on another machine
   e.g.
   /usr/sbin/ipa-replica-install -U --setup-ca --setup-dns -P admin -w Secret123

Actual results:
  [15/41]: configuring DNS plugin
  [16/41]: enabling entryUSN plugin
  [17/41]: configuring lockout plugin
  [18/41]: configuring topology plugin
  [19/41]: creating indices
  [20/41]: enabling referential integrity plugin
  [21/41]: configuring certmap.conf
  [22/41]: configure new location for managed entries
  [23/41]: configure dirsrv ccache
  [24/41]: enabling SASL mapping fallback
  [25/41]: restarting directory server
  [26/41]: creating DS keytab
  [error] NetworkError: cannot connect to 'ldaps://ibm-x3250m4-05.testrelm.test': 
ipapython.admintool: ERROR    cannot connect to 'ldaps://ibm-x3250m4-05.testrelm.test': 
ipapython.admintool: ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.


Expected results:
Replica installed without any problem

Comment 7 mreynolds 2019-05-01 14:59:23 UTC
This appears to be a regression of: 

   Bug 1668457 - CVE-2019-3883 389-ds-base: DoS via hanging secured connections


Assigning to Thierry...

Comment 17 Nikhil Dehadrai 2019-05-15 09:54:40 UTC
ipa version: ipa-server-4.6.5-8.el7.x86_64
389-ds package: 389-ds-base-1.3.9.1-6.el7.x86_64

Verified the bug on the basis of the following observations:
1. Verified that replica installation is successful.
2. Verified that the FAILURES observed at comment#11 are no longer observed; re-ran jobs thrice and on all three occasions replica installation is successful.


Thus, on the basis of the above observations, marking bug as "VERIFIED"

Comment 19 thierry bordaz 2019-07-10 16:14:09 UTC
Hi Nikhil,

This BZ was detected on 1.3.9.1-5 [1] and it was decided [2] to revert and rework 1668457.
This BZ was then successfully tested in 1.3.9.1-6 [3] and marked verified.
Later the reworked 1668457 patch was delivered in 1.3.9.1-10 [4]. Do you know if the test described in this BZ was retested with 1.3.9.1-10?

[1] https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=889394
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1705125#c15
[3] https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=895002
[4] https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=911344

Comment 22 errata-xmlrpc 2019-08-06 12:59:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2152