Bug 1877551

Summary: Missing parameters in the command to create an agreement with SSLCLIENTAUTH bind method.
Product: Red Hat Directory Server
Reporter: Têko Mihinto <tmihinto>
Component: 389-ds-base
Assignee: Simon Pichugin <spichugi>
Status: CLOSED ERRATA
QA Contact: RHDS QE <ds-qe-bugs>
Severity: medium
Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: unspecified
Version: 11.1
CC: gkimetto, minfrin, mreynolds, pasik, rhel-docs, sgouvern, spichugi
Target Milestone: DS11.3
Target Release: dirsrv-11.3
Hardware: Unspecified
OS: Unspecified
Whiteboard: sync-to-jira
Fixed In Version: redhat-ds-11-8040020210326143715.45c09202
Doc Type: Bug Fix
Doc Text:
.Creating replication agreements with certificate-based authentication now works as expected
Previously, the `lib389` library always checked if a bind distinguished name (DN) and password were provided when an administrator created a replication agreement. As a consequence, using the `dsconf` utility to create an agreement that uses certificate-based authentication failed. This update removes this incorrect requirement. As a result, you can create replication agreements that use certificate-based authentication as expected.
Last Closed: 2021-05-19 07:54:28 UTC
Type: Bug

Description Têko Mihinto 2020-09-09 19:54:39 UTC
Document URL:
    https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/configuring_replication_partners_to_use_certificate-based_authentication

Section Number and Name:
    5. Create a replication agreement on both servers that use certificate-based authentication:

Describe the issue:
The documented command to create the replication agreement is failing with the following message:
######
Error: You need to set the bind dn (--bind-dn) and the password (--bind-passwd) for bind method (sslclientauth)
######

Suggestions for improvement:
The customer had to add the missing parameters to make the command work.
Please update the commands in the RHDS documentation.

Additional information:
    https://pagure.io/389-ds-base/blob/389-ds-base-1.4.2/f/src/lib389/lib389/cli_conf/replication.py#_691
====================================================================
    # We do need the bind dn and credentials for none-sasl bind methods
    if (bind_method in ('simple', 'sslclientauth')) and (args.bind_dn is None or args.bind_passwd is None):
        raise ValueError("You need to set the bind dn (--bind-dn) and the password (--bind-passwd) for bind method ({})".format(bind_method))
====================================================================
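The check quoted above is the whole bug: it treats SSLCLIENTAUTH like SIMPLE and demands a bind DN and password, although with certificate-based authentication the server maps the client certificate to the replication manager entry and no password is sent. The following is an added illustration, not lib389's code and not the upstream fix (that is in the linked issue): it parses the `dsconf repl-agmt create` option subset that appears on this page with `argparse`, runs the rejected check (`old_check`) and a corrected check (`new_check`) over command lines constructed from comments 12 and 13, and, as an extra assumption of this example only, makes the corrected check refuse SSLCLIENTAUTH over plain LDAP, since a client certificate can only be presented on a TLS connection. The option defaults (`--conn-protocol`, `--bind-method`) and the accepted protocol names are assumptions for the illustration, not a statement about dsconf's real defaults.

```python
"""Stand-alone model of the lib389 bind-method check from bug 1877551.

Added illustration: not lib389's code and not the upstream fix. It only
models the dsconf flags that appear in this bug report.
"""
import argparse
import shlex


def parse_repl_agmt_args(cmdline):
    """Parse the 'dsconf ... repl-agmt create' options used on this page.

    Everything before the 'create' word (-D <root DN>, instance name,
    'repl-agmt') is the dsconf preamble and is skipped.
    """
    argv = shlex.split(cmdline)
    argv = argv[argv.index("create") + 1:]
    parser = argparse.ArgumentParser(prog="dsconf repl-agmt create",
                                     add_help=False, allow_abbrev=False)
    parser.add_argument("--suffix", required=True)
    parser.add_argument("--host", required=True)
    parser.add_argument("--port", type=int, required=True)
    parser.add_argument("--conn-protocol", default="LDAP")    # default assumed here
    parser.add_argument("--bind-dn")
    parser.add_argument("--bind-passwd")
    parser.add_argument("--bind-method", default="SIMPLE")    # default assumed here
    parser.add_argument("--init", action="store_true")
    parser.add_argument("agmt_name")
    return parser.parse_args(argv)


def old_check(args):
    """The check quoted from lib389 1.4.2 replication.py in the description:
    it demands a DN and password for every non-SASL bind method, so an
    SSLCLIENTAUTH agreement without --bind-dn/--bind-passwd is rejected."""
    bind_method = args.bind_method.lower()
    if bind_method in ("simple", "sslclientauth") and (args.bind_dn is None or args.bind_passwd is None):
        raise ValueError("You need to set the bind dn (--bind-dn) and the password "
                         "(--bind-passwd) for bind method ({})".format(bind_method))


def new_check(args):
    """Corrected check for this illustration: DN and password are required only
    for SIMPLE. For SSLCLIENTAUTH the certificate is the credential, so instead
    we require a TLS transport (assumed protocol names: LDAPS or StartTLS)."""
    bind_method = args.bind_method.lower()
    if bind_method == "simple" and (args.bind_dn is None or args.bind_passwd is None):
        raise ValueError("You need to set the bind dn (--bind-dn) and the password "
                         "(--bind-passwd) for bind method ({})".format(bind_method))
    if bind_method == "sslclientauth" and args.conn_protocol.lower() not in ("ldaps", "starttls"):
        raise ValueError("bind method sslclientauth needs a TLS connection "
                         "(--conn-protocol=LDAPS or StartTLS), got {}".format(args.conn_protocol))


def rejection(cmdline, checker):
    """Return the error message `checker` raises for `cmdline`, or None if accepted."""
    try:
        checker(parse_repl_agmt_args(cmdline))
    except ValueError as err:
        return str(err)
    return None


# Constructed from the commands in comments 12 and 13; placeholders are filled
# with example values and the hosts do not exist (nothing is contacted).
SIMPLE_CMD = ('dsconf -D "cn=Directory Manager" server1 repl-agmt create '
              '--suffix="dc=example,dc=com" --host=server2.example.com --port=636 '
              '--conn-protocol=LDAPS --bind-dn="cn=Replication Manager,cn=config" '
              '--bind-passwd="password" --bind-method=SIMPLE --init temporary_agreement')
CERT_CMD = ('dsconf -D "cn=Directory Manager" server1 repl-agmt create '
            '--suffix="dc=example,dc=com" --host=server2.example.com --port=1636 '
            '--conn-protocol=LDAPS --bind-method="SSLCLIENTAUTH" --init example_agreement')
# Same agreement over plaintext LDAP: a client certificate cannot be presented here.
CERT_PLAINTEXT_CMD = CERT_CMD.replace("--port=1636 --conn-protocol=LDAPS",
                                      "--port=389 --conn-protocol=LDAP")

if __name__ == "__main__":
    for label, cmd in (("SIMPLE", SIMPLE_CMD),
                       ("SSLCLIENTAUTH over LDAPS", CERT_CMD),
                       ("SSLCLIENTAUTH over LDAP", CERT_PLAINTEXT_CMD)):
        print("{}:\n  old check   -> {!r}\n  fixed check -> {!r}".format(
            label, rejection(cmd, old_check), rejection(cmd, new_check)))
```

Running the block prints the documented error for the certificate-based command under the old check and `None` under the corrected one, while the SIMPLE command passes both; the plaintext variant is rejected by both, but for different reasons (missing DN versus missing TLS).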

Comment 3 mreynolds 2020-10-06 13:25:01 UTC
*** Bug 1885547 has been marked as a duplicate of this bug. ***

Comment 4 mreynolds 2020-10-29 13:28:10 UTC
Upstream ticket:

https://github.com/389ds/389-ds-base/issues/4412

Comment 6 Simon Pichugin 2021-02-17 13:01:43 UTC
Looks good to me!
Thank you!

Comment 12 Gilbert Kimetto 2021-05-03 20:13:26 UTC
Build tested:
389-ds-base-1.4.3.22-1.module+el8dsrv+10501+8ce33e95.x86_64
389-ds-base-debuginfo-1.4.3.22-1.module+el8dsrv+10501+8ce33e95.x86_64
389-ds-base-libs-1.4.3.22-1.module+el8dsrv+10501+8ce33e95.x86_64


STEPS:
1.) Setup 2 DS instances
2.) Configured replication as outlined in the documentation:
    SECTION: 15.5. CONFIGURING REPLICATION PARTNERS TO USE CERTIFICATE-BASED AUTHENTICATION
3.) Verified that the step that had an invalid command now succeeds with the correct instructions
     dsconf -D "cn=Directory Manager" <instance_1> repl-agmt create --suffix=<suffix 1> --host=<host1> --port=636 --conn-protocol=LDAPS --bind-dn="cn=Replication Manager,cn=config" --bind-passwd="password" --bind-method=SIMPLE --init temporary_agreement
4.) Verify command succeeds:

    Successfully created replication agreement "temporary_agreement"


marking as VERIFIED

Comment 13 Gilbert Kimetto 2021-05-04 00:33:44 UTC

Build tested:
389-ds-base-1.4.3.22-1.module+el8dsrv+10501+8ce33e95.x86_64
389-ds-base-debuginfo-1.4.3.22-1.module+el8dsrv+10501+8ce33e95.x86_64
389-ds-base-libs-1.4.3.22-1.module+el8dsrv+10501+8ce33e95.x86_64


STEPS:
1.) Setup 2 DS instances
2.) Configured replication as outlined in the documentation:
    SECTION: 15.5. CONFIGURING REPLICATION PARTNERS TO USE CERTIFICATE-BASED AUTHENTICATION
3.) Verified that the step that had an invalid command now succeeds with the correct instructions
     dsconf -D "cn=Directory Manager" <instance_1> repl-agmt create --suffix=<suffix 1> --host=<host1> --port=636 --conn-protocol=LDAPS --bind-dn="cn=Replication Manager,cn=config" --bind-passwd="password" --bind-method=SIMPLE --init temporary_agreement
    dsconf -D "cn=Directory Manager" <instance1> repl-agmt create --suffix="dc=<suffix>" --host="<hostname>" --port=1636 --conn-protocol=LDAPS --bind-method="SSLCLIENTAUTH" --init example_agreement
Successfully created replication agreement "example_agreement"
Agreement initialization started...


4.) Verify command succeeds:


marking as VERIFIED

Comment 15 errata-xmlrpc 2021-05-19 07:54:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (redhat-ds:11 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2021:2038