Bug 2151071

Summary: 'Unable to log in as uid=admin-replica.testrealm.test,ou=people,o=ipaca' during replica install
Product: Red Hat Enterprise Linux 8
Reporter: Sudhir Menon <sumenon>
Component: 389-ds-base
Assignee: mreynolds
Status: CLOSED ERRATA
QA Contact: LDAP QA Team <idm-ds-qe-bugs>
Severity: high
Priority: high
Version: 8.8
CC: bsmejkal, idm-ds-dev-bugs, mreynolds, paul, pkis, tbordaz
Target Milestone: rc
Keywords: Regression, Triaged
Target Release: 8.8
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Whiteboard: sync-to-jira
Fixed In Version: 389-ds-1.4-8080020230103133349.6e2e7265
Doc Type: If docs needed, set a value
Last Closed: 2023-05-16 08:33:01 UTC
Type: Bug
Bug Blocks: 2144443

Description Sudhir Menon 2022-12-06 05:17:37 UTC
Description of problem: 'Unable to log in as uid=admin-replica.testrealm.test,ou=people,o=ipaca' during replica install

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Install IPA Server on RHEL7.9
2. Install IPA replica on RHEL8.8
3. Check the message displayed on the console.

Actual results:
2022-12-02T14:14:14+0000 [ipa_pytests.qe_class.QeHost.replica.cmd22] DEBUG   [3/30]: creating ACIs for admin
2022-12-02T14:14:14+0000 [ipa_pytests.qe_class.QeHost.replica.cmd22] DEBUG   [4/30]: creating installation admin user
2022-12-02T14:19:14+0000 [ipa_pytests.qe_class.QeHost.replica.cmd22] DEBUG Unable to log in as uid=admin-replica.testrealm.test,ou=people,o=ipaca on ldap://master.testrealm.test:389
2022-12-02T14:19:14+0000 [ipa_pytests.qe_class.QeHost.replica.cmd22] DEBUG   [error] NotFound: uid=admin-replica.testrealm.test,ou=people,o=ipaca did not replicate to ldap://master.testrealm.test:389
2022-12-02T14:19:14+0000 [ipa_pytests.qe_class.QeHost.replica.cmd22] DEBUG [hint] tune with replication_wait_timeout
2022-12-02T14:19:14+0000 [ipa_pytests.qe_class.QeHost.replica.cmd22] DEBUG uid=admin-replica.testrealm.test,ou=people,o=ipaca did not replicate to ldap://master.testrealm.test:389
2022-12-02T14:19:14+0000 [ipa_pytests.qe_class.QeHost.replica.cmd22] DEBUG The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
2022-12-02T14:19:14+0000 [ipa_pytests.qe_class.QeHost.replica.cmd22] DEBUG Your system may be partly configured.
2022-12-02T14:19:14+0000 [ipa_pytests.qe_class.QeHost.replica.cmd22] DEBUG Run /usr/sbin/ipa-server-install --uninstall to clean up.

Expected results:
ipa-replica-install should be successful.

Additional info:
The replica installer creates a temporary user uid=admin-replica.testrealm.test,ou=people,o=ipaca on the 8.8 replica, which gets replicated to the 7.9 master. To ensure the user is properly replicated, the installer performs a bind on the master with the password.
The problem is that the user is created with a password hashed using PBKDF2-SHA512, and if you try to do an LDAP bind on the 7.9 master the operation fails because this algorithm is not supported. As a consequence the replica installer assumes the user hasn't been replicated.
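
The check a practitioner would want before trusting the installer's "did not replicate" verdict is whether the master actually has an enabled password storage scheme plugin for the hash tag carried in the replicated entry's userPassword. The script below is an added example written for this page, not code from the FreeIPA installer or from 389-ds. It parses the output shape of two real ldapsearch queries (the master's enabled scheme plugins under cn=Password Storage Schemes,cn=plugins,cn=config, and the replicated entry's userPassword) and reports whether the verification bind can succeed. The embedded LDIF and the userPassword values are constructed sample data; the set of schemes an actual RHEL 7.9 master lists is whatever that server returns, and the host names are taken from the bug report.

```shell
#!/bin/sh
# Added example for bug 2151071; not FreeIPA installer or 389-ds code.
# Decide whether the master can verify the hash scheme used on a replicated
# entry, which is the precondition for the installer's bind check to pass.

# Real queries whose output the functions below consume (not run here):
#   ldapsearch -LLL -o ldif-wrap=no -x -D "cn=Directory Manager" -W \
#     -H ldap://master.testrealm.test:389 \
#     -b "cn=Password Storage Schemes,cn=plugins,cn=config" \
#     "(nsslapd-pluginEnabled=on)" cn
#   ldapsearch -LLL -o ldif-wrap=no -x -D "cn=Directory Manager" -W \
#     -H ldap://replica.testrealm.test:389 \
#     -b "uid=admin-replica.testrealm.test,ou=people,o=ipaca" userPassword

# Constructed sample of the first query's output. Illustrative only: the
# real list depends on the 389-ds version running on the master.
MASTER_SCHEMES_LDIF='dn: cn=SSHA512,cn=Password Storage Schemes,cn=plugins,cn=config
cn: SSHA512

dn: cn=PBKDF2_SHA256,cn=Password Storage Schemes,cn=plugins,cn=config
cn: PBKDF2_SHA256

dn: cn=CRYPT,cn=Password Storage Schemes,cn=plugins,cn=config
cn: CRYPT
'

# Constructed userPassword values (hash bodies shortened, not real hashes).
PW_NEW='{PBKDF2-SHA512}10000$c2FsdA==$aGFzaA=='
PW_OLD='{SSHA512}c2FsdGVkaGFzaA=='

# Print the {SCHEME} tag of a userPassword value, upper-cased. Accepts a raw
# value or an LDIF attribute line; a "userPassword::" line carries a base64
# value (LDIF encodes values it cannot print safely) and is decoded first.
# Returns 1 when there is no scheme tag at all.
hash_scheme() {
  val=$1
  case $val in
    "userPassword:: "*) val=$(printf '%s' "${val#userPassword:: }" | base64 -d) ;;
    "userPassword: "*)  val=${val#userPassword: } ;;
  esac
  case $val in
    \{*\}*) tag=${val#\{}; tag=${tag%%\}*}; printf '%s\n' "$tag" | tr 'a-z' 'A-Z' ;;
    *)      return 1 ;;
  esac
}

# $1 = userPassword value, $2 = LDIF listing the master's enabled scheme
# plugins. Exit 0 if the master lists that scheme, 1 if not, 2 if the value
# has no scheme tag. Comparison is exact: {PBKDF2-SHA512} and PBKDF2_SHA256
# are different plugins, which is precisely the mismatch in this bug.
scheme_supported_by_master() {
  scheme=$(hash_scheme "$1") || { echo "no {SCHEME} tag in userPassword"; return 2; }
  if printf '%s\n' "$2" | sed -n 's/^cn: //p' | tr 'a-z' 'A-Z' | grep -qx "$scheme"; then
    echo "OK: master has an enabled $scheme plugin; the bind check can succeed"
    return 0
  fi
  echo "FAIL: master has no enabled $scheme plugin; a bind as this entry will be rejected"
  return 1
}

# The installer's verification step, redone with the OpenLDAP client tools.
# $1 = master URL, $2 = bind DN, $3 = password. Network call; not run here.
verify_bind() {
  ldapwhoami -x -H "$1" -D "$2" -w "$3" >/dev/null 2>&1
}

# Demonstration on the constructed data.
scheme_supported_by_master "$PW_OLD" "$MASTER_SCHEMES_LDIF" || true
scheme_supported_by_master "$PW_NEW" "$MASTER_SCHEMES_LDIF" || true
```

Against a live pair of servers, feed the two ldapsearch outputs into scheme_supported_by_master; a FAIL result explains a "did not replicate" message that replication_wait_timeout will never cure, because the entry is present on the master and it is the bind, not replication, that fails.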

Comment 10 bsmejkal 2023-02-06 13:47:05 UTC
As per comment #c6 marking as VERIFIED.

Comment 11 Paul McIntyre 2023-02-15 15:46:46 UTC
Is there a workaround for this?

https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/IHIPPVMMIWV2TL7BNLW55XII3OIQ62HK/

The above kinda works but I'm struggling to get the timing right during the ipa-replica-install for the file update.

Comment 13 errata-xmlrpc 2023-05-16 08:33:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (389-ds:1.4 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2811