Bug 1638379 - PKI startup initialization process should not depend on LDAP operational attributes
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.5
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: 7.7
Assignee: Fraser Tweedale
QA Contact: Asha Akkiangady
Docs Contact: Marc Muehlfeld
URL:
Whiteboard: GSSApproved
Depends On:
Blocks:
Reported: 2018-10-11 12:37 UTC by Thorsten Scherf
Modified: 2019-08-07 08:55 UTC (History)

Fixed In Version: pki-core-10.5.16-3.el7
Doc Type: Bug Fix
Doc Text:
.Certificate System starts even if the value in the `numSubordinates` attribute exceeds the number of profile entries

The LDAP `numSubordinates` operational attribute defines the expected number of profile entries. Previously, Certificate System did not start until all profiles and lightweight Certificate Authorities (CA) were loaded. As a consequence, if the value in the attribute exceeded the number of profile entries, the start process did not complete. With this update, a watchdog timer forces the start process to proceed after a short delay in the mentioned scenario, and Certificate System logs the unexpected condition. As a result, the Certificate System start process completes even when `numSubordinates` in the profiles or lightweight CA subtrees exceeds the number of entries in the search result.
Clone Of:
Environment:
Last Closed: 2019-08-06 13:07:19 UTC
Target Upstream Version:


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:2228 None None None 2019-08-06 13:07:40 UTC

Description Thorsten Scherf 2018-10-11 12:37:50 UTC
Description of problem:

The PKI fails to start when we have replication conflicts in the ou=certificateprofiles,ou=ca,o=ipaca subtree. LDAP conflict entries will add to the operational LDAP attribute 'numSubordinates'. As a result, the number of actual cert profiles and leaf entries in this subtree is different.

The RfE is to not depend on the operational attribute for a successful PKI initialization.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 9 Fraser Tweedale 2019-04-04 02:05:22 UTC
Upstream PR: https://github.com/dogtagpki/pki/pull/188

Comment 10 Fraser Tweedale 2019-04-30 00:19:11 UTC
pushed to master:

    2157c4a54c486a8f433cb88b4501b8da603be004 Add watchdog timer for initial load of LWCAs
    3e922a9aed5640ee84dce17b2e30a5d6e4af4d08 LDAPProfileSubsystem: add watchdog timer for initial load


PRs for 10.6 and 10.5 branches:

10.6: https://github.com/dogtagpki/pki/pull/200
10.5: https://github.com/dogtagpki/pki/pull/201

Comment 11 Fraser Tweedale 2019-04-30 02:54:16 UTC
DOGTAG_10_6_BRANCH:

    530786c28e890c7457bc1379db54c9a59ccca346 Add watchdog timer for initial load of LWCAs
    ae7cc02eb1e7a9c20bb4291247b17714021e9449 LDAPProfileSubsystem: add watchdog timer for initial load

DOGTAG_10_5_BRANCH:

    54c15eb4eba3568eace3791d183f8d2700e5d04e Add watchdog timer for initial load of LWCAs
    758d2a7e551e532f464419d68306cf13e096fe85 LDAPProfileSubsystem: add watchdog timer for initial load

Moving to POST.
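
The startup behaviour named in these commit titles and in the Doc Text, modelled as an added example (not code from the dogtagpki commits): a barrier that waits for as many entries as `numSubordinates` announces, with a watchdog that releases it and logs when the search returns fewer. The names `InitialLoadBarrier` and `simulate_startup`, the reset-on-each-entry policy and the 0.2 s delay are assumptions made for the illustration.

```python
import logging
import threading

log = logging.getLogger("initial-load")

class InitialLoadBarrier:
    """Holds startup until `expected` entries arrive or the watchdog expires."""

    def __init__(self, expected, delay):
        self.expected, self.delay = expected, delay  # expected = numSubordinates
        self.loaded, self.timed_out = 0, False
        self._gen, self._timer = 0, None
        self._lock, self._done = threading.Lock(), threading.Event()
        with self._lock:
            if expected <= 0:
                self._done.set()      # nothing to wait for
            else:
                self._arm()

    def _arm(self):  # caller holds the lock; restarts the watchdog countdown
        if self._timer:
            self._timer.cancel()
        self._gen += 1
        self._timer = threading.Timer(self.delay, self._expire, [self._gen])
        self._timer.daemon = True
        self._timer.start()

    def _expire(self, gen):
        with self._lock:
            if gen != self._gen or self._done.is_set():
                return  # stale timer, or the load already finished
            self.timed_out = True
            log.warning("initial load: expected %d entries, got %d; proceeding",
                        self.expected, self.loaded)
            self._done.set()

    def entry_loaded(self):
        with self._lock:
            self.loaded += 1
            if self.loaded >= self.expected:
                self._timer and self._timer.cancel()
                self._done.set()
            elif not self._done.is_set():
                self._arm()

    def wait(self):
        self._done.wait()
        return not self.timed_out  # False: released by the watchdog

def simulate_startup(num_subordinates, search_results, delay=0.2):
    """Constructed scenario: the search may return fewer entries than the counter."""
    barrier = InitialLoadBarrier(num_subordinates, delay)
    for _ in range(search_results):
        barrier.entry_loaded()
    return barrier.wait(), barrier.loaded
```

Without the watchdog, `wait()` in the mismatched case would block forever, which is the startup hang this bug reports.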

Comment 15 Geetika Kapoor 2019-06-25 11:58:22 UTC
Based on the fixes and customer usability, we have asked IPA to help with this BZ testing.

Comment 16 Nikhil Dehadrai 2019-06-28 05:48:12 UTC
IPA version: ipa-server-4.6.5-10.el7.x86_64

Verified the bug on the basis of the following observations:

Steps:
1) Setup IPA Master and Replica with CA
2) Stop IPA service on Master, # ipactl stop
3) On Replica, in order to create a conflicting replication entry, add the following ldif file (in my case the file name is replicationadd.ldif):

dn: cn=caEncUserCertConflict,ou=certificateProfiles,ou=ca,o=ipaca
changetype: add
classId: caEnrollImpl
cn: caSigningUserCert
objectClass: top
objectClass: certProfile
objectClass: ldapsubentry

4) Used ldapadd command to add the above ldif file to Replica, # ldapadd -x -D "cn=Directory Manager" -w Secret123 -H ldap://`hostname` -f replicationadd.ldif
5) Now stop IPA service on Replica, # ipactl stop
6) On IPA Master, start IPA service, # ipactl start
7) On IPA Master, create the same replicationadd.ldif file mentioned in step 3, and add it to IPA Master, # ldapadd -x -D "cn=Directory Manager" -w Secret123 -H ldap://`hostname` -f replicationadd.ldif
8) On IPA Replica, now start IPA service, # ipactl start


REPRODUCER:
-----------------------
RHEL75z (Replica), after step8, ipa service FAILs to start

[root@qe-blade-12 tmp]# rpm -q ipa-server
ipa-server-4.5.4-10.el7_5.4.4.x86_64
[root@qe-blade-12 tmp]# ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting httpd Service
Starting ipa-custodia Service
Starting ntpd Service
Starting pki-tomcatd Service

Failed to start pki-tomcatd Service
Shutting down
Hint: You can use --ignore-service-failure option for forced start in case that a non-critical service failed
Aborting ipactl



VALIDATION:
-----------------------
RHEL77RC (Replica), after step8, ipa service starts/ restarts successfully

[root@kvm-01-guest10 tmp]# rpm -q ipa-server
ipa-server-4.6.5-10.el7.x86_64
[root@kvm-01-guest10 tmp]# ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting httpd Service
Starting ipa-custodia Service
Starting ntpd Service
Starting pki-tomcatd Service
Starting ipa-otpd Service
Starting ipa-dnskeysyncd Service
[root@kvm-01-guest10 tmp]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful


Thus on the basis of above observations, marking status of bug to 'VERIFIED'.

Comment 23 errata-xmlrpc 2019-08-06 13:07:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2228

