Bug 1638379 - PKI startup initialization process should not depend on LDAP operational attributes
Summary: PKI startup initialization process should not depend on LDAP operational attr...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.5
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: 7.7
Assignee: Fraser Tweedale
QA Contact: Asha Akkiangady
Docs Contact: Marc Muehlfeld
URL:
Whiteboard: GSSApproved
Depends On:
Blocks:
Reported: 2018-10-11 12:37 UTC by Thorsten Scherf
Modified: 2022-03-13 15:44 UTC (History)

Fixed In Version: pki-core-10.5.16-3.el7
Doc Type: Bug Fix
Doc Text:
.Certificate System starts even if the value in the `numSubordinates` attribute exceeds the number of profile entries
The LDAP `numSubordinates` operational attribute defines the expected number of profile entries. Previously, Certificate System did not start until all profiles and lightweight Certificate Authorities (CA) were loaded. As a consequence, if the value in the attribute exceeded the number of profile entries, the start process did not complete. With this update, a watchdog timer forces the start process to proceed after a short delay in the mentioned scenario, and Certificate System logs the unexpected condition. As a result, the Certificate System start process completes even when `numSubordinates` in the profiles or lightweight CA subtrees exceeds the number of entries in the search result.
Clone Of:
Environment:
Last Closed: 2019-08-06 13:07:19 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:2228 0 None None None 2019-08-06 13:07:40 UTC

Description Thorsten Scherf 2018-10-11 12:37:50 UTC
Description of problem:

The PKI fails to start when we have replication conflicts in the ou=certificateprofiles,ou=ca,o=ipaca subtree. LDAP conflict entries will add to the operational LDAP attribute 'numSubordinates'. As a result the number of actual cert profiles and leaf entries in this subtree is different.

The RfE is to not depend on the operational attribute for a successful PKI initialization.  

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 9 Fraser Tweedale 2019-04-04 02:05:22 UTC
Upstream PR: https://github.com/dogtagpki/pki/pull/188

Comment 10 Fraser Tweedale 2019-04-30 00:19:11 UTC
pushed to master:

    2157c4a54c486a8f433cb88b4501b8da603be004 Add watchdog timer for initial load of LWCAs
    3e922a9aed5640ee84dce17b2e30a5d6e4af4d08 LDAPProfileSubsystem: add watchdog timer for initial load


PRs for 10.6 and 10.5 branches:

10.6: https://github.com/dogtagpki/pki/pull/200
10.5: https://github.com/dogtagpki/pki/pull/201

Comment 11 Fraser Tweedale 2019-04-30 02:54:16 UTC
DOGTAG_10_6_BRANCH:

    530786c28e890c7457bc1379db54c9a59ccca346 Add watchdog timer for initial load of LWCAs
    ae7cc02eb1e7a9c20bb4291247b17714021e9449 LDAPProfileSubsystem: add watchdog timer for initial load

DOGTAG_10_5_BRANCH:

    54c15eb4eba3568eace3791d183f8d2700e5d04e Add watchdog timer for initial load of LWCAs
    758d2a7e551e532f464419d68306cf13e096fe85 LDAPProfileSubsystem: add watchdog timer for initial load

Moving to POST.

Comment 15 Geetika Kapoor 2019-06-25 11:58:22 UTC
Based on the fixes and customer usability, we have asked IPA to help with this BZ testing.

Comment 16 Nikhil Dehadrai 2019-06-28 05:48:12 UTC
IPA version: ipa-server-4.6.5-10.el7.x86_64

Verified the bug on the basis of the following observations:

Steps:
1) Setup IPA Master and Replica with CA
2) Stop IPA service on Master, # ipactl stop
3) On Replica, in order to create a conflicting replication entry, add the following LDIF file (in my case the file name is replicationadd.ldif):

dn: cn=caEncUserCertConflict,ou=certificateProfiles,ou=ca,o=ipaca
changetype: add
certProfileConfig:: [base64-encoded profile configuration omitted]
classId: caEnrollImpl
cn: caSigningUserCert
objectClass: top
objectClass: certProfile
objectClass: ldapsubentry

4) Used the ldapadd command to add the above LDIF file to the Replica, # ldapadd -x -D "cn=Directory Manager" -w Secret123 -H ldap://`hostname` -f replicationadd.ldif
5) Now stop IPA service on Replica, # ipactl stop
6) On IPA Master, start IPA service, # ipactl start
7) On IPA Master, create the same replicationadd.ldif file mentioned in step 3, and add it to IPA Master, # ldapadd -x -D "cn=Directory Manager" -w Secret123 -H ldap://`hostname` -f replicationadd.ldif
8) On IPA Replica, now start IPA service, # ipactl start


REPRODUCER:
-----------------------
RHEL75z (Replica), after step8, ipa service FAILs to start

[root@qe-blade-12 tmp]# rpm -q ipa-server
ipa-server-4.5.4-10.el7_5.4.4.x86_64
[root@qe-blade-12 tmp]# ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting httpd Service
Starting ipa-custodia Service
Starting ntpd Service
Starting pki-tomcatd Service

Failed to start pki-tomcatd Service
Shutting down
Hint: You can use --ignore-service-failure option for forced start in case that a non-critical service failed
Aborting ipactl



VALIDATION:
-----------------------
RHEL77RC (Replica), after step8, ipa service starts/ restarts successfully

[root@kvm-01-guest10 tmp]# rpm -q ipa-server
ipa-server-4.6.5-10.el7.x86_64
[root@kvm-01-guest10 tmp]# ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting httpd Service
Starting ipa-custodia Service
Starting ntpd Service
Starting pki-tomcatd Service
Starting ipa-otpd Service
Starting ipa-dnskeysyncd Service
[root@kvm-01-guest10 tmp]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful


Thus on the basis of above observations, marking status of bug to 'VERIFIED'.

Comment 23 errata-xmlrpc 2019-08-06 13:07:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2228
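
The startup behaviour described in the Doc Text, as a small model added here for illustration (not Dogtag's code): startup waits for as many entries as `numSubordinates` announces, and a watchdog lets it proceed when the search returns fewer. The names `InitialLoad` and `simulate_startup`, the entry counts, and the choice to restart the watchdog interval on every received entry are assumptions of this sketch.

```python
import logging
import threading

log = logging.getLogger("initial-load")  # hypothetical logger name


class InitialLoad:
    """Startup gate for entries delivered asynchronously by an LDAP search."""

    def __init__(self, expected, watchdog_seconds=None):
        self.expected = expected                  # value of numSubordinates
        self.watchdog_seconds = watchdog_seconds  # None models pre-fix behaviour
        self.loaded = 0
        self.forced = False
        self._cond = threading.Condition()

    def entry_loaded(self):
        """Search thread calls this once per entry it receives."""
        with self._cond:
            self.loaded += 1
            self._cond.notify_all()

    def wait_until_ready(self):
        """Block until `expected` entries arrived, or until the watchdog sees
        no new entry for `watchdog_seconds` and forces startup to proceed."""
        with self._cond:
            while self.loaded < self.expected:
                seen = self.loaded
                self._cond.wait(self.watchdog_seconds)
                if self.watchdog_seconds is not None and self.loaded == seen:
                    self.forced = True
                    log.warning("expected %d entries, got %d; proceeding",
                                self.expected, self.loaded)
                    break
            return self.loaded


def simulate_startup(num_subordinates, visible_entries, watchdog_seconds,
                     give_up_after=1.0):
    """Return (started, loaded, forced) for one constructed startup run."""
    gate = InitialLoad(num_subordinates, watchdog_seconds)
    starter = threading.Thread(target=gate.wait_until_ready, daemon=True)
    starter.start()
    for _ in range(visible_entries):      # entries the search actually returns
        gate.entry_loaded()
    starter.join(give_up_after)           # bound the demo; pre-fix never returns
    return (not starter.is_alive(), gate.loaded, gate.forced)
```

With a constructed `numSubordinates` of 4 and 3 visible entries, the run without a watchdog is still blocked when the demo gives up, while the run with a watchdog starts and records that it was forced.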

