Bug 1656758 - ipa-migrate command fails over ldaps
Summary: ipa-migrate command fails over ldaps
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: 389-ds-base
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: mreynolds
QA Contact: RHDS QE
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-12-06 09:30 UTC by Nikhil Dehadrai
Modified: 2018-12-13 12:21 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-12-13 12:21:28 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Description Nikhil Dehadrai 2018-12-06 09:30:58 UTC
Description of problem:
ipa-migrate command fails over ldaps when ds-migration tests are executed

Version-Release number of selected component (if applicable):
389-ds-base-1.4.0.18-2.el8+2083+08c28fa5.x86_64
ipa-4.7.1-5.module+el8+2239+1c5bd4cb

How reproducible:
Always

Steps to Reproduce:
1. Setup IPA server and IPA-Client
2. Configure client as DS
3. Initiate ipa-migrate-ds over ldaps

Actual results:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   migration over ldaps
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 08:10:22 ] :: [  BEGIN   ] :: Running 'sed -i 's/ca.crt/remoteds.crt/g' /etc/openldap/ldap.conf'
:: [ 08:10:22 ] :: [   PASS   ] :: Command 'sed -i 's/ca.crt/remoteds.crt/g' /etc/openldap/ldap.conf' (Expected 0, got 0)
:: [ 08:10:22 ] :: [  BEGIN   ] :: Running 'grep remoteds.crt /etc/openldap/ldap.conf'
TLS_CACERT /etc/ipa/remoteds.crt
:: [ 08:10:22 ] :: [   PASS   ] :: Command 'grep remoteds.crt /etc/openldap/ldap.conf' (Expected 0, got 0)
:: [ 08:10:22 ] :: [  BEGIN   ] :: Restarting httpd :: actually running 'service httpd restart'
Redirecting to /bin/systemctl restart httpd.service
:: [ 08:10:26 ] :: [   PASS   ] :: Restarting httpd (Expected 0, got 0)
:: [ 08:10:26 ] :: [  BEGIN   ] :: Running 'grep remoteds.crt /etc/openldap/ldap.conf'
TLS_CACERT /etc/ipa/remoteds.crt
:: [ 08:10:26 ] :: [   PASS   ] :: Command 'grep remoteds.crt /etc/openldap/ldap.conf' (Expected 0, got 0)
:: [ 08:10:27 ] :: [  BEGIN   ] :: Running 'ipa config-mod --enable-migration=TRUE'
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm.test
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: TRUE
  Certificate Subject base: O=TESTRELM.TEST
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash, KDC:Disable Last Success
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE
  IPA masters: auto-hv-01-guest04.testrelm.test
  IPA CA servers: auto-hv-01-guest04.testrelm.test
  IPA CA renewal master: auto-hv-01-guest04.testrelm.test
  IPA master capable of PKINIT: auto-hv-01-guest04.testrelm.test
:: [ 08:10:36 ] :: [   PASS   ] :: Command 'ipa config-mod --enable-migration=TRUE' (Expected 0, got 0)
:: [ 08:10:36 ] :: [  BEGIN   ] :: Running 'grep remoteds.crt /etc/openldap/ldap.conf'
TLS_CACERT /etc/ipa/remoteds.crt
:: [ 08:10:36 ] :: [   PASS   ] :: Command 'grep remoteds.crt /etc/openldap/ldap.conf' (Expected 0, got 0)
:: [ 08:10:36 ] :: [   LOG    ] :: EXECUTING: ipa migrate-ds --with-compat --user-container="ou=People,dc=example,dc=com" --group-container="ou=groups,dc=example,dc=com" ldaps://kvm-02-guest04.testrelm.test:636 --ca-cert-file=/etc/ipa/remoteds.crt --with-compat
:: [ 08:10:36 ] :: [  BEGIN   ] :: Running 'echo Secret123 | ipa migrate-ds --user-container="ou=People,dc=example,dc=com" --group-container="ou=groups,dc=example,dc=com" ldaps://kvm-02-guest04.testrelm.test:636 --ca-cert-file=/etc/ipa/remoteds.crt --with-compat'
ipa: ERROR: cannot connect to 'ldaps://kvm-02-guest04.testrelm.test:636': error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
:: [ 08:10:37 ] :: [   FAIL   ] :: Command 'echo Secret123 | ipa migrate-ds --user-container="ou=People,dc=example,dc=com" --group-container="ou=groups,dc=example,dc=com" ldaps://kvm-02-guest04.testrelm.test:636 --ca-cert-file=/etc/ipa/remoteds.crt --with-compat' (Expected 0, got 1)

Expected results:
1. ipa-migrate command over ldaps should be successful.

Additional info:
The issue was not observed in the RHEL76 test execution.
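As an added example (not part of the bug report or of FreeIPA), a pre-flight check for the failing step: it splits the `ipa: ERROR` line shown above into its OpenSSL components and, separately, opens the same ldaps TLS connection `migrate-ds` would open, using the file given to `--ca-cert-file` as the trust anchor, so a server-side handshake alert can be told apart from a CA-file or hostname problem. The function names are mine; the host names used in the test are those from the log.

```python
import re
import socket
import ssl
from urllib.parse import urlsplit

# Error line shape from the bug report; the OpenSSL part is error:<code>:<library>:<function>:<reason>.
_IPA_SSL_ERR = re.compile(
    r"ipa: ERROR: cannot connect to '(?P<uri>ldaps?://[^']+)': "
    r"error:(?P<code>[0-9A-Fa-f]+):SSL routines:(?P<func>[^:]+):(?P<reason>.+)$"
)

def parse_ldaps_uri(uri):
    """Return (host, port) for an ldaps:// URI; the port defaults to 636."""
    p = urlsplit(uri)
    if p.scheme != "ldaps" or not p.hostname:
        raise ValueError(f"not an ldaps:// URI: {uri}")
    return p.hostname, p.port or 636

def classify_ipa_error(line):
    """Split an 'ipa: ERROR: cannot connect ...' line into its OpenSSL parts.
    A server alert such as 'sslv3 alert handshake failure' is sent before the
    client has verified any certificate, so it points at the remote DS's TLS
    setup (no usable server cert, or no common protocol/cipher), not at the
    file passed to --ca-cert-file.
    """
    m = _IPA_SSL_ERR.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["server_alert"] = " alert " in d["reason"]
    return d

def probe_ldaps(uri, ca_cert_file=None, timeout=5.0):
    """Open the TLS connection migrate-ds would open and report the outcome.
    ca_cert_file plays the role of --ca-cert-file (None = system trust store);
    hostname verification stays on so a cert/URI mismatch is caught as well.
    """
    host, port = parse_ldaps_uri(uri)
    ctx = ssl.create_default_context(cafile=ca_cert_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"ok": True, "protocol": tls.version(), "cipher": tls.cipher()[0],
                        "not_after": tls.getpeercert().get("notAfter")}
    except ssl.SSLCertVerificationError as exc:  # our CA file / hostname problem
        return {"ok": False, "stage": "certificate", "detail": exc.verify_message}
    except ssl.SSLError as exc:  # server alert, e.g. SSLV3_ALERT_HANDSHAKE_FAILURE
        return {"ok": False, "stage": "handshake", "detail": exc.reason}
    except OSError as exc:  # DNS failure, connection refused, timeout
        return {"ok": False, "stage": "connect", "detail": str(exc)}
```

Run `probe_ldaps("ldaps://<ds-host>:636", "/etc/ipa/remoteds.crt")` on the IPA server before the migration; a result with stage "handshake" means the DS instance itself needs its TLS fixed, while stage "certificate" means the trust file or host name is wrong.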

Comment 4 Nikhil Dehadrai 2018-12-13 12:21:00 UTC
As per the suggestion from Viktor, the setupds.pl used in the ds-migration test suite is not supported in RHEL8, thus 'dscreate' was used to install the directory server, and the ds-migration over ldaps was successful.

Thus closing the bug.

LOG:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   migration over ldaps
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 07:11:34 ] :: [  BEGIN   ] :: Running 'sed -i 's/ca.crt/remoteds.crt/g' /etc/openldap/ldap.conf'
:: [ 07:11:34 ] :: [   PASS   ] :: Command 'sed -i 's/ca.crt/remoteds.crt/g' /etc/openldap/ldap.conf' (Expected 0, got 0)
:: [ 07:11:34 ] :: [  BEGIN   ] :: Restarting httpd :: actually running 'service httpd restart'
Redirecting to /bin/systemctl restart httpd.service
:: [ 07:11:37 ] :: [   PASS   ] :: Restarting httpd (Expected 0, got 0)
:: [ 07:11:38 ] :: [  BEGIN   ] :: Running 'ipa config-mod --enable-migration=TRUE'
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm.test
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: TRUE
  Certificate Subject base: O=TESTRELM.TEST
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash, KDC:Disable Last Success
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE
  IPA masters: auto-hv-01-guest03.testrelm.test
  IPA CA servers: auto-hv-01-guest03.testrelm.test
  IPA CA renewal master: auto-hv-01-guest03.testrelm.test
  IPA master capable of PKINIT: auto-hv-01-guest03.testrelm.test
:: [ 07:11:47 ] :: [   PASS   ] :: Command 'ipa config-mod --enable-migration=TRUE' (Expected 0, got 0)
:: [ 07:11:47 ] :: [   LOG    ] :: EXECUTING: ipa migrate-ds --with-compat --user-container="ou=People,dc=example,dc=com" --group-container="ou=groups,dc=example,dc=com" ldaps://hp-dl380pgen8-02-vm-13.testrelm.test:636 --ca-cert-file=/etc/ipa/remoteds.crt --with-compat
:: [ 07:11:47 ] :: [  BEGIN   ] :: Running 'echo Secret123 | ipa migrate-ds --user-container="ou=People,dc=example,dc=com" --group-container="ou=groups,dc=example,dc=com" ldaps://hp-dl380pgen8-02-vm-13.testrelm.test:636 --ca-cert-file=/etc/ipa/remoteds.crt --with-compat'
-----------
migrate-ds:
-----------
Migrated:
  user: puser1, puser2, philomena_hazen
  group: demo_group, group1, group2
Failed user:
Failed group:
----------
Passwords have been migrated in pre-hashed format.
IPA is unable to generate Kerberos keys unless provided
with clear text passwords. All migrated users need to
login at https://your.domain/ipa/migration/ before they
can use their Kerberos accounts.
:: [ 07:11:48 ] :: [   PASS   ] :: Command 'echo Secret123 | ipa migrate-ds --user-container="ou=People,dc=example,dc=com" --group-container="ou=groups,dc=example,dc=com" ldaps://hp-dl380pgen8-02-vm-13.testrelm.test:636 --ca-cert-file=/etc/ipa/remoteds.crt --with-compat' (Expected 0, got 0)
:: [ 07:11:48 ] :: [  BEGIN   ] :: Verifying puser1 was migrated :: actually running 'ipa user-show puser1'
  User login: puser1
  Last name: User1
  Home directory: /home/puser1
  Login shell: /bin/bash
  Principal name: puser1
  Principal alias: puser1
  UID: 1001
  GID: 1001
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: False
:: [ 07:11:49 ] :: [   PASS   ] :: Verifying puser1 was migrated (Expected 0, got 0)
:: [ 07:11:49 ] :: [  BEGIN   ] :: Verifying 'puser2' was migrated :: actually running 'ipa user-show puser2'
  User login: puser2
  Last name: User2
  Home directory: /home/puser2
  Login shell: /bin/bash
  Principal name: puser2
  Principal alias: puser2
  UID: 1002
  GID: 1002
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: False
:: [ 07:11:50 ] :: [   PASS   ] :: Verifying 'puser2' was migrated (Expected 0, got 0)
:: [ 07:11:51 ] :: [  BEGIN   ] :: Verifying 'philomena_hazen' was migrated :: actually running 'ipa user-show philomena_hazen'
  User login: philomena_hazen
  First name: Philomena
  Last name: Hazen
  Home directory: /home/Philomena_Hazen
  Login shell: /bin/sh
  Principal name: philomena_hazen
  Principal alias: philomena_hazen
  Email address: Philomena_Hazen
  UID: 18795
  GID: 28795
  Telephone Number: +1 206 660-3641
  Org. Unit: Human Resources
  Job Title: Senior Human Resources Accountant
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: False
:: [ 07:11:51 ] :: [   PASS   ] :: Verifying 'philomena_hazen' was migrated (Expected 0, got 0)
:: [ 07:11:52 ] :: [  BEGIN   ] :: Verifying group 'group1' was migrated :: actually running 'ipa group-show group1'
  Group name: group1
  GID: 1001
:: [ 07:11:52 ] :: [   PASS   ] :: Verifying group 'group1' was migrated (Expected 0, got 0)
:: [ 07:11:52 ] :: [  BEGIN   ] :: Verifying group 'group2' was migrated :: actually running 'ipa group-show group2'
  Group name: group2
  GID: 1002
:: [ 07:11:53 ] :: [   PASS   ] :: Verifying group 'group2' was migrated (Expected 0, got 0)
:: [ 07:11:53 ] :: [   LOG    ] :: Cleaning up migrated users
--------------------------------------------
Deleted user "puser1,puser2,philomena_hazen"
--------------------------------------------
ipa: ERROR: hr managers: group not found
Redirecting to /bin/systemctl restart httpd.service
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 25s
::   Assertions: 9 good, 0 bad
::   RESULT: PASS

** migration-over-ldaps PASS Score:0
Uploading resultoutputfile.log .done
/usr/bin/rhts-sync-set -s DONE
:: [ 07:12:03 ] :: [   LOG    ] :: Machine in recipe in not a SLAVE
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 107s
::   Assertions: 19 good, 0 bad
::   RESULT: PASS

