Bug 1705125 - ipa-replica-install with 389-ds-base-1.3.9.1-5.el7
Summary: ipa-replica-install with 389-ds-base-1.3.9.1-5.el7
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.7
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: 7.7
Assignee: thierry bordaz
QA Contact: RHDS QE
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-05-01 14:40 UTC by Lukas Slebodnik
Modified: 2019-08-06 12:59 UTC (History)
10 users (show)

Fixed In Version: 389-ds-base-1.3.9.1-6.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-06 12:59:17 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:2152 None None None 2019-08-06 12:59:29 UTC

Description Lukas Slebodnik 2019-05-01 14:40:28 UTC
Description of problem:
The latest update of 389-ds-base cause failures with setup of ipa replica

Version-Release number of selected component (if applicable):
389-ds-base-1.3.9.1-5.el7.x86_64

How reproducible:
Deterministic

Steps to Reproduce:
1. # install ipa-server on one machine
2. # try to install replica on another machine
   e.g.
   /usr/sbin/ipa-replica-install -U --setup-ca --setup-dns -P admin -w Secret123

Actual results:
  [15/41]: configuring DNS plugin
  [16/41]: enabling entryUSN plugin
  [17/41]: configuring lockout plugin
  [18/41]: configuring topology plugin
  [19/41]: creating indices
  [20/41]: enabling referential integrity plugin
  [21/41]: configuring certmap.conf
  [22/41]: configure new location for managed entries
  [23/41]: configure dirsrv ccache
  [24/41]: enabling SASL mapping fallback
  [25/41]: restarting directory server
  [26/41]: creating DS keytab
  [error] NetworkError: cannot connect to 'ldaps://ibm-x3250m4-05.testrelm.test': 
ipapython.admintool: ERROR    cannot connect to 'ldaps://ibm-x3250m4-05.testrelm.test': 
ipapython.admintool: ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.


Expected results:
Replica installed without any problem

Comment 7 mreynolds 2019-05-01 14:59:23 UTC
This appears to be a regression of: 

   Bug 1668457 - CVE-2019-3883 389-ds-base: DoS via hanging secured connections


Assigning to Thierry...

Comment 17 Nikhil Dehadrai 2019-05-15 09:54:40 UTC
ipa version: ipa-server-4.6.5-8.el7.x86_64
389-ds package: 389-ds-base-1.3.9.1-6.el7.x86_64

Verified the bug on the basis of following observations:
1. Verified that replica installation is successful.
2. Verified that the FIALURES observed at comment#11 are no more observed, re-ran jobs thrice and all the three occasion replica installation is successful.


Thus on the basis of above observations , marking bug to "VERIFIED"

Comment 19 thierry bordaz 2019-07-10 16:14:09 UTC
Hi Nikhil,

This BZ was detected on 1.3.9.1-5 [1] and was decided [2] to revert and rework 1668457.
This BZ was then successfully tested in 1.3.9.1-6 [3] and marked verified.
Later the reworked 1668457 patch was delivered in 1.3.9.1-10 [4]. Do you know if the test described in this BZ was retested with 1.3.9.1-10 ?

[1] https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=889394
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1705125#c15
[3] https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=895002
[4] https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=911344

Comment 22 errata-xmlrpc 2019-08-06 12:59:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2152


Note You need to log in before you can comment on or make changes to this bug.