Bug 1754494 - ipa-replica-install does not enforce --server option
Summary: ipa-replica-install does not enforce --server option
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Florence Blanc-Renaud
QA Contact: ipa-qe
Marc Muehlfeld
Depends On:
Reported: 2019-09-23 12:25 UTC by Florence Blanc-Renaud
Modified: 2020-03-31 19:56 UTC (History)

Fixed In Version: ipa-4.6.6-7.el7
Doc Type: Bug Fix
Doc Text:
.The `ipa-replica-install` utility now verifies that the server specified in `--server` provides all required roles
The `ipa-replica-install` utility provides a `--server` option to specify the Identity Management (IdM) server which the installer should use for the enrollment. Previously, `ipa-replica-install` did not verify that the supplied server provided the certificate authority (CA) and key recovery authority (KRA) roles. As a consequence, the installer replicated domain data from the specified server and CA data from a different server that provided the CA and KRA roles. With this update, `ipa-replica-install` verifies that the specified server provides all required roles. As a result, if the administrator uses the `--server` option, `ipa-replica-install` only replicates data from the specified server.
Clone Of:
Last Closed: 2020-03-31 19:55:52 UTC
Target Upstream Version:


System: Red Hat Product Errata
ID: RHBA-2020:1083
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2020-03-31 19:56:20 UTC

Description Florence Blanc-Renaud 2019-09-23 12:25:57 UTC
Description of problem:
The command "ipa-replica-install --server server.example.com" does not enforce the --server parameter. When it is provided, the installation should contact only the master provided and refuse to execute if the master does not offer all the required services.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. install master with CA
2. install replica1 without CA
3. try to install replica2 from replica1, by specifying ipa-replica-install --server replica1

Actual results:
replica2 established replication for the domain data with replica1 and for the ipaca data with master.

Expected results:
replica2 should use only replica1 during its enrollment and promotion. If replica1 does not provide CA and KRA, the installation should refuse to proceed and provide a message explaining the reason.

Additional info:
See also BZ 1591824

Comment 2 Florence Blanc-Renaud 2019-09-23 12:27:33 UTC
Upstream ticket:

Comment 3 Florence Blanc-Renaud 2019-09-23 12:37:19 UTC
Fixed upstream

Comment 6 Florence Blanc-Renaud 2019-10-07 06:11:21 UTC
Test added upstream in ipatests/test_integration/test_installation.py::TestInstallReplicaAgainstSpecificServer

Fixed upstream

Comment 10 Florence Blanc-Renaud 2019-10-14 11:37:30 UTC
Test backported upstream:

Fixed upstream

Comment 11 Mohammad Rizwan 2019-12-13 09:35:47 UTC

1. Install master with ca and kra setup
2. Install replica1 without ca and stop ipa-custidia service on it.

scenario 1:
 3. Try to install replica2 with --setup-ca option from replica1 as a server

scenario 2:
 4. Install CA on replica1
 5. Try to install replica2 with --setup-kra option from replica1 as a server

scenario 3:
 6. Install replica2 against master

Scenario 1 and 2 failed and scenario 3 passed. Based on these observations marking the bug as verified.
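
The role check behind the expected results and the verification scenarios above, sketched as an added example (not part of the bug report and not FreeIPA's own code): it parses a role listing in the shape printed by `ipa server-role-find --server <fqdn>` and reports which roles the requested options need but the chosen server does not provide. The host names, the sample output, the assumed output layout and the mapping from `--setup-ca`/`--setup-kra` to required roles are constructed for illustration.

```python
import re

# Role names as listed by `ipa server-role-find` (output layout is an assumption).
CA_ROLE, KRA_ROLE = "CA server", "KRA server"

# Constructed sample: replica1 as in scenario 1 (no CA, no KRA).
SAMPLE_REPLICA1 = """\
----------------------
3 server roles matched
----------------------
  Server name: replica1.example.com
  Role name: CA server
  Role status: absent

  Server name: replica1.example.com
  Role name: DNS server
  Role status: enabled

  Server name: replica1.example.com
  Role name: KRA server
  Role status: absent
"""

FIELD = re.compile(r"^[ \t]*([^:\n]+):[ \t]*(.*\S)[ \t]*$", re.M)

def enabled_roles(output, server):
    """Return the set of roles reported as enabled for `server`."""
    roles = set()
    for block in re.split(r"\n\s*\n", output):
        fields = dict(FIELD.findall(block))
        if (fields.get("Server name", "").lower() == server.lower()
                and fields.get("Role status") == "enabled"):
            roles.add(fields["Role name"])
    return roles

def missing_roles(output, server, setup_ca=False, setup_kra=False):
    """Roles the new replica needs from `server` that it does not provide."""
    required = set()
    if setup_ca:
        required.add(CA_ROLE)
    if setup_kra:
        required.add(KRA_ROLE)
    return sorted(required - enabled_roles(output, server))

if __name__ == "__main__":
    gaps = missing_roles(SAMPLE_REPLICA1, "replica1.example.com", setup_ca=True)
    print("refuse: missing " + ", ".join(gaps) if gaps else "proceed")
```

A non-empty result corresponds to the cases where the fixed installer is expected to stop instead of silently taking CA data from another server.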

Comment 13 Florence Blanc-Renaud 2020-01-03 08:21:29 UTC
Test backported upstream

Comment 15 errata-xmlrpc 2020-03-31 19:55:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

