1754494 – ipa-replica-install does not enforce --server option

Bug 1754494 - ipa-replica-install does not enforce --server option

Summary: ipa-replica-install does not enforce --server option

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.7
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Florence Blanc-Renaud
QA Contact:	ipa-qe
Docs Contact:	Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-09-23 12:25 UTC by Florence Blanc-Renaud
Modified:	2020-03-31 19:56 UTC (History)
CC List:	5 users (show)
Fixed In Version:	ipa-4.6.6-7.el7
Doc Type:	Bug Fix
Doc Text:	.The `ipa-replica-install` utility now verifies that the server specified in `--server` provides all required roles The `ipa-replica-install` utility provides a `--server` option to specify the Identity Management (IdM) server which the installer should use for the enrollment. Previously, `ipa-replica-install` did not verify that the supplied server provided the certificate authority (CA) and key recovery authority (KRA) roles. As a consequence, the installer replicated domain data from the specified server and CA data from a different server that provided the CA and KRA roles. With this update, `ipa-replica-install` verifies that the specified server provides all required roles. As a result, if the administrator uses the `--server` option, `ipa-replica-install` only replicates data from the specified server.
Clone Of:
Environment:
Last Closed:	2020-03-31 19:55:52 UTC
Target Upstream Version:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2020:1083	0	None	None	None	2020-03-31 19:56:20 UTC

Description Florence Blanc-Renaud 2019-09-23 12:25:57 UTC

Description of problem:
The command "ipa-replica-install --server server.example.com" does not enforce the --server parameter. When it is provided, the installation should contact only the master provided and refuse to execute if the master does not offer all the required services.


Version-Release number of selected component (if applicable):
ipa-4.6.5-11.el7

How reproducible:
Always

Steps to Reproduce:
1. install master with CA
2. install replica1 without CA
3. try to install replica2 from replica1, by specifying ipa-replica-install --server replica1

Actual results:
replica2 established replication for the domain data with replica1 and for the ipaca data with  master.

Expected results:
replica2 should use only replica1 during its enrollment and promotion. If replica1 does not provide CA and KRA, the installation should refuse to proceed and provide a message explaining the reason.

Additional info:
See also BZ 1591824

Comment 2 Florence Blanc-Renaud 2019-09-23 12:27:33 UTC

Upstream ticket:
https://pagure.io/freeipa/issue/7566

Comment 3 Florence Blanc-Renaud 2019-09-23 12:37:19 UTC

Fixed upstream
master:
https://pagure.io/freeipa/c/802e54dd0e33be6015b22853767fc37a9ec02f39

Comment 4 Rob Crittenden 2019-09-23 17:53:08 UTC

ipa-4-8:
https://pagure.io/freeipa/c/c845ef07892eb22118f381e9cb1f05b017099896
ipa-4-7:
https://pagure.io/freeipa/c/6c5e72aee4dffb353b79b99324858bf2a1ec7314
ipa-4-6:
https://pagure.io/freeipa/c/22e4eef6cb54c74fc9907db1385549db670094fa

Comment 6 Florence Blanc-Renaud 2019-10-07 06:11:21 UTC

Test added upstream in  ipatests/test_integration/test_installation.py::TestInstallReplicaAgainstSpecificServer

Fixed upstream
master:
https://pagure.io/freeipa/c/c2c1000e2d5481d4be377feb12588fdb09d12de0
https://pagure.io/freeipa/c/c77bbe7899577cb14b42625953f1b9a868e6f237

Comment 9 Florence Blanc-Renaud 2019-10-14 08:55:19 UTC

Test backported upstream:

Fixed upstream
ipa-4-8:
https://pagure.io/freeipa/c/b6134e86b377a2804efbfac1d78091a460898d0c
https://pagure.io/freeipa/c/b585e58b845ccecd48934f55c664a12b8ed06fc8

ipa-4-7:
https://pagure.io/freeipa/c/e12fa0b88371962e3684c6b932980c3ac0ab8e1d
https://pagure.io/freeipa/c/16c794d8a3d7d690883da5b29c5c04a203a2b8db

Comment 10 Florence Blanc-Renaud 2019-10-14 11:37:30 UTC

Test backported upstream:

Fixed upstream
ipa-4-6:
https://pagure.io/freeipa/c/f4dc0ee169689974020a4a77b8bb58b26f360369
https://pagure.io/freeipa/c/9b3855ec486990ecd08a9f3a0ca408425ee7fbf7

Comment 11 Mohammad Rizwan 2019-12-13 09:35:47 UTC

version:
ipa-server-4.6.6-11.el7.x86_64

Steps:
1. Install master with ca and kra setup
2. Install replica1 without ca and stop ipa-custidia service on it.

scenario 1:
 3. Try to install replica2 with --setup-ca option from replica1 as a server

scenario 2:
 4. Install CA on replica1
 5. Try to install replica2 with --setup-kra option form replica1 as a server

scenario 3:
 6. Install replica2 against master


Scenario 1 and 2 failed and scenario 3 passed. Based on these observations marking the bug as verified.

Comment 13 Florence Blanc-Renaud 2020-01-03 08:21:29 UTC

Test backported upstream
ipa-4-6:
https://pagure.io/freeipa/c/0d91a78ee409e66f96e7b2555ca33fb2128fdfa3

Comment 15 errata-xmlrpc 2020-03-31 19:55:52 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1083

Note You need to log in before you can comment on or make changes to this bug.