According to the attached list of installed rpms:
389-ds-base-1.3.10.2-12.el7_9.x86_64 
pki-server-10.5.18-12.el7_9.noarch
ipa-server-4.6.8-5.el7_9.4.x86_64

The customer is hitting known issue Bug 1949136 - PKI instance creation failed with new 389-ds-base build [rhel-7.9.z] and should also apply pki (https://access.redhat.com/errata/RHBA-2021:2315) and ipa (https://access.redhat.com/errata/RHBA-2021:2324) updates.

As a general rule, please refer to https://access.redhat.com/articles/11258, especially the following sentence:
----- 8< -----
Applying package updates on Red Hat Enterprise Linux 7

Before installing an update, make sure all previously released errata relevant to the system have been applied.
----- >8 -----

Please let me know if it solves the issue, and I will close this BZ as a duplicate.

> Customer question.
> -----
> If these new versions fix a broken version of 389-ds-base-1.3.10.2-12.el7_9.x86_64, but why these packages did not get downloaded when we used below command?
> 
>    yum --security update   --downloadonly --downloaddir=/tmp/security_rpms  
> 
> even though 389-ds-base-1.3.10.2-12.el7_9.x86_64 broken version of RPM gets downloaded via patch update.
> -----

"yum update --downloadonly" doesn't apply the updates but only downloads the rpms. Extract from the man page yum(8):
----- 8< -----
       --downloadonly
              Download the resolved package set without performing any rpm transaction (install/upgrade/erase).
----- >8 -----

If the command to apply the updates was focused on 389-ds packages only, the other packages would not get updated (for instance dnf update /tmp/security_rpms/389-ds-*.rpm).

I am closing this issue as a duplicate of BZ #1949136.

*** This bug has been marked as a duplicate of bug 1949136 ***