Bug 2151071 - 'Unable to log in as uid=admin-replica.testrealm.test,ou=people,o=ipaca' during replica install
Status: VERIFIED
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: 389-ds-base
Version: 8.8
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: 8.8
Assignee: mreynolds
QA Contact: LDAP QA Team
Whiteboard: sync-to-jira
Blocks: 2144443
Reported: 2022-12-06 05:17 UTC by Sudhir Menon
Modified: 2023-02-15 15:46 UTC (History)

Fixed In Version: 389-ds-1.4-8080020230103133349.6e2e7265
Type: Bug
Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker IDMDS-2735 0 None None None 2023-01-18 19:10:06 UTC
Red Hat Issue Tracker IDMDS-2765 0 None None None 2023-02-06 14:00:55 UTC
Red Hat Issue Tracker RHELPLAN-141373 0 None None None 2022-12-06 05:42:56 UTC

Description Sudhir Menon 2022-12-06 05:17:37 UTC
Description of problem: 'Unable to log in as uid=admin-replica.testrealm.test,ou=people,o=ipaca' during replica install

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Install IPA Server on RHEL7.9
2. Install IPA replica on RHEL8.8
3. Check the message displayed on the console.

Actual results:
2022-12-02T14:14:14+0000 [ipa_pytests.qe_class.QeHost.replica.cmd22] DEBUG   [3/30]: creating ACIs for admin
2022-12-02T14:14:14+0000 [ipa_pytests.qe_class.QeHost.replica.cmd22] DEBUG   [4/30]: creating installation admin user
2022-12-02T14:19:14+0000 [ipa_pytests.qe_class.QeHost.replica.cmd22] DEBUG Unable to log in as uid=admin-replica.testrealm.test,ou=people,o=ipaca on ldap://master.testrealm.test:389
2022-12-02T14:19:14+0000 [ipa_pytests.qe_class.QeHost.replica.cmd22] DEBUG   [error] NotFound: uid=admin-replica.testrealm.test,ou=people,o=ipaca did not replicate to ldap://master.testrealm.test:389
2022-12-02T14:19:14+0000 [ipa_pytests.qe_class.QeHost.replica.cmd22] DEBUG [hint] tune with replication_wait_timeout
2022-12-02T14:19:14+0000 [ipa_pytests.qe_class.QeHost.replica.cmd22] DEBUG uid=admin-replica.testrealm.test,ou=people,o=ipaca did not replicate to ldap://master.testrealm.test:389
2022-12-02T14:19:14+0000 [ipa_pytests.qe_class.QeHost.replica.cmd22] DEBUG The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
2022-12-02T14:19:14+0000 [ipa_pytests.qe_class.QeHost.replica.cmd22] DEBUG Your system may be partly configured.
2022-12-02T14:19:14+0000 [ipa_pytests.qe_class.QeHost.replica.cmd22] DEBUG Run /usr/sbin/ipa-server-install --uninstall to clean up.

Expected results:
ipa-replica-install should be successful.

Additional info:
The replica installer creates a temporary user uid=admin-replica.testrealm.test,ou=people,o=ipaca on the 8.8 replica, that gets replicated to the 7.9 master. To ensure the user is properly replicated, the installer performs a bind on the master with the password.
The problem is that the user is created with a password encrypted using PBKDF2-SHA512, and if you try to do an LDAP bind on the 7.9 master the op fails because this algo is not supported. As a consequence the replica installer assumes the user hasn't been replicated.
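
An added diagnostic example (not part of the original report, and not FreeIPA or 389-ds code): it reads an LDIF export of the temporary user taken on the master and separates "entry never arrived" from "entry arrived but its password scheme is one the master cannot verify", the two cases the bind check described above conflates. The LDIF text, the placeholder hash and the MASTER_SCHEMES set are constructed sample values.

```python
import base64
import re

# Constructed sample: LDIF export of the temporary user; the hash is a placeholder.
DN = "uid=admin-replica.testrealm.test,ou=people,o=ipaca"
_PW = base64.b64encode(b"{PBKDF2-SHA512}constructed-placeholder").decode()
SAMPLE_LDIF = (
    "dn: " + DN + "\n"
    "uid: admin-replica.testrealm.test\n"
    "userPassword:: " + _PW[:20] + "\n " + _PW[20:] + "\n"
)
# Constructed sample (assumption): schemes the master can verify. On a real
# server, list the plugins under cn=Password Storage Schemes,cn=plugins,cn=config.
MASTER_SCHEMES = {"SSHA", "SSHA256", "SSHA512"}

def parse_ldif_entry(text):
    """Parse one LDIF record into {attr_lowercase: [values]}, decoding '::'."""
    unfolded = re.sub(r"\r?\n ", "", text)  # undo RFC 2849 line folding
    entry = {}
    for line in unfolded.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):  # '::' marks a base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        entry.setdefault(attr.lower(), []).append(value)
    return entry

def password_scheme(value):
    """Return the scheme named in a '{SCHEME}hash' value, or None."""
    match = re.match(r"\{([^}]+)\}", value)
    return match.group(1).upper() if match else None

def classify(ldif_text, expected_dn, supported):
    """Separate 'entry missing' from 'entry present but bind cannot succeed'."""
    entry = parse_ldif_entry(ldif_text)
    if (entry.get("dn") or [""])[0].lower() != expected_dn.lower():
        return "not-replicated"
    known = {s.upper() for s in supported}
    schemes = {password_scheme(v) for v in entry.get("userpassword", [])}
    unsupported = sorted(s for s in schemes if s and s not in known)
    if unsupported:
        return "replicated-unsupported-scheme:" + ",".join(unsupported)
    return "replicated-bind-possible"

if __name__ == "__main__":
    print(classify(SAMPLE_LDIF, DN, MASTER_SCHEMES))
```
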

Comment 10 bsmejkal 2023-02-06 13:47:05 UTC
As per comment #c6 marking as VERIFIED.

Comment 11 Paul McIntyre 2023-02-15 15:46:46 UTC
Is there a workaround for this?

https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/IHIPPVMMIWV2TL7BNLW55XII3OIQ62HK/

The above kinda works but I'm struggling to get the timing right during the ipa-replica-install for the file update.

