From 8c742b1539591b49474fe8ec871e1b523e9898bd Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Nov 11 2016 11:17:25 +0000 Subject: Fix CA replica install on DL1 Dogtag requires Directory Manager password for its installation. On Domain Level 1 a special password for Directory Manager is created and used during the installation. However, by importing the real DM password from remote LDAP, we can no longer use the temporary password from the replica installation. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Jan Cholasta
---
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 053c502..770688c 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -1378,7 +1378,6 @@ def install(installer):
 config.realm_name)
 if promote:
 custodia.create_replica(config.master_host_name)
- custodia.import_dm_password(config.master_host_name)
 else:
 custodia.create_instance()
@@ -1400,6 +1399,7 @@ def install(installer):
 krb.restart()
 if promote:
+ custodia.import_dm_password(config.master_host_name)
 promote_sssd(config.host_name)
 promote_openldap_conf(config.host_name, config.master_host_name)
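Review bot: The new position of `custodia.import_dm_password(config.master_host_name)` in the second hunk carries an ordering constraint that nothing in the code states: per the commit message, the Dogtag install on domain level 1 still relies on the temporary Directory Manager password, so the real one must not be imported before it. A comment above the call would keep a later cleanup from moving it back next to `custodia.create_replica(...)`, for example `# Import the real DM password only after the CA install; Dogtag setup on DL1 uses the temporary one.` The steps between the two hunks are not visible here, so it is worth confirming that nothing between `custodia.create_replica(...)` and this block needs the real password, and that a failure before this point does not leave the replica running with only the temporary DM password. `install()` starts and ends outside both hunks.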