b763b62 Fix replication races in Dogtag admin code

Authored and Committed by cheimes 5 years ago
    Fix replication races in Dogtag admin code
    
    DogtagInstance.setup_admin and related methods have multiple LDAP
    replication race conditions. The bugs can cause parallel
    ipa-replica-install to fail.
    
    The code from __add_admin_to_group() has been changed to use MOD_ADD
    ather than search + MOD_REPLACE. The MOD_REPLACE approach can lead to
    data loss, when more than one writer changes a group.
    
    setup_admin() now waits until both admin user and group membership have
    been replicated to the master peer. The method also adds a new ACI to
    allow querying group member in the replication check.
    
    Fixes: https://pagure.io/freeipa/issue/7593
    Signed-off-by: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>