DogtagInstance.setup_admin and related methods have multiple LDAP replication race conditions. The bugs can cause parallel ipa-replica-install to fail. The issue typically manifests itself as:
com.netscape.certsrv.base.PKIException: Failed to obtain installation token from security domain: com.netscape.certsrv.base.UnauthorizedException: User admin-replica1.ipa.example is not a member of Enterprise CA Administrators group.
The _add_admin_to_group method https://pagure.io/freeipa/blob/84ae625fe2c3786f7c5430f23a55c171ff54e110/f/ipaserver/install/dogtaginstance.py#_397-407 uses an LDAP search + MOD_REPLACE to add the host admin to the admin group. This is subject to race conditions: if another thread, process, or replica modifies the group between the read and the modify, the previous modification is lost. The method must use MOD_ADD to add the user to the group.
setup_admin waits until the new admin user has been replicated to the replication source. But that is not sufficient. Since the admin is first created and then appended to the groups, the method must wait until the group membership additions have been replicated, too.
https://pagure.io/freeipa/blob/84ae625fe2c3786f7c5430f23a55c171ff54e110/f/ipaserver/install/dogtaginstance.py#_439-444
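Both races above can be reproduced against a tiny in-memory model of an LDAP server. This is an added example, not FreeIPA or Dogtag code: `FakeDirectory`, its changelog-based replication and the `wait_for` helper are constructed for illustration and do not use python-ldap; the group DN is assumed from the error message quoted in the ticket. The first half interleaves two search + MOD_REPLACE callers and shows the lost update, then repeats the operation with MOD_ADD; the second half shows why waiting for the admin user entry alone is insufficient when the group modification replicates one step later.

```python
"""Model of the two races in DogtagInstance.setup_admin (constructed example)."""
from enum import Enum


class ModOp(Enum):
    MOD_ADD = "add"          # server merges the values into the attribute
    MOD_REPLACE = "replace"  # server overwrites the attribute with the client's view


class FakeDirectory:
    """Minimal in-memory stand-in for 389-DS with an ordered changelog (constructed)."""

    def __init__(self):
        self.entries = {}    # dn -> {attribute: set(values)}
        self.changelog = []  # ordered operations, replayed on replicas

    def add_entry(self, dn, attrs):
        self.entries[dn] = {a: set(v) for a, v in attrs.items()}
        self.changelog.append(("add", dn, attrs))

    def exists(self, dn):
        return dn in self.entries

    def search(self, dn, attr):
        return set(self.entries[dn].get(attr, ()))

    def modify(self, dn, op, attr, values):
        entry = self.entries[dn]
        if op is ModOp.MOD_REPLACE:
            entry[attr] = set(values)
        else:
            entry.setdefault(attr, set()).update(values)
        self.changelog.append(("mod", dn, op, attr, list(values)))

    def replicate_one(self, source):
        """Apply the next not-yet-applied changelog entry from source; False if caught up."""
        applied = len(self.changelog)
        if applied >= len(source.changelog):
            return False
        op = source.changelog[applied]
        if op[0] == "add":
            self.add_entry(op[1], op[2])
        else:
            self.modify(op[1], op[2], op[3], op[4])
        return True


# Assumed DN, taken from the group name in the ticket's error message.
GROUP_DN = "cn=Enterprise CA Administrators,ou=groups,o=ipaca"
USERS_DN = "ou=people,o=ipaca"


def racy_add_to_group(directory, member_dn):
    """The pattern the ticket describes: search, then MOD_REPLACE with the client's merged view.
    The write is returned as a closure so two callers can be interleaved read/read/write/write."""
    seen = directory.search(GROUP_DN, "uniqueMember")

    def commit():
        directory.modify(GROUP_DN, ModOp.MOD_REPLACE, "uniqueMember", seen | {member_dn})
    return commit


def safe_add_to_group(directory, member_dn):
    """The fix: MOD_ADD lets the server merge; no client-side read is involved."""
    directory.modify(GROUP_DN, ModOp.MOD_ADD, "uniqueMember", [member_dn])


def new_directory():
    d = FakeDirectory()
    d.add_entry(GROUP_DN, {"uniqueMember": [f"uid=admin,{USERS_DN}"]})
    return d


def lost_update_with_replace():
    """Two replicas add their host admin concurrently; the second MOD_REPLACE drops the first."""
    d = new_directory()
    a, b = f"uid=admin-replica1,{USERS_DN}", f"uid=admin-replica2,{USERS_DN}"
    commit_a = racy_add_to_group(d, a)
    commit_b = racy_add_to_group(d, b)  # b reads before a has written
    commit_a()
    commit_b()                          # overwrites uniqueMember without a
    return sorted(d.search(GROUP_DN, "uniqueMember"))


def no_lost_update_with_add():
    """Same two additions via MOD_ADD; both members survive."""
    d = new_directory()
    safe_add_to_group(d, f"uid=admin-replica1,{USERS_DN}")
    safe_add_to_group(d, f"uid=admin-replica2,{USERS_DN}")
    return sorted(d.search(GROUP_DN, "uniqueMember"))


def wait_for(predicate, replica, source, max_steps):
    """Poll the replica, letting one changelog entry replicate per poll (constructed helper)."""
    for _ in range(max_steps):
        if predicate(replica):
            return True
        replica.replicate_one(source)
    return predicate(replica)


def replication_wait_demo():
    """Waiting for the user entry succeeds while the group membership is still in flight."""
    master, replica = new_directory(), FakeDirectory()
    while replica.replicate_one(master):
        pass  # replica starts in sync
    user_dn = f"uid=admin-replica1,{USERS_DN}"
    master.add_entry(user_dn, {"objectClass": ["person"]})  # created first...
    safe_add_to_group(master, user_dn)                        # ...then added to the group
    user_seen = wait_for(lambda r: r.exists(user_dn), replica, master, max_steps=1)
    member_now = user_dn in replica.search(GROUP_DN, "uniqueMember")
    member_seen = wait_for(lambda r: user_dn in r.search(GROUP_DN, "uniqueMember"),
                           replica, master, max_steps=5)
    return user_seen, member_now, member_seen


if __name__ == "__main__":
    print("MOD_REPLACE:", lost_update_with_replace())
    print("MOD_ADD:    ", no_lost_update_with_add())
    print("user seen, member seen at that point, member seen after more waiting:",
          replication_wait_demo())
```

The second demo is the reason a fix for the first race alone is not enough: a caller on another replica that observes the user entry and immediately requests the installation token still hits the UnauthorizedException, because the MOD_ADD on the group is a separate changelog entry and arrives later.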
Metadata Update from @cheimes: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/2051
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1594141
Issue linked to bug 1594141
master:
ipa-4-6:
ipa-4-5:
Metadata Update from @cheimes: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)