The issue is related to the way 389-ds manages nsds5replicabinddngroup.
When the replica LDAP entry is created, if it contains nsds5replicabinddngroup, then the group is fetched. So if at that time the group does not contain the DN of the replication manager, replication will fail until the group is updated and fetched again.
With the current setting (nsDS5ReplicaBindDnGroupCheckInterval=60s) that means that replication will fail during the 60s following the creation of the replica entry.
The way the group is fetched is improved with https://pagure.io/389-ds-base/issue/49818.
But for ipa-replica-install against a master not containing #49818, replication will be delayed by 60s.
ipa-server-install + ipa-replica-install
Check the master and consumer error logs:
Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
Replication is delayed by 60 sec.
If the group contains the replication manager DN, the first replication session should succeed.
An easy way to mitigate this issue is to reduce nsDS5ReplicaBindDnGroupCheckInterval=2s.
But after the first sessions it would be good to set nsDS5ReplicaBindDnGroupCheckInterval=60s back (for performance reasons).
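The following is an added example, not code from the ticket or from FreeIPA/389-ds: it builds the LDIF needed to lower nsDS5ReplicaBindDnGroupCheckInterval on the consumer's replica entry before ipa-replica-install and to set it back to 60s afterwards, and it scans a 389-ds errors log for the "Unable to acquire replica: permission denied" message to measure how long replication was actually held up. The replica entry DN (cn=replica,cn=<escaped suffix>,cn=mapping tree,cn=config), the errors-log timestamp layout, the agreement name, the host names and the ldapmodify invocation are assumptions; the sample log lines are constructed.

```python
import re
import subprocess
from datetime import datetime

# Assumption: 389-ds keeps the replica configuration for a suffix under the
# mapping tree, with '=' and ',' in the suffix hex-escaped in the RDN
# (cn=dc\3Dexample\2Cdc\3Dcom).
def replica_dn(suffix):
    escaped = suffix.replace("=", "\\3D").replace(",", "\\2C")
    return f"cn=replica,cn={escaped},cn=mapping tree,cn=config"

def interval_ldif(suffix, seconds):
    """LDIF that replaces nsDS5ReplicaBindDnGroupCheckInterval on the replica entry."""
    return (
        f"dn: {replica_dn(suffix)}\n"
        "changetype: modify\n"
        "replace: nsDS5ReplicaBindDnGroupCheckInterval\n"
        f"nsDS5ReplicaBindDnGroupCheckInterval: {seconds}\n"
    )

def set_interval(suffix, seconds, url, bind_dn="cn=Directory Manager", pw_file=None):
    """Apply the LDIF with the OpenLDAP ldapmodify client (assumed to be on PATH).
    Lower the interval (e.g. 2) before ipa-replica-install, restore 60 afterwards."""
    cmd = ["ldapmodify", "-H", url, "-D", bind_dn]
    cmd += ["-y", pw_file] if pw_file else ["-W"]
    subprocess.run(cmd, input=interval_ldif(suffix, seconds), text=True, check=True)

# Assumed errors-log layout: [dd/Mon/yyyy:HH:MM:SS.nnnnnnnnn +zzzz] - LEVEL - ...
# Only the message text quoted in the ticket is relied on.
DENIED = re.compile(
    r"^\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2})[^\]]*\].*"
    r"Unable to acquire replica: permission denied"
)

def denied_window(log_lines):
    """Return (number of denied acquire attempts, seconds between first and last).
    A window close to the configured check interval is the symptom described above."""
    stamps = []
    for line in log_lines:
        m = DENIED.match(line)
        if m:
            stamps.append(datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S"))
    if not stamps:
        return 0, 0
    return len(stamps), int((max(stamps) - min(stamps)).total_seconds())

# Constructed sample: three retries 30s apart on the supplier, then an unrelated line.
_MSG = ('Unable to acquire replica: permission denied. The bind dn "" does not have '
        'permission to supply replication updates to the replica. Will retry later.')
SAMPLE_LOG = [
    '[14/Aug/2018:13:18:52.103456789 +0200] - ERR - NSMMReplicationPlugin - acquire_replica - '
    'agmt="cn=meTovm-2.example.com" (vm-2:389): ' + _MSG,
    '[14/Aug/2018:13:19:22.223456789 +0200] - ERR - NSMMReplicationPlugin - acquire_replica - '
    'agmt="cn=meTovm-2.example.com" (vm-2:389): ' + _MSG,
    '[14/Aug/2018:13:19:52.303456789 +0200] - ERR - NSMMReplicationPlugin - acquire_replica - '
    'agmt="cn=meTovm-2.example.com" (vm-2:389): ' + _MSG,
    '[14/Aug/2018:13:19:55.000000000 +0200] - INFO - slapd_daemon - slapd started.',
]

if __name__ == "__main__":
    print(interval_ldif("dc=example,dc=com", 2))
    print("denied attempts, window (s):", denied_window(SAMPLE_LOG))
```

Run set_interval(suffix, 2, url) against the new replica before the first agreement is created, then set_interval(suffix, 60, url) once denied_window() over the supplier's errors log shows no new denied attempts; this only shortens the re-fetch delay and does not replace the fix in 389-ds issue 49818.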
Metadata Update from @cheimes:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1623112