Issue

The method check_repl_update in ipaserver/install/replication.py badly handles the attributes nsds5ReplicaLastUpdateStart and nsds5ReplicaLastUpdateEnd as it expects them to contain an int.
These attributes are defined as GeneralizedTime (OID 1.3.6.1.4.1.1466.115.121.1.24) but older versions of 389-ds can also return the value 0 for uninitialized values (see 389-ds ticket 47836). The code must be able to handle the generalized time format or the 0 value.

This issue has no visible impact because in case of error when casting the value to an int, the exception is trapped and the value is set to 0. As a result, the code is always considering that nsds5ReplicaLastUpdateStart = nsds5ReplicaLastUpdateEnd = 0.

To show the wrong evaluation:

ipa-replica-manage force-sync --from master.example.com -v
/usr/lib/python3.7/site-packages/ipaclient/install/ipadiscovery.py:22: DeprecationWarning: ipaclient.install.ipadiscovery is deprecated, use ipaclient.discovery
  DeprecationWarning
ipa: INFO: Setting agreement cn=meToreplica.example.com,cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meToreplica.example.com,cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config
ipa: INFO: Replication Update in progress: FALSE: status: Error (0) Replica acquired successfully: Incremental update succeeded: start: 0: end: 0

The output shows start and end = 0 while the attributes are not null.