ipa-replica-install: fix domain level 0 remote LDAP connection

[felipevolpone]

In order to fix https://pagure.io/freeipa/issue/6549.

First of all, I tried at ipaserver/server/install/replicainstall.py:1393:

try:
    domain_level = current_domain_level(remote_api)
    if domain_level != 0:
        conn.connect(bind_dn=ipaldap.DIRMAN_DN, bind_pw=config.dirman_password,
                 cacert=cafile)
    else:
        conn.connect(ccache=ccache)

However, the current_domain_level method was raising this exception:

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall):
    ERROR    ldap2 is not connected (ldap2_140240602559056 in MainThread)

So, I created a connection first, then I check the domain level.
If the domain level is 0 the connection is already created properly. If the domain level is not 0, then it should create using the ccache (how it was before).

This PR fixes the error specified at the bug #6549, however it doesn't fix the entire ipa-replica-install process. This is the output when running sudo ipa-replica-install replica-info-vm-058-186.abc.idm.lab.eng.brq.redhat.com.gpg --skip-conncheck

WARNING: conflicting time&date synchronization service 'chronyd' will
be disabled in favor of ntpd

Directory Manager (existing master) password: 

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/44]: creating directory server user
  [2/44]: creating directory server instance
  [3/44]: enabling ldapi
  [4/44]: configure autobind for root
  [5/44]: stopping directory server
  [6/44]: updating configuration in dse.ldif
  [7/44]: starting directory server
  [8/44]: adding default schema
  [9/44]: enabling memberof plugin
  [10/44]: enabling winsync plugin
  [11/44]: configuring replication version plugin
  [12/44]: enabling IPA enrollment plugin
  [13/44]: configuring uniqueness plugin
  [14/44]: configuring uuid plugin
  [15/44]: configuring modrdn plugin
  [16/44]: configuring DNS plugin
  [17/44]: enabling entryUSN plugin
  [18/44]: configuring lockout plugin
  [19/44]: configuring topology plugin
  [20/44]: creating indices
  [21/44]: enabling referential integrity plugin
  [22/44]: configuring TLS for DS instance
  [23/44]: configuring certmap.conf
  [24/44]: configure new location for managed entries
  [25/44]: configure dirsrv ccache
  [26/44]: enabling SASL mapping fallback
  [27/44]: restarting directory server
  [28/44]: creating DS keytab
  [29/44]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 6 seconds elapsed
Update succeeded

  [30/44]: adding sasl mappings to the directory
  [31/44]: updating schema
  [32/44]: setting Auto Member configuration
  [33/44]: enabling S4U2Proxy delegation
  [34/44]: importing CA certificates from LDAP
  [35/44]: initializing group membership
  [36/44]: adding master entry
  [37/44]: initializing domain level
  [38/44]: configuring Posix uid/gid generation
  [39/44]: adding replication acis
  [40/44]: enabling compatibility plugin
  [41/44]: activating sidgen plugin
  [42/44]: activating extdom plugin
  [43/44]: tuning directory server
  [44/44]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/4]: configuring KDC
  [2/4]: adding the password extension to the directory
  [3/4]: starting the KDC
  [4/4]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Restarting directory server to enable password extension plugin
Configuring the web interface (httpd)
  [1/22]: setting mod_nss port to 443
  [2/22]: setting mod_nss cipher suite
  [3/22]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [4/22]: setting mod_nss password file
  [5/22]: enabling mod_nss renegotiate
  [6/22]: adding URL rewriting rules
  [7/22]: configuring httpd
  [8/22]: setting up httpd keytab
  [9/22]: retrieving anonymous keytab
  [error] CalledProcessError: Command '/usr/sbin/ipa-getkeytab -k /var/lib/ipa/api/anon.keytab -p WELLKNOWN/ANONYMOUS -H ldapi://%2fvar%2frun%2fslapd-DOM-133-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM.socket -Y EXTERNAL' returned non-zero exit status 9
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    Command '/usr/sbin/ipa-getkeytab -k /var/lib/ipa/api/anon.keytab -p WELLKNOWN/ANONYMOUS -H ldapi://%2fvar%2frun%2fslapd-DOM-133-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM.socket -Y EXTERNAL' returned non-zero exit status 9
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

[MartinBasti]

This should be:

if promote:
    conn.connect(ccache)
else:
   connect as directory manager

variable promote should be already defined, and promote means domain level 1+ for now, so there is no need for gettting domain level one more time

[felipevolpone]

Done

[MartinBasti]

Please merge commits into one and please use full description in commit message instead of ticket number.

[HonzaCholasta]

Please add a comment with explanation so that the fix does not get lost (see the pagure issue for an explanation).

[felipevolpone]

@HonzaCholasta, @MartinBasti done :)
Please, check if the commit message and the code comment are good enough.

Thank you

[tkrizek]

Please try to keep the commit message summary short and append the link to the ticket at the end.

For example:

server install: require IPv6 stack to be enabled

Add checks to install and replica install to verify IPv6 stack
is enabled. IPv6 is required by some IPA parts (AD, conncheck, ...).

https://pagure.io/freeipa/issue/6608

[felipevolpone]

What do you think about:

Fixing the replica install against IPA 3.0.0 master. 

Now, at the domain level 0, the replica install always uses 
Directory Manager credentials to create the LDAP connection.

https://pagure.io/freeipa/issue/6549

[tkrizek]

Seems all right, but I'd go with a more informative summary to make it a bit more clear what's changed when looking through the log:

replica install: fix ldap connection in domlvl 0

[HonzaCholasta]

@felipevolpone, the comment should explain why DM authentication has to be used.

[felipevolpone]

@HonzaCholasta @tomaskrizek please, check if it looks good to you. thank you for helping me guys 👍

[MartinBasti]

I updated title to more descriptive one and I'm going to test it

[MartinBasti]

You fixed this issue, but uncover more issues, I will open particular tickets. ACK for this fix

[tkrizek]

master:

• 772d4e3 Fixing replica install: fix ldap connection in domlvl 0
  ipa-4-5:

• af4531d Fixing replica install: fix ldap connection in domlvl 0