From 8c742b1539591b49474fe8ec871e1b523e9898bd Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka
Date: Wed, 9 Nov 2016 17:55:56 +0100
Subject: [PATCH] Fix CA replica install on DL1
Dogtag requires Directory Manager password for its installation. On Domain Level 1 a special password for Directory Manager is created and used during the installation. However, by importing the real DM password from remote LDAP, we can no longer use the temporary password from the replica installation.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Jan Cholasta
---
 ipaserver/install/server/replicainstall.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 053c5021e..770688c1d 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -1378,7 +1378,6 @@ def install(installer):
 config.realm_name)
 if promote:
 custodia.create_replica(config.master_host_name)
- custodia.import_dm_password(config.master_host_name)
 else:
 custodia.create_instance()
@@ -1400,6 +1399,7 @@ def install(installer):
 krb.restart()
 if promote:
+ custodia.import_dm_password(config.master_host_name)
 promote_sssd(config.host_name)
 promote_openldap_conf(config.host_name, config.master_host_name)
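Review bot: The call `custodia.import_dm_password(config.master_host_name)` added under the second `if promote:` now depends on running after the steps that sit between the two hunks, but nothing at the call site says so, and a later tidy-up could move it back next to `custodia.create_replica(...)` and reintroduce the failure. A comment above it would record the constraint, for example `# Import the real DM password only after the CA is set up: Dogtag installation on DL1 still authenticates with the temporary DM password (ticket 6392).` Since the steps between the hunks are not visible here, it is also worth confirming that a failure in that stretch does not leave the replica running with the temporary Directory Manager password and no cleanup path. `install()` begins and ends outside both hunks.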