On 11/19/2015 02:31 PM, Jan Cholasta wrote:
On 19.11.2015 11:23, Martin Babinsky wrote:
On 11/19/2015 10:50 AM, Martin Babinsky wrote:
https://fedorahosted.org/freeipa/ticket/5346



Attaching updated patches.

1) It seems the self._ldap_disconnect() was actually necessary:

     cannot connect to
'ldapi://%2fvar%2frun%2fslapd-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM.socket':
     The ipa-kra-install command failed. See
/var/log/ipaserver-kra-install.log for more information

After re-adding it, ipa-kra-install works again.


2) I don't want to see any messages when there's nothing wrong:

       [7/8]: add vault container
     Vault container already exists

Please lower the log level of this message from info to debug.

OK, attaching updated patches.

--
Martin^3 Babinsky
From 86f9e71729ff3fe6ab9387e7ec057070eb249d95 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Thu, 19 Nov 2015 14:33:49 +0100
Subject: [PATCH] suppress errors arising from adding existing LDAP entries
 during KRA install

https://fedorahosted.org/freeipa/ticket/5346
---
 ipaserver/install/krainstance.py | 16 ++++++++++++++--
 ipaserver/install/service.py     |  4 +++-
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index ed47be7374ff89e787661dc1447b9388ba0f6334..be62226ada2878a4a826570e6ac17d7800cd5938 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -53,6 +53,8 @@ ADMIN_GROUPS = [
     'Security Domain Administrators'
 ]
 
+LDAPMOD_ERR_ALREADY_EXISTS = 68
+
 class KRAInstance(DogtagInstance):
     """
     We assume that the CA has already been installed, and we use the
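Review bot: `LDAPMOD_ERR_ALREADY_EXISTS = 68` is added as a bare number with no note on where the value comes from. 68 is the LDAP result code entryAlreadyExists, and the next hunk compares it with `e.returncode` of the failed command, so a comment such as `# LDAP result code 68 (entryAlreadyExists), seen as the exit status of the failed command` would make that dependency explicit. PEP 8 also asks for two blank lines between the constant and `class KRAInstance`; the hunk leaves one. The class body continues outside this hunk, and the second patch in this mail adds the same constant.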
@@ -312,8 +314,18 @@ class KRAInstance(DogtagInstance):
         conn.disconnect()
 
     def __add_vault_container(self):
-        self._ldap_mod('vault.ldif', {'SUFFIX': self.suffix})
-        self.ldap_disconnect()
+        try:
+            self._ldap_mod('vault.ldif', {'SUFFIX': self.suffix},
+                           raise_on_err=True)
+        except ipautil.CalledProcessError as e:
+            if e.returncode == LDAPMOD_ERR_ALREADY_EXISTS:
+                self.log.debug("Vault container already exists")
+            else:
+                self.log.error("Failed to add vault container: {0}".format(e))
+        finally:
+            # we need to disconnect from LDAP, because _ldap_mod() makes the
+            # connection without actually using it
+            self.ldap_disconnect()
 
     def __apply_updates(self):
         sub_dict = {
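Review bot: The `else` branch of `__add_vault_container` logs any failure other than exit status 68 and then returns normally, so the install step finishes even though the vault container may not have been created. Because the call now passes `raise_on_err=True`, the branch can propagate the failure after logging it by adding a bare `raise` after `self.log.error("Failed to add vault container: {0}".format(e))`. The `finally` clause would still run `self.ldap_disconnect()`. The severity also drops from the `critical` that `_ldap_mod` logs by default to `error`, which is worth confirming as intended. The same applies to the identical hunk in the second patch of this mail.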
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index b9e68121dda6ea0b52c9ad923fcd5c72a22598a4..c856cccd03a5d7f166240ff87d9c49ef45f2a64d 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -184,7 +184,7 @@ class Service(object):
         self.admin_conn.unbind()
         self.admin_conn = None
 
-    def _ldap_mod(self, ldif, sub_dict=None):
+    def _ldap_mod(self, ldif, sub_dict=None, raise_on_err=False):
         pw_name = None
         fd = None
         path = ipautil.SHARE_DIR + ldif
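Review bot: `_ldap_mod` gains the `raise_on_err` keyword, but the function has no docstring telling callers what the flag changes. A short docstring such as `"""Apply the LDIF file `ldif`; with raise_on_err=True, re-raise ipautil.CalledProcessError instead of logging it."""` would cover it. It should also say that with the flag set nothing is logged here, since the `raise` in the following hunk comes before `root_logger.critical(...)`, leaving logging to the caller. The function body continues outside this hunk, and the second patch makes the same signature change.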
@@ -228,6 +228,8 @@ class Service(object):
             try:
                 ipautil.run(args, nolog=nologlist)
             except ipautil.CalledProcessError as e:
+                if raise_on_err:
+                    raise
                 root_logger.critical("Failed to load %s: %s" % (ldif, str(e)))
         finally:
             if pw_name:
-- 
2.4.3

From 8b9d337e3fee98a343006c01c3c9bdd54ce1f040 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Thu, 19 Nov 2015 14:33:49 +0100
Subject: [PATCH] suppress errors arising from adding existing LDAP entries
 during KRA install

https://fedorahosted.org/freeipa/ticket/5346
---
 ipaserver/install/krainstance.py | 16 ++++++++++++++--
 ipaserver/install/service.py     |  4 +++-
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index 0000192745b6d7f9f402267e435f7223f1bf8849..a2514debae600bdc46afb92e426a5f616529fde2 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -47,6 +47,8 @@ from ipapython.ipa_log_manager import log_mgr
 IPA_KRA_RECORD = "ipa-kra"
 
 
+LDAPMOD_ERR_ALREADY_EXISTS = 68
+
 class KRAInstance(DogtagInstance):
     """
     We assume that the CA has already been installed, and we use the
@@ -308,8 +310,18 @@ class KRAInstance(DogtagInstance):
         conn.disconnect()
 
     def __add_vault_container(self):
-        self._ldap_mod('vault.ldif', {'SUFFIX': self.suffix})
-        self.ldap_disconnect()
+        try:
+            self._ldap_mod('vault.ldif', {'SUFFIX': self.suffix},
+                           raise_on_err=True)
+        except ipautil.CalledProcessError as e:
+            if e.returncode == LDAPMOD_ERR_ALREADY_EXISTS:
+                self.log.debug("Vault container already exists")
+            else:
+                self.log.error("Failed to add vault container: {0}".format(e))
+        finally:
+            # we need to disconnect from LDAP, because _ldap_mod() makes the
+            # connection without actually using it
+            self.ldap_disconnect()
 
     def __apply_updates(self):
         sub_dict = {
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index f0eaee2c99d2949ca77659bf163a22f6785d9bc5..e59e82c9fbd0c15dd97c1814a91a78612a151230 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -155,7 +155,7 @@ class Service(object):
         self.admin_conn.unbind()
         self.admin_conn = None
 
-    def _ldap_mod(self, ldif, sub_dict=None):
+    def _ldap_mod(self, ldif, sub_dict=None, raise_on_err=False):
         pw_name = None
         fd = None
         path = ipautil.SHARE_DIR + ldif
@@ -199,6 +199,8 @@ class Service(object):
             try:
                 ipautil.run(args, nolog=nologlist)
             except ipautil.CalledProcessError, e:
+                if raise_on_err:
+                    raise
                 root_logger.critical("Failed to load %s: %s" % (ldif, str(e)))
         finally:
             if pw_name:
-- 
2.4.3

-- 