Hullo,

The attached patch fixes
https://fedorahosted.org/freeipa/ticket/6011.

Cheers,
Fraser
From c92ed38c0ef41814dec6ddf4a003948af5bc0beb Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Thu, 30 Jun 2016 21:01:07 +1000
Subject: [PATCH] Fix upgrade when Dogtag also upgraded from 10.2 -> 10.3

ipa-server-upgrade from pre-lightweight CAs version fails when
Dogtag is also being upgraded from pre-lightweight CAs version,
because Dogtag needs to be restarted after adding the lightweight
CAs container, before requesting information about the host
authority.

Move the addition of the Dogtag lightweight CAs container entry a
bit earlier in the upgrade procedure, so that a restart follows it.

Fixes: https://fedorahosted.org/freeipa/ticket/6011
---
 ipaserver/install/cainstance.py     | 14 +++++++++++---
 ipaserver/install/server/upgrade.py |  2 +-
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 
ef69c898bcd4f9d8d7e698b04117047a33c1e45f..28f8fe156ff828fdcfafdf602fa6675a4ee84fea
 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1695,7 +1695,7 @@ def ensure_ldap_profiles_container():
     )
 
 def ensure_lightweight_cas_container():
-    ensure_entry(
+    return ensure_entry(
         DN(('ou', 'authorities'), ('ou', 'ca'), ('o', 'ipaca')),
         objectclass=['top', 'organizationalUnit'],
         ou=['authorities'],
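Review bot: `ensure_lightweight_cas_container` now returns a value that the upgrade path acts on, but the function has no docstring saying what that value means. A one-liner would do: `"""Ensure the lightweight CAs container exists; return True if it was just added (Dogtag then needs a restart)."""`. The body of `ensure_lightweight_cas_container` continues past the end of this hunk.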
@@ -1703,6 +1703,12 @@ def ensure_lightweight_cas_container():
 
 
 def ensure_entry(dn, **attrs):
+    """Ensure an entry exists.
+
+    If an entry with the given DN already exists, return ``False``,
+    otherwise add the entry and return ``True``.
+
+    """
     server_id = installutils.realm_to_serverid(api.env.realm)
     dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
 
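Review bot: The new docstring for `ensure_entry` documents the two return values but not the failure path, which matters for an upgrade step: only `errors.NotFound` is handled, so any other error from the lookup or the add propagates to the caller, and the connection is closed either way by the `finally` added further down. Suggest one more sentence in the docstring: `Other LDAP errors propagate; the connection is always closed.` The body of `ensure_entry` continues past the end of this hunk.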
@@ -1712,12 +1718,14 @@ def ensure_entry(dn, **attrs):
 
     try:
         conn.get_entry(dn)
+        return False
     except errors.NotFound:
         # entry doesn't exist; add it
         entry = conn.make_entry(dn, **attrs)
         conn.add_entry(entry)
-
-    conn.disconnect()
+        return True
+    finally:
+        conn.disconnect()
 
 
 def configure_profiles_acl():
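Review bot: The lookup-then-add in the `try`/`except errors.NotFound` block is not atomic, so if another writer creates the same entry between `conn.get_entry(dn)` and `conn.add_entry(entry)`, the add raises `errors.DuplicateEntry`, which now propagates out of the upgrade step instead of being treated as "already present". Since the entry's existence, not who added it, is what the function promises, wrapping the add as `try: conn.add_entry(entry) except errors.DuplicateEntry: return False` would make it idempotent under that race. The `finally: conn.disconnect()` is a good change; `conn` is created and connected above this hunk, and the start of `ensure_entry` lies outside it.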
diff --git a/ipaserver/install/server/upgrade.py 
b/ipaserver/install/server/upgrade.py
index 
3955a8cb9faf8e5c3350fc3912ea9f05a4b97719..43427178b11f63797a9537eadee836d7cf224311
 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1747,6 +1747,7 @@ def upgrade_configuration():
         ca_enable_pkix(ca),
         ca_configure_profiles_acl(ca),
         ca_configure_lightweight_ca_acls(ca),
+        ca_ensure_lightweight_cas_container(ca),
         ca_add_default_ocsp_uri(ca),
     ])
 
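Review bot: `ca_ensure_lightweight_cas_container(ca)` is added to the list of steps whose results are collected here, yet that wrapper in upgrade.py is not touched by this patch; the change in cainstance.py only makes `ensure_lightweight_cas_container()` return the `ensure_entry` result. Unless the wrapper already returns that value, it yields `None`, and the restart that the following hunk performs (presumably when any step in this list reports a change) would never be triggered by this step. Worth confirming the wrapper ends with `return cainstance.ensure_lightweight_cas_container()`, or adjusting it in this patch. `upgrade_configuration` starts outside this hunk.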
@@ -1758,7 +1759,6 @@ def upgrade_configuration():
         except ipautil.CalledProcessError as e:
             root_logger.error("Failed to restart %s: %s", ca.service_name, e)
 
-    ca_ensure_lightweight_cas_container(ca)
     ca_enable_ldap_profile_subsystem(ca)
 
     # This step MUST be done after ca_enable_ldap_profile_subsystem and
-- 
2.5.5
