-rwxr-xr-xinstall/tools/ipa-replica-install20
-rwxr-xr-xinstall/tools/ipa-server-install20
-rw-r--r--ipaserver/plugins/dogtag.py9
-rw-r--r--ipaserver/plugins/ldap2.py22
4 files changed, 36 insertions, 35 deletions
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 1584dd58c..e8fabd705 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -32,7 +32,6 @@ from ipaserver.install import bindinstance, httpinstance, ntpinstance, certs
from ipaserver import ipaldap
from ipapython import version
from ipalib import api, util
-from ipalib.constants import DEFAULT_CONFIG
CACERT="/usr/share/ipa/html/ca.crt"
@@ -134,14 +133,6 @@ def install_ca(config):
# FIXME, need to pass along the CA plugin to use
cafile = config.dir + "/ca.p12"
- # Just initialize the environment. This is so the installer can have
- # access to the plugin environment
- api.env._bootstrap()
- default_config = dict(DEFAULT_CONFIG)
- if ipautil.file_exists(cafile):
- default_config['ra_plugin'] = 'dogtag'
- api.env._finalize_core(**default_config)
-
if not ipautil.file_exists(cafile):
return None
@@ -320,6 +311,14 @@ def main():
except ldap.INVALID_CREDENTIALS, e :
sys.exit("\nThe password provided is incorrect for LDAP server %s" % config.master_host_name)
+ if ipautil.file_exists(config.dir + "/ca.p12"):
+ ca_type = 'dogtag'
+ else:
+ ca_type = 'selfsign'
+
+ api.bootstrap(in_server=True, ra_plugin=ca_type)
+ api.finalize()
+
# Install CA cert so that we can do SSL connections with ldap
install_ca_cert(config)
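Review bot: The new bootstrap block in main() has no comment saying why it sits at this point, and its `config.dir + "/ca.p12"` test repeats the `cafile` path built in install_ca, so the two can drift apart. A comment such as `# Bootstrap the plug-in framework once, before any api.Backend use; the RA plug-in must match the CA type being installed` would replace the explanation this commit deletes. The same applies to the matching `if options.ca:` block added to ipa-server-install. main() starts and ends outside the hunk.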
@@ -379,9 +378,6 @@ def main():
service.restart("krb5kdc")
if options.setup_dns:
- # First bootstrap the plug-in framework
- api.bootstrap(in_server=True)
- api.finalize()
api.Backend.ldap2.connect(bind_dn="cn=Directory Manager",
bind_pw=config.dirman_password)
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 3aa6fae2f..094654dbf 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -52,7 +52,6 @@ from ipaserver.install.installutils import *
from ipapython import sysrestore
from ipapython.ipautil import *
from ipalib import api, util
-from ipalib.constants import DEFAULT_CONFIG
pw_name = None
@@ -402,14 +401,6 @@ def main():
signal.signal(signal.SIGTERM, signal_handler)
signal.signal(signal.SIGINT, signal_handler)
- # Just initialize the environment. This is so the installer can have
- # access to the plugin environment
- api.env._bootstrap()
- default_config = dict(DEFAULT_CONFIG)
- if options.ca:
- default_config['ra_plugin'] = 'dogtag'
- api.env._finalize_core(**default_config)
-
if options.uninstall:
standard_logging_setup("/var/log/ipaserver-uninstall.log", options.debug)
else:
@@ -419,6 +410,14 @@ def main():
global fstore
fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
+ if options.ca:
+ ca_type = 'dogtag'
+ else:
+ ca_type = 'selfsign'
+
+ api.bootstrap(in_server=True, ra_plugin=ca_type)
+ api.finalize()
+
if options.uninstall:
if not options.unattended:
print "\nThis is a NON REVERSIBLE operation and will delete all data and configuration!\n"
@@ -712,9 +711,6 @@ def main():
bind = bindinstance.BindInstance(fstore, dm_password)
bind.setup(host_name, ip_address, realm_name, domain_name, dns_forwarders)
if options.setup_dns:
- # First bootstrap the plug-in framework
- api.bootstrap(in_server=True)
- api.finalize()
api.Backend.ldap2.connect(bind_dn="cn=Directory Manager", bind_pw=dm_password)
bind.create_instance()
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index 2b1e84e7a..1bbabbf7c 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -60,9 +60,12 @@ class ra(rabase.rabase):
self.ipa_key_size = "2048"
self.ipa_certificate_nickname = "ipaCert"
self.ca_certificate_nickname = "caCert"
- f = open(self.pwd_file, "r")
- self.password = f.readline().strip()
- f.close()
+ try:
+ f = open(self.pwd_file, "r")
+ self.password = f.readline().strip()
+ f.close()
+ except IOError:
+ self.password = ''
super(ra, self).__init__()
def _request(self, url, **kw):
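Review bot: Catching every IOError around the password-file read and falling back to `self.password = ''` hides permission and I/O failures, so the RA backend can come up with an empty password and fail later in a less obvious place. If the intent is only to let the plug-in load before the file exists during installation, restrict the fallback to a missing file and re-raise everything else. A try/finally around the read also closes the handle if readline() fails. The sketch assumes `errno` is imported at the top of the module, which is outside this hunk, as is the start of `__init__`.

```python
        try:
            f = open(self.pwd_file, "r")
            try:
                self.password = f.readline().strip()
            finally:
                f.close()
        except IOError, e:
            # Only a missing file is expected (plug-in loaded before the CA is set up)
            if e.errno != errno.ENOENT:
                raise
            self.password = ''
        super(ra, self).__init__()
```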
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 0deded937..1b133e570 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -121,12 +121,15 @@ def _get_url(host, port, using_cacert=False):
# retrieves LDAP schema from server
def _load_schema(url):
+ global _schema
try:
conn = _ldap.initialize(url)
# assume anonymous access is enabled
conn.simple_bind_s('', '')
schema_entry = conn.search_s('cn=schema', _ldap.SCOPE_BASE)[0]
conn.unbind_s()
+ except _ldap.SERVER_DOWN:
+ return None
except _ldap.LDAPError, e:
# TODO: raise a more appropriate exception
_handle_errors(e, **{})
@@ -142,8 +145,9 @@ def _load_schema(url):
_schema = _load_schema(api.env.ldap_uri)
def _get_syntax(attr, value):
- schema = api.Backend.ldap2._schema
- obj = schema.get_obj(_ldap.schema.AttributeType, attr)
+ global _schema
+
+ obj = _schema.get_obj(_ldap.schema.AttributeType, attr)
if obj is not None:
return obj.syntax
else:
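Review bot: `_get_syntax` now dereferences the module-level `_schema` directly, but with this commit `_load_schema` returns None when the server is down, so `_schema.get_obj(...)` raises AttributeError if the encoder calls it before a successful connect has refilled the cache. A guard such as `if _schema is None: return None` ahead of the lookup would make that case explicit, assuming None is an acceptable "unknown syntax" result for the encoder. The `_schema.get_obj` calls in the two synonym-handling hunks further down are exposed to the same case. The `global _schema` line is not needed for a read-only use, and the `else:` branch continues outside the hunk.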
@@ -176,7 +180,6 @@ class ldap2(CrudBackend, Encoder):
self.encoder_settings.decode_dict_vals_table_keygen = _get_syntax
self.encoder_settings.decode_postprocessor = lambda x: string.lower(x)
self._ldapuri = api.env.ldap_uri
- self._schema = _schema
CrudBackend.__init__(self)
def __del__(self):
@@ -204,12 +207,13 @@ class ldap2(CrudBackend, Encoder):
Extends backend.Connectible.create_connection.
"""
+ global _schema
if ldapuri is not None:
self._ldapuri = ldapuri
# if we don't have this server's schema cached, do it now
- if self._ldapuri != api.env.ldap_uri:
- self._schema = _load_schema(self._ldapuri)
+ if self._ldapuri != api.env.ldap_uri or _schema is None:
+ _schema = _load_schema(self._ldapuri)
if tls_cacertfile is not None:
_ldap.set_option(_ldap.OPT_X_TLS_CACERTFILE, tls_cacertfile)
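Review bot: Assigning the reloaded schema to the module global `_schema` means a connection to a non-default URI replaces the schema seen by every other ldap2 instance in the process, where the removed code kept it per instance in `self._schema`. If backends for different servers can coexist, or run on separate threads in the server, their attribute lookups will use whichever schema was loaded last. `_load_schema` can also return None here and nothing checks the result. The reload also runs before `OPT_X_TLS_CACERTFILE` is set just below, so the anonymous schema fetch presumably does not use the CA file passed to this call. A per-URI cache, for example a dict keyed by `self._ldapuri`, would avoid the cross-talk; create_connection starts and ends outside the hunk.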
@@ -304,9 +308,10 @@ class ldap2(CrudBackend, Encoder):
preferred_names -- list of preferred synomyms or None for defaults
(default None)
"""
+ global _schema
if preferred_names:
for n in preferred_names:
- attr = self._schema.get_obj(_ldap.schema.AttributeType, n)
+ attr = _schema.get_obj(_ldap.schema.AttributeType, n)
synonyms = [v.lower() for v in attr.names]
synonyms.remove(n)
for s in synonyms:
@@ -315,7 +320,7 @@ class ldap2(CrudBackend, Encoder):
del entry_attrs[s]
else:
for (k, v) in entry_attrs.items():
- attr = self._schema.get_obj(_ldap.schema.AttributeType, k)
+ attr = _schema.get_obj(_ldap.schema.AttributeType, k)
synonyms = [v.lower() for v in attr.names]
preferred_name = synonyms[0]
if k in synonyms[1:]:
@@ -492,8 +497,9 @@ class ldap2(CrudBackend, Encoder):
return self.find_entries(filter, None, 'cn=etc', self.SCOPE_ONELEVEL)[0][0]
def get_schema(self):
+ global _schema
"""Returns a copy of the current LDAP schema."""
- return copy.deepcopy(self._schema)
+ return copy.deepcopy(_schema)
@encode_args(1, 2)
def get_effective_rights(self, dn, entry_attrs):
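Review bot: `global _schema` is placed above the string literal in `get_schema`, so the string is no longer the first statement and stops being the method's docstring (`get_schema.__doc__` becomes None). The declaration is unnecessary for a read, so dropping the line, or moving it below the docstring, restores the documentation. `copy.deepcopy(_schema)` also returns None when the schema could not be loaded, which the docstring could state so callers know to check.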