3 files changed, 37 insertions, 7 deletions

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 8b58b0e05..725a6cfa5 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -33,7 +33,7 @@ Source0:        freeipa-%{version}.tar.gz
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 %if ! %{ONLY_CLIENT}
-BuildRequires:  389-ds-base-devel >= 1.3.3.8
+BuildRequires:  389-ds-base-devel >= 1.3.3.9
 BuildRequires:  svrcore-devel
 BuildRequires:  policycoreutils >= 2.1.12-5
 BuildRequires:  systemd-units
@@ -108,7 +108,7 @@ Group: System Environment/Base
 Requires: %{name}-python = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.3.8
+Requires: 389-ds-base >= 1.3.3.9
 Requires: openldap-clients > 2.4.35-4
 Requires: nss >= 3.14.3-12.0
 Requires: nss-tools >= 3.14.3-12.0
@@ -143,7 +143,7 @@ Requires: zip
 Requires: policycoreutils >= 2.1.12-5
 Requires: tar
 Requires(pre): certmonger >= 0.76.8
-Requires(pre): 389-ds-base >= 1.3.3.8
+Requires(pre): 389-ds-base >= 1.3.3.9
 Requires: fontawesome-fonts
 Requires: open-sans-fonts
 Requires: openssl
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 52df6b7de..e216edbfa 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -36,6 +36,7 @@ import ldap
 from ipaserver.install import ldapupdate
 from ipaserver.install import replication
 from ipaserver.install import sysupgrade
+from ipaserver.install import upgradeinstance
 from ipalib import api
 from ipalib import certstore
 from ipalib import errors
@@ -504,10 +505,8 @@ class DsInstance(service.Service):
         conn.unbind()
 
     def apply_updates(self):
-        ld = ldapupdate.LDAPUpdate(dm_password=self.dm_password,
-                                   sub_dict=self.sub_dict)
-        files = ld.get_all_files(ldapupdate.UPDATES_DIR)
-        ld.update(files)
+        data_upgrade = upgradeinstance.IPAUpgrade(self.realm)
+        data_upgrade.create_instance()
         installutils.store_version()
 
 
diff --git a/ipaserver/install/upgradeinstance.py b/ipaserver/install/upgradeinstance.py
index f70312f09..1466450b2 100644
--- a/ipaserver/install/upgradeinstance.py
+++ b/ipaserver/install/upgradeinstance.py
@@ -25,6 +25,7 @@ import random
 import traceback
 from ipaplatform.paths import paths
 from ipapython.ipa_log_manager import *
+from ipapython import ipaldap
 
 from ipaserver.install import installutils
 from ipaserver.install import schemaupdate
@@ -170,6 +171,7 @@ class IPAUpgrade(service.Service):
         self.upgradefailed = False
         self.serverid = serverid
         self.schema_files = schema_files
+        self.realm = realm_name
 
     def __start_nowait(self):
         # Don't wait here because we've turned off port 389. The connection
@@ -184,6 +186,7 @@ class IPAUpgrade(service.Service):
         self.step("stopping directory server", self.__stop_instance)
         self.step("saving configuration", self.__save_config)
         self.step("disabling listeners", self.__disable_listeners)
+        self.step("enabling DS global lock", self.__enable_ds_global_write_lock)
         self.step("starting directory server", self.__start_nowait)
         if self.schema_files:
             self.step("updating schema", self.__update_schema)
@@ -223,9 +226,31 @@ class IPAUpgrade(service.Service):
             else:
                 self.backup_state('nsslapd-security', security)
 
+            try:
+                global_lock = config_entry['nsslapd-global-backend-lock'][0]
+            except KeyError:
+                pass
+            else:
+                self.backup_state('nsslapd-global-backend-lock', global_lock)
+
+    def __enable_ds_global_write_lock(self):
+        ldif_outfile = "%s.modified.out" % self.filename
+        with open(ldif_outfile, "wb") as out_file:
+            ldif_writer = ldif.LDIFWriter(out_file)
+            with open(self.filename, "rb") as in_file:
+                parser = ModifyLDIF(in_file, ldif_writer)
+
+                parser.remove_value("cn=config", "nsslapd-global-backend-lock")
+                parser.add_value("cn=config", "nsslapd-global-backend-lock",
+                                 "on")
+                parser.parse()
+
+        shutil.copy2(ldif_outfile, self.filename)
+
     def __restore_config(self):
         port = self.restore_state('nsslapd-port')
         security = self.restore_state('nsslapd-security')
+        global_lock = self.restore_state('nsslapd-global-backend-lock')
 
         ldif_outfile = "%s.modified.out" % self.filename
         with open(ldif_outfile, "wb") as out_file:
@@ -240,6 +265,12 @@ class IPAUpgrade(service.Service):
                     parser.remove_value("cn=config", "nsslapd-security")
                     parser.add_value("cn=config", "nsslapd-security", security)
 
+                # disable global lock by default
+                parser.remove_value("cn=config", "nsslapd-global-backend-lock")
+                if global_lock is not None:
+                    parser.add_value("cn=config", "nsslapd-global-backend-lock",
+                                     global_lock)
+
                 parser.parse()
 
         shutil.copy2(ldif_outfile, self.filename)