authorMartin Babinsky <mbabinsk@redhat.com>2016-02-22 13:35:41 +0100
committerJan Cholasta <jcholast@redhat.com>2016-02-23 16:40:55 +0100
commit2c3b0b1bcd972e6beec4691c03830f37dd27e199 (patch)
tree618a0b4fee7094b54467ce463ab6432d6d4608d2
parentb9c27b672218c30d669d085b5a57045711542fb9 (diff)
upgrade: unconditional import of certificate profiles into LDAP
During IPA server upgrade, the migration of Dogtag profiles into the LDAP backend was bound to the update of CS.cfg which enabled the LDAP profile subsystem. If the subsequent profile migration failed, later upgrades did not execute the migration code, leaving the CA subsystem in a broken state. Therefore the migration code path should be executed regardless of the status of the main Dogtag config file. https://fedorahosted.org/freeipa/ticket/5682 Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
-rw-r--r--ipaserver/install/cainstance.py8
-rw-r--r--ipaserver/install/server/upgrade.py4
2 files changed, 9 insertions, 3 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index f3c1bfa36..b72255f1a 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1707,7 +1707,6 @@ def migrate_profiles_to_ldap():
continue
class_id = match.group(1)
- root_logger.info("Migrating profile '%s' to LDAP", profile_id)
with open(filename) as f:
profile_data = f.read()
if profile_data[-1] != '\n':
@@ -1724,7 +1723,12 @@ def _create_dogtag_profile(profile_id, profile_data):
# import the profile
try:
profile_api.create_profile(profile_data)
- except errors.RemoteRetrieveError:
+ root_logger.info("Profile '%s' successfully migrated to LDAP",
+ profile_id)
+ except errors.RemoteRetrieveError as e:
+ root_logger.debug("Error migrating '{}': {}".format(
+ profile_id, e))
+
# conflicting profile; replace it if we are
# installing IPA, but keep it for upgrades
if api.env.context == 'installer':
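Review bot: The new `except errors.RemoteRetrieveError as e` branch logs every failure at debug level and then continues into the "conflicting profile" handling, so if `create_profile` can raise this exception for reasons other than a conflict (not verifiable from the hunk), that failure would not show at the default log level during an upgrade. Certificate profiles govern what the CA will issue, so it is worth logging the outcome explicitly, for example whether the existing profile was kept or replaced, instead of only the raw error. The debug call also formats eagerly with `.format()` while the info call just above uses lazy `%s` arguments; `root_logger.debug("Error migrating '%s': %s", profile_id, e)` would be consistent. The body of `_create_dogtag_profile` continues past the end of the hunk, so the upgrade-path handling is not visible here.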
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 455b28acc..a88c0ff68 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -333,7 +333,9 @@ def ca_enable_ldap_profile_subsystem(ca):
separator='=')
ca.restart('pki-tomcat')
- cainstance.migrate_profiles_to_ldap()
+
+ root_logger.info('[Migrating certificate profiles to LDAP]')
+ cainstance.migrate_profiles_to_ldap()
return needs_update
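Review bot: The now-unconditional call to `cainstance.migrate_profiles_to_ldap()` has no comment saying why it sits outside the CS.cfg check, so a later reader could take it for an indentation slip (indentation is not preserved in this view, so the placement is inferred from the commit message). A short comment above the call would record the intent, e.g. `# run on every upgrade: an earlier upgrade may have enabled the LDAP profile subsystem but failed to import the profiles (ticket 5682)`. The name `ca_enable_ldap_profile_subsystem` no longer covers everything the function does, and `needs_update` does not reflect whether the migration succeeded; both are worth stating in its docstring. The function begins outside the hunk.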