diff options
author | Fraser Tweedale <ftweedal@redhat.com> | 2016-06-30 21:01:07 +1000 |
---|---|---|
committer | Petr Vobornik <pvoborni@redhat.com> | 2016-07-01 11:09:53 +0200 |
commit | 3691e39a62da5134f911f6a798f79a3a2ae0c025 (patch) | |
tree | e96031cde08ed65028266d59f882d2a85e8efa5a | |
parent | 5e78b54d7c532bec0ee5a4ce3f1b6d6c94d17c51 (diff) | |
download | freeipa-3691e39a62da5134f911f6a798f79a3a2ae0c025.tar.gz freeipa-3691e39a62da5134f911f6a798f79a3a2ae0c025.tar.xz freeipa-3691e39a62da5134f911f6a798f79a3a2ae0c025.zip |
Fix upgrade when Dogtag also upgraded from 10.2 -> 10.3
ipa-server-upgrade from pre-lightweight CAs version fails when
Dogtag is also being upgraded from pre-lightweight CAs version,
because Dogtag needs to be restarted after adding the lightweight
CAs container, before requesting information about the host
authority.
Move the addition of the Dogtag lightweight CAs container entry a
bit earlier in the upgrade procedure, ensuring restart.
Fixes: https://fedorahosted.org/freeipa/ticket/6011
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
-rw-r--r-- | ipaserver/install/cainstance.py | 14 | ||||
-rw-r--r-- | ipaserver/install/server/upgrade.py | 2 |
2 files changed, 12 insertions, 4 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 2a2328449..5e3e8c7f9 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -1701,7 +1701,7 @@ def ensure_ldap_profiles_container(): ) def ensure_lightweight_cas_container(): - ensure_entry( + return ensure_entry( DN(('ou', 'authorities'), ('ou', 'ca'), ('o', 'ipaca')), objectclass=['top', 'organizationalUnit'], ou=['authorities'], @@ -1709,6 +1709,12 @@ def ensure_lightweight_cas_container(): def ensure_entry(dn, **attrs): + """Ensure an entry exists. + + If an entry with the given DN already exists, return ``False``, + otherwise add the entry and return ``True``. + + """ server_id = installutils.realm_to_serverid(api.env.realm) dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id @@ -1718,12 +1724,14 @@ def ensure_entry(dn, **attrs): try: conn.get_entry(dn) + return False except errors.NotFound: # entry doesn't exist; add it entry = conn.make_entry(dn, **attrs) conn.add_entry(entry) - - conn.disconnect() + return True + finally: + conn.disconnect() def configure_profiles_acl(): diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 3955a8cb9..43427178b 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1747,6 +1747,7 @@ def upgrade_configuration(): ca_enable_pkix(ca), ca_configure_profiles_acl(ca), ca_configure_lightweight_ca_acls(ca), + ca_ensure_lightweight_cas_container(ca), ca_add_default_ocsp_uri(ca), ]) @@ -1758,7 +1759,6 @@ def upgrade_configuration(): except ipautil.CalledProcessError as e: root_logger.error("Failed to restart %s: %s", ca.service_name, e) - ca_ensure_lightweight_cas_container(ca) ca_enable_ldap_profile_subsystem(ca) # This step MUST be done after ca_enable_ldap_profile_subsystem and |