authorFraser Tweedale <ftweedal@redhat.com>2016-06-30 21:01:07 +1000
committerPetr Vobornik <pvoborni@redhat.com>2016-07-01 11:09:53 +0200
commit3691e39a62da5134f911f6a798f79a3a2ae0c025 (patch)
treee96031cde08ed65028266d59f882d2a85e8efa5a
parent5e78b54d7c532bec0ee5a4ce3f1b6d6c94d17c51 (diff)
Fix upgrade when Dogtag also upgraded from 10.2 -> 10.3
ipa-server-upgrade from pre-lightweight CAs version fails when Dogtag is also being upgraded from pre-lightweight CAs version, because Dogtag needs to be restarted after adding the lightweight CAs container, before requesting information about the host authority. Move the addition of the Dogtag lightweight CAs container entry a bit earlier in the upgrade procedure, ensuring restart. Fixes: https://fedorahosted.org/freeipa/ticket/6011 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
-rw-r--r--ipaserver/install/cainstance.py14
-rw-r--r--ipaserver/install/server/upgrade.py2
2 files changed, 12 insertions, 4 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 2a23284..5e3e8c7 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1701,7 +1701,7 @@ def ensure_ldap_profiles_container():
)
def ensure_lightweight_cas_container():
- ensure_entry(
+ return ensure_entry(
DN(('ou', 'authorities'), ('ou', 'ca'), ('o', 'ipaca')),
objectclass=['top', 'organizationalUnit'],
ou=['authorities'],
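Review bot: `ensure_lightweight_cas_container()` now has a return value that the upgrade code relies on, but nothing at the `return ensure_entry(` line documents it. A one-line docstring such as `"""Add the lightweight CAs container if missing; return True if it was added."""` would make the contract explicit for callers that decide whether to restart Dogtag. The sibling `ensure_ldap_profiles_container()` named in the hunk header may still discard the result; its body is not visible here, so confirm whether it should follow the same convention. The closing lines of the call are outside the hunk.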
@@ -1709,6 +1709,12 @@ def ensure_lightweight_cas_container():
def ensure_entry(dn, **attrs):
+ """Ensure an entry exists.
+
+ If an entry with the given DN already exists, return ``False``,
+ otherwise add the entry and return ``True``.
+
+ """
server_id = installutils.realm_to_serverid(api.env.realm)
dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
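Review bot: The new docstring on `ensure_entry` does not say that an existing entry is left untouched, so a caller could read "ensure" as also reconciling `attrs`. In the lines visible in the next hunk, only `conn.get_entry(dn)` is used for the existence test and the attributes are never compared. I would add a sentence such as `An existing entry is not modified, even if its attributes differ from attrs; errors other than NotFound propagate.` The function body continues outside this hunk.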
@@ -1718,12 +1724,14 @@ def ensure_entry(dn, **attrs):
try:
conn.get_entry(dn)
+ return False
except errors.NotFound:
# entry doesn't exist; add it
entry = conn.make_entry(dn, **attrs)
conn.add_entry(entry)
-
- conn.disconnect()
+ return True
+ finally:
+ conn.disconnect()
def configure_profiles_acl():
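Review bot: The existence check and the add are two separate LDAP operations, so if the entry appears between `conn.get_entry(dn)` and `conn.add_entry(entry)`, `add_entry` would raise instead of the function returning `False`. One way that could happen is replication from another server being upgraded, which is an inference and not something the diff shows. Guarding the add inside the `except errors.NotFound:` branch with `except errors.DuplicateEntry: return False` would keep the function idempotent. Separately, `finally: conn.disconnect()` only covers failures after `try:`. The connection setup is above the hunk, so check that a failed bind there cannot leave the connection open.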
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 3955a8c..4342717 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1747,6 +1747,7 @@ def upgrade_configuration():
ca_enable_pkix(ca),
ca_configure_profiles_acl(ca),
ca_configure_lightweight_ca_acls(ca),
+ ca_ensure_lightweight_cas_container(ca),
ca_add_default_ocsp_uri(ca),
])
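Review bot: Adding `ca_ensure_lightweight_cas_container(ca)` to this list only triggers the restart if the upgrade.py wrapper passes through the boolean from `cainstance.ensure_lightweight_cas_container()`. That wrapper is not part of this diff, so confirm it returns the value and not `None`. A short comment above the line would also help the next maintainer, e.g. `# must be in this list: Dogtag needs a restart after the container is added`. The list opens above the hunk, so how the results are combined is not visible here.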
@@ -1758,7 +1759,6 @@ def upgrade_configuration():
except ipautil.CalledProcessError as e:
root_logger.error("Failed to restart %s: %s", ca.service_name, e)
- ca_ensure_lightweight_cas_container(ca)
ca_enable_ldap_profile_subsystem(ca)
# This step MUST be done after ca_enable_ldap_profile_subsystem and