authorTomas Krizek <tkrizek@redhat.com>2016-10-26 16:08:43 +0200
committerMartin Basti <mbasti@redhat.com>2016-11-07 11:34:03 +0100
commita77469f5984b12e201a3d349efad1ca2925ee5af (patch)
tree4f249becda6d27fb6bd171713eb5e7ad0f8a7c40
parente05bdeb6cf4505ef84e485b95b37aabba625160b (diff)
install: remove adhoc api.Backend.ldap2 (dis)connect
Remove ad hoc connects and disconnects of api.Backend.ldap2. The connection should be established only at the start of the script, destroyed at the end of the script, and re-established when the directory server is restarted. https://fedorahosted.org/freeipa/ticket/6461 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
-rw-r--r--ipaserver/install/ca.py10
-rw-r--r--ipaserver/install/cainstance.py22
-rw-r--r--ipaserver/install/dsinstance.py6
-rw-r--r--ipaserver/install/server/install.py1
-rw-r--r--ipaserver/install/server/replicainstall.py1
-rw-r--r--ipaserver/install/server/upgrade.py33
6 files changed, 1 insertions, 72 deletions
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index cb04b0b7f..88ec6277f 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -123,16 +123,8 @@ def install_step_0(standalone, replica_config, options):
if replica_config is not None:
# Configure the CA if necessary
- if standalone:
- api.Backend.ldap2.disconnect()
-
cainstance.install_replica_ca(replica_config, standalone,
- ra_p12=getattr(options, 'ra_p12', None))
-
- if standalone and not api.Backend.ldap2.isconnected():
- api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
- bind_pw=dm_password)
-
+ ra_p12=getattr(options, 'ra_p12', None))
return
if options.external_cert_files:
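Review bot: The call to `cainstance.install_replica_ca(...)` now runs on whatever api.Backend.ldap2 connection the caller already holds, and nothing in this hunk checks or documents that precondition; the removed reconnect bound explicitly as Directory Manager, so the bind identity used afterwards is now decided entirely by the caller. I would add a comment above the call such as `# Requires an established api.Backend.ldap2 connection; the caller owns connect/disconnect and the bind identity.` The same unstated precondition applies to the functions touched in the cainstance.py, dsinstance.py and upgrade.py hunks, where the log-and-return paths for a failed connect are removed along with the connect itself. In the upgrade_configuration hunk the disconnect before `ds.stop(ds_serverid)` is dropped, and the reconnect after a directory server restart that the commit message calls for is not visible there, so it is worth confirming it exists outside the hunk. install_step_0's body starts and ends outside this hunk.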
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index a1d44cf6c..84149b329 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -2040,14 +2040,6 @@ def ensure_ipa_authority_entry():
)
api.Backend.ra_lightweight_ca.override_port = None
- is_already_connected = api.Backend.ldap2.isconnected()
- if not is_already_connected:
- try:
- api.Backend.ldap2.connect(autobind=True)
- except errors.PublicError as e:
- root_logger.error("Cannot connect to LDAP to add CA: %s", e)
- return
-
ensure_entry(
DN(api.env.container_ca, api.env.basedn),
objectclass=['top', 'nsContainer'],
@@ -2061,20 +2053,9 @@ def ensure_ipa_authority_entry():
**attrs
)
- if not is_already_connected:
- api.Backend.ldap2.disconnect()
-
def ensure_default_caacl():
"""Add the default CA ACL if missing."""
- is_already_connected = api.Backend.ldap2.isconnected()
- if not is_already_connected:
- try:
- api.Backend.ldap2.connect(autobind=True)
- except errors.PublicError as e:
- root_logger.error("Cannot connect to LDAP to add CA ACLs: %s", e)
- return
-
ensure_entry(
DN(('cn', 'ca'), api.env.basedn),
objectclass=['top', 'nsContainer'],
@@ -2092,9 +2073,6 @@ def ensure_default_caacl():
api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert',
certprofile=(u'caIPAserviceCert',))
- if not is_already_connected:
- api.Backend.ldap2.disconnect()
-
def add_lightweight_ca_tracking_requests(logger, lwcas):
"""Add tracking requests for the given lightweight CAs.
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 5d1830268..2e5e12ae0 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -1193,7 +1193,6 @@ class DsInstance(service.Service):
if ds_is_running:
try:
- api.Backend.ldap2.connect(autobind=True)
ret = api.Command['config_show']()
subject_base = str(
ret['result']['ipacertificatesubjectbase'][0])
@@ -1202,11 +1201,6 @@ class DsInstance(service.Service):
except errors.PublicError as e:
root_logger.error('Cannot connect to DS to find certificate '
'subject base: %s', e)
- finally:
- try:
- api.Backend.ldap2.disconnect()
- except Exception:
- pass
if not subject_base:
root_logger.debug('Unable to find certificate subject base in DS')
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 743909946..b8e531a56 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -856,7 +856,6 @@ def install(installer):
if setup_ca:
services.knownservices['pki_tomcatd'].restart('pki-tomcat')
- api.Backend.ldap2.connect(autobind=True)
if options.setup_dns:
dns.install(False, False, options)
else:
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 6ae979899..96720885d 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -866,7 +866,6 @@ def install(installer):
if config.setup_ca:
services.knownservices['pki_tomcatd'].restart('pki-tomcat')
- api.Backend.ldap2.connect(autobind=True)
if options.setup_dns:
dns.install(False, True, options)
else:
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index e6e1e1011..0ec01c919 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1133,14 +1133,6 @@ def add_ca_dns_records():
root_logger.info('IPA CA DNS records already processed')
return
- if not api.Backend.ldap2.isconnected():
- try:
- api.Backend.ldap2.connect(autobind=True)
- except ipalib.errors.PublicError as e:
- root_logger.error(
- "Cannot connect to LDAP to add DNS records: %s", e)
- return
-
ret = api.Command['dns_is_enabled']()
if not ret['result']:
root_logger.info('DNS is not configured')
@@ -1205,12 +1197,6 @@ def uninstall_dogtag_9(ds, http):
root_logger.debug('Dogtag is version 10 or above')
return
- if not api.Backend.ldap2.isconnected():
- try:
- api.Backend.ldap2.connect(autobind=True)
- except ipalib.errors.PublicError as e:
- root_logger.error("Cannot connect to LDAP: %s", e)
-
dn = DN(('cn', 'CA'), ('cn', api.env.host), ('cn', 'masters'),
('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
try:
@@ -1396,13 +1382,6 @@ def fix_trust_flags():
root_logger.info("Trust flags already processed")
return
- if not api.Backend.ldap2.isconnected():
- try:
- api.Backend.ldap2.connect(autobind=True)
- except ipalib.errors.PublicError as e:
- root_logger.error("Cannot connect to LDAP: %s", e)
- return
-
if not api.Command.ca_is_enabled()['result']:
root_logger.info("CA is not enabled")
return
@@ -1423,13 +1402,6 @@ def export_kra_agent_pem():
root_logger.info("KRA agent PEM file already exported")
return
- if not api.Backend.ldap2.isconnected():
- try:
- api.Backend.ldap2.connect(autobind=True)
- except ipalib.errors.PublicError as e:
- root_logger.error("Cannot connect to LDAP: %s", e)
- return
-
if not api.Command.kra_is_enabled()['result']:
root_logger.info("KRA is not enabled")
return
@@ -1629,11 +1601,6 @@ def upgrade_configuration():
ntpinstance.ntp_ldap_enable(api.env.host, api.env.basedn, api.env.realm)
- # ldap2 connection is not valid after DS restart, close connection otherwise
- # it will cause network errors
- if api.Backend.ldap2.isconnected():
- api.Backend.ldap2.disconnect()
-
ds.stop(ds_serverid)
fix_schema_file_syntax()
remove_ds_ra_cert(subject_base)