areguera / rpms / ipa

Forked from rpms/ipa 5 years ago
Clone
Blob Blame History Raw
From 52e2e879fa4decf67a19d6c79f4ec409b6a0dce7 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Mon, 22 Feb 2016 13:35:41 +0100
Subject: [PATCH] upgrade: unconditional import of certificate profiles into
 LDAP

During IPA server upgrade, the migration of Dogtag profiles into LDAP
backend was bound to the update of CS.cfg which enabled the LDAP profile
subsystem. If the subsequent profile migration failed, the subsequent
upgrades were not executing the migration code leaving CA subsystem in
broken state. Therefore the migration code path should be executed
regardless of the status of the main Dogtag config file.

https://fedorahosted.org/freeipa/ticket/5682

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipaserver/install/cainstance.py     | 8 ++++++--
 ipaserver/install/server/upgrade.py | 4 +++-
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 369902ad04b197c9e9516503c1f81c4de1ef153b..1a98c438786ae7dad208212fff23e3a760c95b3c 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1807,7 +1807,6 @@ def migrate_profiles_to_ldap(dogtag_constants):
             continue
         class_id = match.group(1)
 
-        root_logger.info("Migrating profile '%s' to LDAP", profile_id)
         with open(filename) as f:
             profile_data = f.read()
             if profile_data[-1] != '\n':
@@ -1824,7 +1823,12 @@ def _create_dogtag_profile(profile_id, profile_data):
         # import the profile
         try:
             profile_api.create_profile(profile_data)
-        except errors.RemoteRetrieveError:
+            root_logger.info("Profile '%s' successfully migrated to LDAP",
+                             profile_id)
+        except errors.RemoteRetrieveError as e:
+            root_logger.debug("Error migrating '{}': {}".format(
+                profile_id, e))
+
             # conflicting profile; replace it if we are
             # installing IPA, but keep it for upgrades
             if api.env.context == 'installer':
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 0a46635979497f8028465c2295b22485fd9c0279..258d976c83844f89c1a939303b685fd6565b79e5 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -336,7 +336,9 @@ def ca_enable_ldap_profile_subsystem(ca):
             separator='=')
 
         ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
-        cainstance.migrate_profiles_to_ldap(caconfig)
+
+    root_logger.info('[Migrating certificate profiles to LDAP]')
+    cainstance.migrate_profiles_to_ldap(caconfig)
 
     return needs_update
 
-- 
2.5.0