From 52e2e879fa4decf67a19d6c79f4ec409b6a0dce7 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Mon, 22 Feb 2016 13:35:41 +0100
Subject: [PATCH] upgrade: unconditional import of certificate profiles into
LDAP
During IPA server upgrade, the migration of Dogtag profiles into LDAP
backend was bound to the update of CS.cfg which enabled the LDAP profile
subsystem. If the subsequent profile migration failed, the subsequent
upgrades were not executing the migration code leaving CA subsystem in
broken state. Therefore the migration code path should be executed
regardless of the status of the main Dogtag config file.
https://fedorahosted.org/freeipa/ticket/5682
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
ipaserver/install/cainstance.py | 8 ++++++--
ipaserver/install/server/upgrade.py | 4 +++-
2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 369902ad04b197c9e9516503c1f81c4de1ef153b..1a98c438786ae7dad208212fff23e3a760c95b3c 100644
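--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1807,7 +1807,6 @@ def migrate_profiles_to_ldap(dogtag_constants):
 continue
 class_id = match.group(1)
 
- root_logger.info("Migrating profile '%s' to LDAP", profile_id)
 with open(filename) as f:
 profile_data = f.read()
 if profile_data[-1] != '\n':
@@ -1824,7 +1823,12 @@ def _create_dogtag_profile(profile_id, profile_data):
 # import the profile
 try:
 profile_api.create_profile(profile_data)
- except errors.RemoteRetrieveError:
+ root_logger.info("Profile '%s' successfully migrated to LDAP",
+ profile_id)
+ except errors.RemoteRetrieveError as e:
+ root_logger.debug("Error migrating '{}': {}".format(
+ profile_id, e))
+
 # conflicting profile; replace it if we are
 # installing IPA, but keep it for upgrades
 if api.env.context == 'installer':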
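Review bot: The new failure branch in `_create_dogtag_profile` builds its message eagerly with `str.format` and logs it only at debug level, while the success path just above it uses lazy `%s` arguments at info level. I would write `root_logger.debug("Error migrating '%s': %s", profile_id, e)` for consistency, and consider a warning when the `RemoteRetrieveError` is something other than the profile conflict the handler's comment assumes, since on upgrades the existing profile is kept and the operator otherwise sees nothing. The success text says "migrated", but the `api.env.context == 'installer'` check suggests this helper also runs at install time, where that wording may mislead. The function body continues past the end of the hunk, so the rest of the handler is not visible here.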
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 0a46635979497f8028465c2295b22485fd9c0279..258d976c83844f89c1a939303b685fd6565b79e5 100644
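--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -336,7 +336,9 @@ def ca_enable_ldap_profile_subsystem(ca):
 separator='=')
 
 ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
- cainstance.migrate_profiles_to_ldap(caconfig)
+
+ root_logger.info('[Migrating certificate profiles to LDAP]')
+ cainstance.migrate_profiles_to_ldap(caconfig)
 
 return needs_update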
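Review bot: Nothing at the call site says why `migrate_profiles_to_ldap` now runs on every upgrade, and the function name `ca_enable_ldap_profile_subsystem` no longer describes everything it does. A comment above the call such as `# run on every upgrade so a previously failed profile migration is retried` would keep a later cleanup from moving it back under the CS.cfg check. Because the import is now repeated on each upgrade, it relies on the conflict handling in `_create_dogtag_profile` keeping existing LDAP profiles; it is worth confirming that the upgrader never runs with `api.env.context == 'installer'`, otherwise locally modified certificate profiles would be replaced. The returned `needs_update` also does not reflect whether the migration succeeded. Indentation is lost on this page, so the nesting of the added lines is inferred from the commit message.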
--
2.5.0