From 08d26c374ae6198b5a1ec59556ca8814329b845f Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 20 Nov 2015 15:59:11 +1100 Subject: [PATCH] Avoid race condition caused by profile delete and recreate When importing IPA-managed certificate profiles into Dogtag, profiles with the same name (usually caIPAserviceCert) are removed, then immediately recreated with the new profile data. This causes a race condition - Dogtag's LDAPProfileSystem profileChangeMonitor thread could observe and process the deletion after the profile was recreated, disappearing it again. Update the profile instead of deleting and recreating it to avoid this race condition. Fixes: https://fedorahosted.org/freeipa/ticket/5269 Reviewed-By: Jan Cholasta
---
 ipaserver/install/cainstance.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index d230c9bdcab68f02cce32a2aeb89ca3e2143eefe..3e3dce93de2b8ca48a3fe3ea5994ee92a1b0ce49 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1812,8 +1812,7 @@ def _create_dogtag_profile(profile_id, profile_data):
 root_logger.debug(
 "Failed to disable profile '%s' "
 "(it is probably already disabled)")
- profile_api.delete_profile(profile_id)
- profile_api.create_profile(profile_data)
+ profile_api.update_profile(profile_id, profile_data)
 # enable the profile
 try:
--
2.4.3
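Review bot: The `root_logger.debug(...)` call just above the changed line has a `%s` placeholder but passes no argument, so the log records a literal `%s` instead of the profile that could not be disabled; close the call with `"(it is probably already disabled)", profile_id)`. On the new `profile_api.update_profile(profile_id, profile_data)` line, a short why-comment would stop a later cleanup from restoring the old sequence, for example `# update in place: delete + create races with Dogtag's profileChangeMonitor (ticket 5269)`. The hunk does not show what happens if the update raises after the profile has been disabled; unless a caller handles it, the profile presumably stays disabled and issuance against it fails, so that path is worth confirming. The body of `_create_dogtag_profile` starts and ends outside the hunk.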