From 528a21996734467be193673e4f987e7e3acc3ad9 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Sat, 11 May 2019 11:54:40 +0300
Subject: [PATCH] upgrade: adtrust - catch empty result when retrieving list of
 trusts

Upgrade failure when ipa-server-upgrade is being run on a system with no
trust established but trust configured

Fixes: https://pagure.io/freeipa/issue/7939
---
 ipaserver/install/plugins/adtrust.py | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
index 6b4e2caa2..cdc3a8b04 100644
--- a/ipaserver/install/plugins/adtrust.py
+++ b/ipaserver/install/plugins/adtrust.py
@@ -609,11 +609,17 @@ class update_tdo_to_new_layout(Updater):
 
         trusts_dn = self.api.env.container_adtrusts + self.api.env.basedn
 
-        trusts = ldap.get_entries(
-            base_dn=trusts_dn,
-            scope=ldap.SCOPE_ONELEVEL,
-            filter=self.trust_filter,
-            attrs_list=self.trust_attrs)
+        # We might be in a situation when no trusts exist yet
+        # In such case there is nothing to upgrade but we have to catch
+        # an exception or it will abort the whole upgrade process
+        try:
+            trusts = ldap.get_entries(
+                base_dn=trusts_dn,
+                scope=ldap.SCOPE_ONELEVEL,
+                filter=self.trust_filter,
+                attrs_list=self.trust_attrs)
+        except errors.EmptyResult:
+            trusts = []
 
         # For every trust, retrieve its principals and convert
         for t_entry in trusts:
-- 
2.21.0