From 245f54de1d4e2189b1234000916a7d591fa151b9 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Tue, 24 Nov 2015 14:43:10 +0100
Subject: [PATCH] disconnect ldap2 backend after adding default CA ACL profiles

ensure_default_caacl() was leaking open api.Backend.ldap2 connection which
could crash server/replica installation at later stages. This patch ensures
that after checking default CA ACL profiles the backend is disconnected.

https://fedorahosted.org/freeipa/ticket/5459

Reviewed-By: Tomas Babej <tbabej@redhat.com>
---
 ipaserver/install/cainstance.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 189876f3c0d980e78165d73eed86b2830ac8c5b8..c72d11d1e0b86c040dc497744cda87aab22caafd 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1870,6 +1870,9 @@ def ensure_default_caacl():
         api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert',
             certprofile=(u'caIPAserviceCert',))
 
+    if api.Backend.ldap2.isconnected():
+        api.Backend.ldap2.disconnect()
+
 
 if __name__ == "__main__":
     standard_logging_setup("install.log")
-- 
2.4.3