From 0f39612730448993190b07708ad4c4956b214a81 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Nov 24 2015 14:37:06 +0000
Subject: disconnect ldap2 backend after adding default CA ACL profiles


ensure_default_caacl() was leaking open api.Backend.ldap2 connection which
could crash server/replica installation at later stages. This patch ensures
that after checking default CA ACL profiles the backend is disconnected.

https://fedorahosted.org/freeipa/ticket/5459

Reviewed-By: Tomas Babej <tbabej@redhat.com>

---

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 189876f..c72d11d 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1870,6 +1870,9 @@ def ensure_default_caacl():
         api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert',
             certprofile=(u'caIPAserviceCert',))
 
+    if api.Backend.ldap2.isconnected():
+        api.Backend.ldap2.disconnect()
+
 
 if __name__ == "__main__":
     standard_logging_setup("install.log")