From a77469f5984b12e201a3d349efad1ca2925ee5af Mon Sep 17 00:00:00 2001
From: Tomas Krizek
Date: Nov 07 2016 10:34:03 +0000
Subject: install: remove adhoc api.Backend.ldap2 (dis)connect

Remove adhoc connects and disconnects of api.Backend.ldap2. Connection should be established only at the start of the script, destroyed at the end of the script and re-established when directory server is restarted.

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti
Reviewed-By: Jan Cholasta

---

diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index cb04b0b..88ec627 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -123,16 +123,8 @@ def install_step_0(standalone, replica_config, options):
 
     if replica_config is not None:
         # Configure the CA if necessary
-        if standalone:
-            api.Backend.ldap2.disconnect()
-
         cainstance.install_replica_ca(replica_config, standalone,
-                                      ra_p12=getattr(options, 'ra_p12', None))
-
-        if standalone and not api.Backend.ldap2.isconnected():
-            api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
-                                      bind_pw=dm_password)
-
+                                      ra_p12=getattr(options, 'ra_p12', None))
         return
 
     if options.external_cert_files:
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index a1d44cf..84149b3 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -2040,14 +2040,6 @@ def ensure_ipa_authority_entry():
     )
     api.Backend.ra_lightweight_ca.override_port = None
 
-    is_already_connected = api.Backend.ldap2.isconnected()
-    if not is_already_connected:
-        try:
-            api.Backend.ldap2.connect(autobind=True)
-        except errors.PublicError as e:
-            root_logger.error("Cannot connect to LDAP to add CA: %s", e)
-            return
-
     ensure_entry(
         DN(api.env.container_ca, api.env.basedn),
         objectclass=['top', 'nsContainer'],
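Review bot: After this hunk install_replica_ca runs on whatever ldap2 connection the script opened earlier, while the removed lines show the standalone path used to drop that connection first and then re-bind as Directory Manager with dm_password; if install_replica_ca restarts the directory server (the commit message itself says a restart invalidates ldap2), the caller continues on a stale connection and nothing in the hunk re-establishes it. The removed lines were also the only users of `dm_password` and `DN(('cn', 'Directory Manager'))` visible in this hunk, so `dm_password` may now be a dead parameter of install_step_0 — worth checking, since an unused password argument tends to linger in call sites. A comment above the call would make the new contract explicit: `# Uses the ldap2 connection opened by the caller; reconnect if install_replica_ca restarts dirsrv.` install_step_0 starts and ends outside the hunk.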
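Review bot: ensure_ipa_authority_entry now assumes api.Backend.ldap2 is already connected and, unlike the removed block, no longer degrades to a logged "Cannot connect to LDAP to add CA" error when it is not; a caller that reaches ensure_entry without a connection gets whatever exception the backend raises. Failing loudly is arguably safer here than the old silent skip, which left the CA authority entry missing, but the precondition should be stated in the function's docstring (outside the hunk): `Requires api.Backend.ldap2 to be connected; the caller owns the connection lifecycle.` Note also that the entry is now written under the caller's bind identity rather than the removed root autobind, which is fine for the installer but worth recording so nobody reintroduces a root-only assumption later.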
@@ -2061,20 +2053,9 @@ def ensure_ipa_authority_entry():
         **attrs
     )
 
-    if not is_already_connected:
-        api.Backend.ldap2.disconnect()
-
 
 def ensure_default_caacl():
     """Add the default CA ACL if missing."""
-    is_already_connected = api.Backend.ldap2.isconnected()
-    if not is_already_connected:
-        try:
-            api.Backend.ldap2.connect(autobind=True)
-        except errors.PublicError as e:
-            root_logger.error("Cannot connect to LDAP to add CA ACLs: %s", e)
-            return
-
     ensure_entry(
         DN(('cn', 'ca'), api.env.basedn),
         objectclass=['top', 'nsContainer'],
@@ -2092,9 +2073,6 @@ def ensure_default_caacl():
     api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert',
                                   certprofile=(u'caIPAserviceCert',))
 
-    if not is_already_connected:
-        api.Backend.ldap2.disconnect()
-
 
 def add_lightweight_ca_tracking_requests(logger, lwcas):
     """Add tracking requests for the given lightweight CAs.
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 5d18302..2e5e12a 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -1193,7 +1193,6 @@ class DsInstance(service.Service):
 
         if ds_is_running:
             try:
-                api.Backend.ldap2.connect(autobind=True)
                 ret = api.Command['config_show']()
                 subject_base = str(
                     ret['result']['ipacertificatesubjectbase'][0])
@@ -1202,11 +1201,6 @@ class DsInstance(service.Service):
             except errors.PublicError as e:
                 root_logger.error('Cannot connect to DS to find certificate '
                                   'subject base: %s', e)
-            finally:
-                try:
-                    api.Backend.ldap2.disconnect()
-                except Exception:
-                    pass
 
         if not subject_base:
             root_logger.debug('Unable to find certificate subject base in DS')
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 7439099..b8e531a 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
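Review bot: The `except errors.PublicError` branch kept as context in the dsinstance.py hunk still logs 'Cannot connect to DS to find certificate subject base', but with the connect() call removed in the hunk just above it the only statement left in the try body is config_show, so the message now attributes a failed command (or an ldap2 backend the caller never connected) to a connection failure. Since this runs while the directory server is up and its result decides whether the subject base is known for the cleanup that follows, the log line should name what actually failed, e.g. `root_logger.error('Cannot read certificate subject base from DS: %s', e)`. Dropping the finally block also leaves the connection open past this point, which matches the commit's policy only if the caller disconnects before any dirsrv stop that follows — not visible here. The enclosing method starts and ends outside the hunk.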
@@ -856,7 +856,6 @@ def install(installer):
 
     if setup_ca:
         services.knownservices['pki_tomcatd'].restart('pki-tomcat')
-        api.Backend.ldap2.connect(autobind=True)
     if options.setup_dns:
         dns.install(False, False, options)
     else:
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 6ae9798..9672088 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -866,7 +866,6 @@ def install(installer):
 
     if config.setup_ca:
         services.knownservices['pki_tomcatd'].restart('pki-tomcat')
-        api.Backend.ldap2.connect(autobind=True)
     if options.setup_dns:
         dns.install(False, True, options)
     else:
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index e6e1e10..0ec01c9 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1133,14 +1133,6 @@ def add_ca_dns_records():
         root_logger.info('IPA CA DNS records already processed')
         return
 
-    if not api.Backend.ldap2.isconnected():
-        try:
-            api.Backend.ldap2.connect(autobind=True)
-        except ipalib.errors.PublicError as e:
-            root_logger.error(
-                "Cannot connect to LDAP to add DNS records: %s", e)
-            return
-
     ret = api.Command['dns_is_enabled']()
     if not ret['result']:
         root_logger.info('DNS is not configured')
@@ -1205,12 +1197,6 @@ def uninstall_dogtag_9(ds, http):
         root_logger.debug('Dogtag is version 10 or above')
         return
 
-    if not api.Backend.ldap2.isconnected():
-        try:
-            api.Backend.ldap2.connect(autobind=True)
-        except ipalib.errors.PublicError as e:
-            root_logger.error("Cannot connect to LDAP: %s", e)
-
     dn = DN(('cn', 'CA'), ('cn', api.env.host), ('cn', 'masters'),
             ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
     try:
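Review bot: With the `connect(autobind=True)` after the pki-tomcat restart removed, dns.install on the following lines runs over whichever ldap2 connection install() opened earlier, which is only correct if no step between that connect and this point restarts dirsrv — something this hunk cannot show. The removed call bound as root over LDAPI, so whether the DNS setup's effective bind identity changed depends on how install() now connects at its start; either way the assumption deserves a one-line comment at this point: `# ldap2 was connected at the start of install(); reconnect after any dirsrv restart.` The identical hunk in replicainstall.py has the same dependency. install() starts and ends outside the hunk.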
@@ -1396,13 +1382,6 @@ def fix_trust_flags():
         root_logger.info("Trust flags already processed")
         return
 
-    if not api.Backend.ldap2.isconnected():
-        try:
-            api.Backend.ldap2.connect(autobind=True)
-        except ipalib.errors.PublicError as e:
-            root_logger.error("Cannot connect to LDAP: %s", e)
-            return
-
     if not api.Command.ca_is_enabled()['result']:
         root_logger.info("CA is not enabled")
         return
@@ -1423,13 +1402,6 @@ def export_kra_agent_pem():
         root_logger.info("KRA agent PEM file already exported")
         return
 
-    if not api.Backend.ldap2.isconnected():
-        try:
-            api.Backend.ldap2.connect(autobind=True)
-        except ipalib.errors.PublicError as e:
-            root_logger.error("Cannot connect to LDAP: %s", e)
-            return
-
     if not api.Command.kra_is_enabled()['result']:
         root_logger.info("KRA is not enabled")
         return
@@ -1629,11 +1601,6 @@ def upgrade_configuration():
 
     ntpinstance.ntp_ldap_enable(api.env.host, api.env.basedn, api.env.realm)
 
-    # ldap2 connection is not valid after DS restart, close connection otherwise
-    # it will cause network errors
-    if api.Backend.ldap2.isconnected():
-        api.Backend.ldap2.disconnect()
-
     ds.stop(ds_serverid)
     fix_schema_file_syntax()
     remove_ds_ra_cert(subject_base)
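Review bot: The removed comment and disconnect() ahead of `ds.stop(ds_serverid)` in the upgrade_configuration hunk were the guard against exactly the failure the commit message describes — an ldap2 connection that outlives a directory server restart is dead and later calls fail with network errors — yet the hunk shows no replacement: the connection is now left open across the stop and nothing visible here reconnects after dirsrv comes back. Unless the stop/start sequence further down (outside the hunk) now handles this, every upgrade step that runs after the restart will use a stale socket, and an upgrade aborting half-way on a production IPA master is a real availability problem. I would keep the disconnect adjacent to the stop and pair it with an explicit reconnect once the server is up: `api.Backend.ldap2.disconnect()` immediately before `ds.stop(ds_serverid)`, and `api.Backend.ldap2.connect(autobind=True)` after the restart. upgrade_configuration continues outside the hunk.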