From c5faaede276f3052517ddf86e64cb228e95dca2a Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Nov 24 2015 16:37:57 +0000
Subject: do not disconnect when using existing connection to check default CA ACLs


https://fedorahosted.org/freeipa/ticket/5459

Reviewed-By: Jan Cholasta <jcholast@redhat.com>

---

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index c72d11d..c20bf39 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1846,7 +1846,8 @@ def _create_dogtag_profile(profile_id, profile_data):
 
 def ensure_default_caacl():
     """Add the default CA ACL if missing."""
-    if not api.Backend.ldap2.isconnected():
+    is_already_connected = api.Backend.ldap2.isconnected()
+    if not is_already_connected:
         try:
             api.Backend.ldap2.connect(autobind=True)
         except errors.PublicError as e:
@@ -1870,7 +1871,7 @@ def ensure_default_caacl():
         api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert',
             certprofile=(u'caIPAserviceCert',))
 
-    if api.Backend.ldap2.isconnected():
+    if not is_already_connected:
         api.Backend.ldap2.disconnect()