upgrade: unconditional import of certificate profiles into LDAP

During IPA server upgrade, the migration of Dogtag profiles into LDAP
backend was bound to the update of CS.cfg which enabled the LDAP profile
subsystem. If the subsequent profile migration failed, the subsequent
upgrades were not executing the migration code leaving CA subsystem in
broken state. Therefore the migration code path should be executed
regardless of the status of the main Dogtag config file.

https://fedorahosted.org/freeipa/ticket/5682

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>

ipaserver/install/cainstance.py

@@ -1707,7 +1707,6 @@ def migrate_profiles_to_ldap():
             continue
         class_id = match.group(1)
 
-        root_logger.info("Migrating profile '%s' to LDAP", profile_id)
         with open(filename) as f:
             profile_data = f.read()
             if profile_data[-1] != '\n':
@@ -1724,7 +1723,12 @@ def _create_dogtag_profile(profile_id, profile_data):
         # import the profile
         try:
             profile_api.create_profile(profile_data)
-        except errors.RemoteRetrieveError:
+            root_logger.info("Profile '%s' successfully migrated to LDAP",
+                             profile_id)
+        except errors.RemoteRetrieveError as e:
+            root_logger.debug("Error migrating '{}': {}".format(
+                profile_id, e))
+
             # conflicting profile; replace it if we are
             # installing IPA, but keep it for upgrades
             if api.env.context == 'installer':

ipaserver/install/server/upgrade.py

@@ -333,7 +333,9 @@ def ca_enable_ldap_profile_subsystem(ca):
             separator='=')
 
         ca.restart('pki-tomcat')
-        cainstance.migrate_profiles_to_ldap()
+
+    root_logger.info('[Migrating certificate profiles to LDAP]')
+    cainstance.migrate_profiles_to_ldap()
 
     return needs_update