disconnect ldap2 backend after adding default CA ACL profiles

ensure_default_caacl() was leaking open api.Backend.ldap2 connection which
could crash server/replica installation at later stages. This patch ensures
that after checking default CA ACL profiles the backend is disconnected.

https://fedorahosted.org/freeipa/ticket/5459

Reviewed-By: Tomas Babej <tbabej@redhat.com>

ipaserver/install/cainstance.py

@@ -2028,6 +2028,9 @@ def ensure_default_caacl():
         api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert',
             certprofile=(u'caIPAserviceCert',))
 
+    if api.Backend.ldap2.isconnected():
+        api.Backend.ldap2.disconnect()
+
 
 if __name__ == "__main__":
     standard_logging_setup("install.log")