From 341406d16540b1edc0d2792fe2cd9db75590f88e Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Tue, 24 Nov 2015 14:43:10 +0100
Subject: [PATCH] disconnect ldap2 backend after adding default CA ACL profiles

ensure_default_caacl() was leaking open api.Backend.ldap2 connection which
could crash server/replica installation at later stages. This patch ensures
that after checking default CA ACL profiles the backend is disconnected.

https://fedorahosted.org/freeipa/ticket/5459

Reviewed-By: Tomas Babej <tbabej@redhat.com>
---
 ipaserver/install/cainstance.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 90edb362f..cca27e9d2 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -2028,6 +2028,9 @@ def ensure_default_caacl():
         api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert',
             certprofile=(u'caIPAserviceCert',))
 
+    if api.Backend.ldap2.isconnected():
+        api.Backend.ldap2.disconnect()
+
 
 if __name__ == "__main__":
     standard_logging_setup("install.log")