suppress errors arising from adding existing LDAP entries during KRA install

https://fedorahosted.org/freeipa/ticket/5346

Reviewed-By: Jan Cholasta <jcholast@redhat.com>

ipaserver/install/krainstance.py

@@ -53,6 +53,8 @@ ADMIN_GROUPS = [
     'Security Domain Administrators'
 ]
 
+LDAPMOD_ERR_ALREADY_EXISTS = 68
+
 class KRAInstance(DogtagInstance):
     """
     We assume that the CA has already been installed, and we use the
@@ -312,8 +314,18 @@ class KRAInstance(DogtagInstance):
         conn.disconnect()
 
     def __add_vault_container(self):
-        self._ldap_mod('vault.ldif', {'SUFFIX': self.suffix})
+        try:
-        self.ldap_disconnect()
+            self._ldap_mod('vault.ldif', {'SUFFIX': self.suffix},
+                           raise_on_err=True)
+        except ipautil.CalledProcessError as e:
+            if e.returncode == LDAPMOD_ERR_ALREADY_EXISTS:
+                self.log.debug("Vault container already exists")
+            else:
+                self.log.error("Failed to add vault container: {0}".format(e))
+        finally:
+            # we need to disconnect from LDAP, because _ldap_mod() makes the
+            # connection without actually using it
+            self.ldap_disconnect()
 
     def __apply_updates(self):
         sub_dict = {

ipaserver/install/service.py

@@ -184,7 +184,7 @@ class Service(object):
         self.admin_conn.unbind()
         self.admin_conn = None
 
-    def _ldap_mod(self, ldif, sub_dict=None):
+    def _ldap_mod(self, ldif, sub_dict=None, raise_on_err=False):
         pw_name = None
         fd = None
         path = ipautil.SHARE_DIR + ldif
@@ -228,6 +228,8 @@ class Service(object):
             try:
                 ipautil.run(args, nolog=nologlist)
             except ipautil.CalledProcessError as e:
+                if raise_on_err:
+                    raise
                 root_logger.critical("Failed to load %s: %s" % (ldif, str(e)))
         finally:
             if pw_name: