add missing attribute to ipaca replica during CA topology update

'nsds5replicabinddngroupcheckinterval' attribute was not properly added
to 'o=ipaca' replica attribute during upgrade. The CA topology update
plugin should now add it to the entry if it exists.

https://fedorahosted.org/freeipa/ticket/6508

Reviewed-By: Martin Basti <mbasti@redhat.com>

ipaserver/install/plugins/update_ca_topology.py

@@ -2,8 +2,10 @@
 # Copyright (C) 2015  FreeIPA Contributors see COPYING for license
 #
 
+from ipalib import errors
 from ipalib import Registry
 from ipalib import Updater
+from ipapython.dn import DN
 from ipaserver.install import certs, cainstance
 from ipaserver.install import ldapupdate
 from ipaplatform.paths import paths
@@ -31,4 +33,24 @@ class update_ca_topology(Updater):
 
         ld.update([paths.CA_TOPOLOGY_ULDIF])
 
+        ldap = self.api.Backend.ldap2
+
+        ca_replica_dn = DN(
+            ('cn', 'replica'),
+            ('cn', 'o=ipaca'),
+            ('cn', 'mapping tree'),
+            ('cn', 'config'))
+
+        check_interval_attr = 'nsds5replicabinddngroupcheckinterval'
+        default_check_interval = ['60']
+
+        try:
+            ca_replica_entry = ldap.get_entry(ca_replica_dn)
+        except errors.NotFound:
+            pass
+        else:
+            if check_interval_attr not in ca_replica_entry:
+                ca_replica_entry[check_interval_attr] = default_check_interval
+                ldap.update_entry(ca_replica_entry)
+
         return False, []