do not disconnect when using existing connection to check default CA ACLs

https://fedorahosted.org/freeipa/ticket/5459

Reviewed-By: Jan Cholasta <jcholast@redhat.com>

ipaserver/install/cainstance.py

@@ -2004,7 +2004,8 @@ def _create_dogtag_profile(profile_id, profile_data):
 
 def ensure_default_caacl():
     """Add the default CA ACL if missing."""
-    if not api.Backend.ldap2.isconnected():
+    is_already_connected = api.Backend.ldap2.isconnected()
+    if not is_already_connected:
         try:
             api.Backend.ldap2.connect(autobind=True)
         except errors.PublicError as e:
@@ -2028,7 +2029,7 @@ def ensure_default_caacl():
         api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert',
             certprofile=(u'caIPAserviceCert',))
 
-    if api.Backend.ldap2.isconnected():
+    if not is_already_connected:
         api.Backend.ldap2.disconnect()