Bug 1511019

Cloned from upstream: https://pagure.io/freeipa/issue/7231

The following scenario is failing on the master branch:
1. ipa-backup
2. ipa-server-install --uninstall -U
3. python2 /usr/sbin/ipa-restore /path/to/full/backup/

with the following output:

    Directory Manager (existing master) password: 
    
    Preparing restore from /var/lib/ipa/backup/ipa-full-2017-10-31-19-21-23 on server.ipadomain.com
    Performing FULL restore from FULL backup
    Restoring data will overwrite existing live data. Continue to restore? [no]: yes
    Each master will individually need to be re-initialized or
    re-created from this one. The replication agreements on
    masters running IPA 3.1 or earlier will need to be manually
    re-enabled. See the man page for details.
    Disabling all replication.
    Unable to get connection, skipping disabling agreements: directory server instance is not running/configured
    Stopping IPA services
    Configuring certmonger to stop tracking system certificates for CA
    [Errno 2] No such file or directory: u'/etc/dirsrv/slapd-IPADOMAIN-COM/dse.ldif'
    The ipa-restore command failed. See /var/log/iparestore.log for more information

The log contains the following stack:

    2017-10-31T18:23:07Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
    2017-10-31T18:23:07Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 174, in execute
        return_value = self.run()
      File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_restore.py", line 389, in run
        self.cert_restore_prepare()
      File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_restore.py", line 838, in cert_restore_prepare
        installutils.realm_to_serverid(api.env.realm))
      File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 1111, in stop_tracking_certificates
        nickname = self.get_server_cert_nickname(serverid)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 1091, in get_server_cert_nickname
        with open(config_file, "r") as in_file:
    
    2017-10-31T18:23:07Z DEBUG The ipa-restore command failed, exception: IOError: [Errno 2] No such file or directory: u'/etc/dirsrv/slapd-IPADOMAIN-COM/dse.ldif'
    2017-10-31T18:23:07Z ERROR [Errno 2] No such file or directory: u'/etc/dirsrv/slapd-IPADOMAIN-COM/dse.ldif'
    2017-10-31T18:23:07Z ERROR The ipa-restore command failed. See /var/log/iparestore.log for more information

When ipa-restore is run with python3, the issue does not happen.

Investigation:
when `ipa-restore` is run after `ipa-server-install --uninstall`, the directory /etc/dirsrv/slapd-DOMAIN-COM does not exist. The `ipa-restore` tool wants to stop tracking LDAP server certificate, and needs to find the certificate name using the method get_server_cert_nickname which depends on the content of dse.ldif.
As the file does not exist, an IOError exception is raised.
In python3, IOError is a subclass of OSError but not in python2. The code catches OSError but not IOError exception, hence the different behavior in python2 or python3:

    def cert_restore_prepare(self):
        cainstance.CAInstance().stop_tracking_certificates()
        httpinstance.HTTPInstance().stop_tracking_certificates()
        try:
            dsinstance.DsInstance().stop_tracking_certificates(
                installutils.realm_to_serverid(api.env.realm))
        except OSError:
            # When IPA is not installed, DS NSS DB does not exist
            pass