From c41034f5ab587023d9941409618bdf5dc9046fae Mon Sep 17 00:00:00 2001
From: Martin Kosek <mkosek@redhat.com>
Date: Tue, 4 Feb 2014 11:02:34 +0100
Subject: [PATCH] ipa-lockout: do not fail when default realm cannot be read
When ipa-lockout plugin is started during FreeIPA server installation,
the default realm may not be available and plugin should then not end
with failure.
Similarly to other plugins, start in degraded mode in this situation.
Operation is fully restored during the final services restart.
https://fedorahosted.org/freeipa/ticket/4085
---
.../ipa-slapi-plugins/ipa-lockout/ipa_lockout.c | 34 +++++++++++-----------
1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
index 5a24359d319aaea28773daa01d268d2d46583270..265c2701c36fe78486a2bdd4a66366b0b05472a0 100644
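--- a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
+++ b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
@@ -176,23 +176,23 @@ ipalockout_get_global_config(struct ipa_context *ipactx)
 krberr = krb5_init_context(&krbctx);
 if (krberr) {
 LOG_FATAL("krb5_init_context failed (%d)\n", krberr);
- ret = LDAP_OPERATIONS_ERROR;
- goto done;
- }
-
- krberr = krb5_get_default_realm(krbctx, &realm;;
- if (krberr) {
- LOG_FATAL("Failed to get default realm (%d)\n", krberr);
- ret = LDAP_OPERATIONS_ERROR;
- goto done;
- }
-
- ipa_global_policy = slapi_ch_smprintf("cn=global_policy,cn=%s,cn=kerberos,%s",
- realm, basedn);
- if (!ipa_global_policy) {
- LOG_OOM();
- ret = LDAP_OPERATIONS_ERROR;
- goto done;
+ /* Yes, we failed, but it is because /etc/krb5.conf doesn't exist
+ * or is misconfigured. Start up in a degraded mode.
+ */
+ } else {
+ krberr = krb5_get_default_realm(krbctx, &realm;;
+ if (krberr) {
+ LOG_FATAL("Failed to get default realm (%d)\n", krberr);
+ } else {
+ ipa_global_policy =
+ slapi_ch_smprintf("cn=global_policy,cn=%s,cn=kerberos,%s",
+ realm, basedn);
+ if (!ipa_global_policy) {
+ LOG_OOM();
+ ret = LDAP_OPERATIONS_ERROR;
+ goto done;
+ }
+ }
 }
 
 ret = asprintf(&dn, "cn=ipaConfig,cn=etc,%s", basedn);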
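Review bot: The degraded path is reachable on any start-up where `krb5_init_context` or `krb5_get_default_realm` fails, not only during installation, and in both branches `ipa_global_policy` is left unset while the function carries on. The code that consumes `ipa_global_policy` is outside this hunk, so it should be confirmed that every reader handles the unset value and that a missing global policy DN does not quietly turn lockout enforcement off on a production server with a broken krb5 configuration. The two log lines should say that the plugin continues without the policy so the state can be found in the errors log, for example `LOG_FATAL("Failed to get default realm (%d), global lockout policy unavailable until restart\n", krberr);`. The default-realm branch also deserves the same explanatory comment the `krb5_init_context` branch received, since it is the case the commit message actually describes. The body of `ipalockout_get_global_config` starts and ends outside the hunk.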
--
1.8.5.3