- Move ipa-otpd socket directory to /var/run/krb5kdc - Require krb5-server 1.11.5-3 supporting the new directory - ipa_lockout plugin did not work with users without krbPwdPolicyReference
From 43070359eb267c3eb3b290f5f601e9509a63389f Mon Sep 17 00:00:00 2001
From: Martin Kosek <mkosek@redhat.com>
Date: Tue, 4 Feb 2014 11:02:34 +0100
Subject: [PATCH 11/11] ipa-lockout: do not fail when default realm cannot be
read
When ipa-lockout plugin is started during FreeIPA server installation,
the default realm may not be available and plugin should then not end
with failure.
Similarly to other plugins, start in degraded mode in this situation.
Operation is fully restored during the final services restart.
https://fedorahosted.org/freeipa/ticket/4085
---
.../ipa-slapi-plugins/ipa-lockout/ipa_lockout.c | 34 +++++++++++-----------
1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
index 5a24359d319aaea28773daa01d268d2d46583270..265c2701c36fe78486a2bdd4a66366b0b05472a0 100644
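--- a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
+++ b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
@@ -176,23 +176,23 @@ ipalockout_get_global_config(struct ipa_context *ipactx)
 krberr = krb5_init_context(&krbctx);
 if (krberr) {
 LOG_FATAL("krb5_init_context failed (%d)\n", krberr);
- ret = LDAP_OPERATIONS_ERROR;
- goto done;
- }
-
- krberr = krb5_get_default_realm(krbctx, &realm);
- if (krberr) {
- LOG_FATAL("Failed to get default realm (%d)\n", krberr);
- ret = LDAP_OPERATIONS_ERROR;
- goto done;
- }
-
- ipa_global_policy = slapi_ch_smprintf("cn=global_policy,cn=%s,cn=kerberos,%s",
- realm, basedn);
- if (!ipa_global_policy) {
- LOG_OOM();
- ret = LDAP_OPERATIONS_ERROR;
- goto done;
+ /* Yes, we failed, but it is because /etc/krb5.conf doesn't exist
+ * or is misconfigured. Start up in a degraded mode.
+ */
+ } else {
+ krberr = krb5_get_default_realm(krbctx, &realm);
+ if (krberr) {
+ LOG_FATAL("Failed to get default realm (%d)\n", krberr);
+ } else {
+ ipa_global_policy =
+ slapi_ch_smprintf("cn=global_policy,cn=%s,cn=kerberos,%s",
+ realm, basedn);
+ if (!ipa_global_policy) {
+ LOG_OOM();
+ ret = LDAP_OPERATIONS_ERROR;
+ goto done;
+ }
+ }
 }
 
 ret = asprintf(&dn, "cn=ipaConfig,cn=etc,%s", basedn);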
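Review bot: When krb5_init_context() or krb5_get_default_realm() fails, the new branches leave `ipa_global_policy` unset and carry on, so whatever later reads the global policy DN (outside this hunk) has to treat a missing value as a defined state; whether it does is not visible here. Since this plugin enforces account lockout, both log messages should say that the global lockout policy is unavailable until restart, for example `LOG_FATAL("Failed to get default realm (%d), global lockout policy unavailable until restart\n", krberr);`, so a broken krb5.conf on a running server is visible to operators and not mistaken for an install-time condition. The added comment also attributes every krb5_init_context() failure to /etc/krb5.conf, which the error code alone does not establish. ipalockout_get_global_config begins and ends outside the hunk.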
--
1.8.5.3