authorRob Crittenden <rcritten@redhat.com>2011-02-10 22:26:46 -0500
committerRob Crittenden <rcritten@redhat.com>2011-02-14 14:07:17 -0500
commitc9431749a0078df8bdf13490daac5f3467cc1c02 (patch)
tree502606e9c1617aea71b7aa9a79d3a8ed46fb7d46
parentb46faf9dfc4ba0d78cccea749b47296767964234 (diff)
Let 389-ds start up even if Kerboros is not configured yet.
If /etc/krb5.conf either doesn't exist or configures no realms during installation, 389-ds won't start up at all, causing the installation to fail. This change lets the server start up in a degraded mode. The sub_dict in ldapupdate.py also needs to handle a missing realm; otherwise the installation will abort while enabling the compat plugin. ticket 606
-rw-r--r--daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c27
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c9
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c1
-rw-r--r--ipaserver/install/ldapupdate.py14
4 files changed, 38 insertions, 13 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
index 34fba02c4..ec1c3967c 100644
--- a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
+++ b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
@@ -101,6 +101,13 @@ ipaenrollement_secure(Slapi_PBlock *pb, char **errMesg)
goto done;
}
+ if (NULL == realm) {
+ *errMesg = "Kerberos realm is not set.\n";
+ LOG_FATAL("%s", errMesg);
+ rc = LDAP_OPERATIONS_ERROR;
+ goto done;
+ }
+
if ((0 == is_ssl) && (sasl_ssf <= 1)) {
*errMesg = "Operation requires a secure connection.\n";
rc = LDAP_CONFIDENTIALITY_REQUIRED;
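Review bot: In the realm check added to ipaenrollement_secure, `LOG_FATAL("%s", errMesg);` passes the `char **` parameter itself to `%s`, so (assuming LOG_FATAL is printf-style) the log call reads the pointer's storage as a string instead of the message; it should be `LOG_FATAL("%s", *errMesg);`. The identical line in the ipa_join hunk is only correct if errMesg is a plain `char *` there, which its declaration outside the hunk would confirm. The new check also runs before the secure-connection test that follows it, so a client on an unprotected connection gets the realm-not-set answer instead of `LDAP_CONFIDENTIALITY_REQUIRED`; moving the check below that test would keep the server's configuration state off insecure connections.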
@@ -144,6 +151,13 @@ ipa_join(Slapi_PBlock *pb)
char *principal = NULL;
struct berval retbval;
+ if (NULL == realm) {
+ errMesg = "Kerberos realm is not set.\n";
+ LOG_FATAL("%s", errMesg);
+ rc = LDAP_OPERATIONS_ERROR;
+ goto done;
+ }
+
/* Get Bind DN */
slapi_pblock_get(pb, SLAPI_CONN_DN, &bindDN);
@@ -363,18 +377,21 @@ ipaenrollment_start(Slapi_PBlock *pb)
krberr = krb5_init_context(&krbctx);
if (krberr) {
LOG_FATAL("krb5_init_context failed\n");
- return LDAP_OPERATIONS_ERROR;
+ /* Yes, we failed, but it is because /etc/krb5.conf doesn't exist
+ * or is misconfigured. Start up in a degraded mode.
+ */
+ goto done;
}
- ret = krb5_get_default_realm(krbctx, &realm);
- if (ret) {
+ krberr = krb5_get_default_realm(krbctx, &realm);
+ if (krberr) {
+ realm = NULL;
LOG_FATAL("Failed to get default realm?!\n");
- ret = LDAP_OPERATIONS_ERROR;
+ goto done;
}
if (slapi_pblock_get(pb, SLAPI_TARGET_DN, &config_dn) != 0) {
LOG_FATAL("No config DN?\n");
- ret = LDAP_OPERATIONS_ERROR;
goto done;
}
sdn = slapi_sdn_new_dn_byref(config_dn);
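Review bot: The `No config DN?` branch loses its `ret = LDAP_OPERATIONS_ERROR;`, so a failure that has nothing to do with Kerberos now reaches `done` with whatever `ret` already holds. Since the only visible assignment to `ret` before this point was removed as well, the returned value depends entirely on an initializer outside the hunk. Either keep the assignment in that branch or add a comment there saying the missing config DN is deliberately non-fatal. Both Kerberos branches also drop `krberr` without logging it; `LOG_FATAL("krb5_init_context failed (%d)\n", (int)krberr);` would let an operator tell a missing krb5.conf from any other initialisation error that now also results in a degraded start. The declaration of `ret` and the `done` label are outside the hunk.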
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index 7a4591f8a..d76b7f7cd 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -1069,7 +1069,10 @@ static int ipapwd_start( Slapi_PBlock *pb )
krberr = krb5_init_context(&krbctx);
if (krberr) {
LOG_FATAL("krb5_init_context failed\n");
- return LDAP_OPERATIONS_ERROR;
+ /* Yes, we failed, but it is because /etc/krb5.conf doesn't exist
+ * or is misconfigured. Start up in a degraded mode.
+ */
+ return LDAP_SUCCESS;
}
if (slapi_pblock_get(pb, SLAPI_TARGET_DN, &config_dn) != 0) {
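Review bot: Returning `LDAP_SUCCESS` from the `krb5_init_context` failure path leaves the password extended-operation plugin started without a Kerberos context, and unlike ipa_enrollment.c this diff adds no degraded-mode guard to the request handlers in this file. If those handlers (outside the diff) depend on the Kerberos context or the plugin configuration, they should reject requests with an explicit error while the plugin is degraded, in the same way the `NULL == realm` checks do in ipa_join. At minimum the comment on the early return should say which operations are unavailable in degraded mode and how the plugin recovers, for example `/* Password operations stay unavailable until the server is restarted with a valid krb5.conf. */` if that is the intended behaviour.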
@@ -1079,8 +1082,8 @@ static int ipapwd_start( Slapi_PBlock *pb )
}
if (ipapwd_getEntry(config_dn, &config_entry, NULL) != LDAP_SUCCESS) {
- LOG_FATAL("No config Entry?\n");
- ret = LDAP_OPERATIONS_ERROR;
+ LOG_FATAL("No config Entry extop?\n");
+ ret = LDAP_SUCCESS;
goto done;
}
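Review bot: The missing-config-entry branch now sets `ret = LDAP_SUCCESS;` with no comment, and the degraded-mode comment added earlier in ipapwd_start covers only the `krb5_init_context` failure. If the intent, as the commit message suggests, is that the entry may not exist yet during installation, say so on the branch, e.g. `/* Config entry may not exist yet during installation; start degraded. */`. A condition that is now treated as success is still logged through `LOG_FATAL`, which will read as a startup failure to anyone triaging the error log; a lower severity, if the logging macros in this file offer one, would match the new behaviour.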
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
index 6f4f02e01..5ff214e50 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
@@ -311,6 +311,7 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
ret = ipapwd_getEntry(ipa_etc_config_dn, &config_entry, NULL);
if (ret != LDAP_SUCCESS) {
LOG_FATAL("No config Entry?\n");
+ goto free_and_error;
} else {
tmparray = slapi_entry_attr_get_charray(config_entry,
"ipaConfigString");
diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
index f8128fc3a..e7411e3fb 100644
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -68,6 +68,12 @@ class LDAPUpdate:
self.pw_name = pwd.getpwuid(os.geteuid()).pw_name
krbctx = krbV.default_context()
+ try:
+ self.realm = krbctx.default_realm
+ suffix = util.realm_to_suffix(self.realm)
+ except krbV.Krb5Error:
+ self.realm = None
+ suffix = None
fqdn = installutils.get_fqdn()
if fqdn is None:
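Review bot: The new `try` covers `krbctx.default_realm` but not the `krbV.default_context()` call on the line before it, so if that call raises `krbV.Krb5Error` when /etc/krb5.conf is missing (the case named in the commit message, and the one the C plugins now tolerate for `krb5_init_context`), the constructor still aborts. Moving `krbctx = krbV.default_context()` inside the `try:` block would cover both cases; whether it can raise here should be confirmed against the krbV binding. A short comment on the `except` branch, such as `# Kerberos not configured yet; REALM and SUFFIX must come from sub_dict`, would also tell later readers that `self.realm` may be `None`.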
@@ -75,16 +81,14 @@ class LDAPUpdate:
domain = ipautil.get_domain_name()
libarch = self.__identify_arch()
- suffix = util.realm_to_suffix(krbctx.default_realm)
- self.realm = krbctx.default_realm
- if not self.sub_dict.get("REALM"):
- self.sub_dict["REALM"] = krbctx.default_realm
+ if not self.sub_dict.get("REALM") and self.realm is not None:
+ self.sub_dict["REALM"] = self.realm
if not self.sub_dict.get("FQDN"):
self.sub_dict["FQDN"] = fqdn
if not self.sub_dict.get("DOMAIN"):
self.sub_dict["DOMAIN"] = domain
- if not self.sub_dict.get("SUFFIX"):
+ if not self.sub_dict.get("SUFFIX") and suffix is not None:
self.sub_dict["SUFFIX"] = suffix
if not self.sub_dict.get("ESCAPED_SUFFIX"):
self.sub_dict["ESCAPED_SUFFIX"] = escape_dn_chars(suffix)
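Review bot: The `ESCAPED_SUFFIX` default at the end of the hunk still calls `escape_dn_chars(suffix)` unconditionally, although `suffix` can now be `None` and the `SUFFIX` default just above it was given a guard for exactly that reason. Depending on how `escape_dn_chars` treats `None`, this either raises during installation or stores a bogus value in `sub_dict`. The condition should match the one above it: `if not self.sub_dict.get("ESCAPED_SUFFIX") and suffix is not None:`. When the caller supplied `SUFFIX` in `sub_dict` but no realm is available, deriving the escaped form from `self.sub_dict["SUFFIX"]` instead of the local `suffix` would keep the two entries consistent.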