ipa-kdb: Get/Store Master Key directly from LDAP

1 files changed, 8 insertions, 4 deletions

diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index bd84f5b3b..97b240650 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -572,7 +572,6 @@ static krb5_error_code ipadb_fetch_principals(struct ipadb_context *ipactx,
     krb5_error_code kerr;
     char *src_filter = NULL;
     char *esc_search_expr = NULL;
-    LDAPMessage *res = NULL;
     int ret;
 
     if (!ipactx->lcontext) {
@@ -603,9 +602,6 @@ static krb5_error_code ipadb_fetch_principals(struct ipadb_context *ipactx,
                                result);
 
 done:
-    if (kerr) {
-        ldap_msgfree(res);
-    }
     free(src_filter);
     free(esc_search_expr);
     return kerr;
@@ -1517,6 +1513,10 @@ static krb5_error_code ipadb_add_principal(krb5_context kcontext,
         goto done;
     }
 
+    if (!ipactx->override_restrictions) {
+        return KRB5_KDB_CONSTRAINT_VIOLATION;
+    }
+
     kerr = krb5_unparse_name(kcontext, entry->princ, &principal);
     if (kerr != 0) {
         goto done;
@@ -1711,6 +1711,10 @@ krb5_error_code ipadb_delete_principal(krb5_context kcontext,
         return KRB5_KDB_DBNOTINITED;
     }
 
+    if (!ipactx->override_restrictions) {
+        return KRB5_KDB_CONSTRAINT_VIOLATION;
+    }
+
     kerr = krb5_unparse_name(kcontext, search_for, &principal);
     if (kerr != 0) {
         goto done;