authorSimo Sorce <simo@redhat.com>2013-05-23 10:06:22 -0400
committerMartin Kosek <mkosek@redhat.com>2013-05-28 15:50:25 +0200
commit1657b1ed6c8c57638162f825d43fc684237f382f (patch)
treea76030871edfdc8e89c00e678eeb112624a513ec
parent2d6eb08c835e38d5b1d5142e0c19007018d1e719 (diff)
CLDAP: Return empty reply on non-fatal errors
Windows DCs return an empty reply when a legal request cannot be satisfied. If we get EINVAL or ENOENT it means the information requested could not be found or input parameters were bogus. Always return an empty reply in these cases. On any other internal error just return, the request may have been legit but we can't really handle it right now, pretend we never saw it and hope the next attempt will succeed. Fixes: https://fedorahosted.org/freeipa/ticket/3639 Signed-off-by: Simo Sorce <simo@redhat.com>
-rw-r--r--daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c24
1 files changed, 18 insertions, 6 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c
index 307110c12..468b92bba 100644
--- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c
+++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c
@@ -218,12 +218,14 @@ static void ipa_cldap_respond(struct ipa_cldap_ctx *ctx,
return;
}
- /* result */
- ret = ber_printf(be, "{it{s{{s[O]}}}}", req->id,
+ if (nbtblob->bv_len != 0) {
+ /* result */
+ ret = ber_printf(be, "{it{s{{s[O]}}}}", req->id,
LDAP_RES_SEARCH_ENTRY, "", "netlogon", nbtblob);
- if (ret == LBER_ERROR) {
- LOG("Failed to encode CLDAP reply\n");
- goto done;
+ if (ret == LBER_ERROR) {
+ LOG("Failed to encode CLDAP reply\n");
+ goto done;
+ }
}
/* done */
ret = ber_printf(be, "{it{ess}}", req->id,
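Review bot: The new `if (nbtblob->bv_len != 0)` guard makes a zero-length blob the signal for "send only the done message", but nothing at the guard says so. The `/* result */` comment would read better as `/* search entry; skipped for an empty blob so only the done message is sent */`. The guard also dereferences `nbtblob` unconditionally, so it relies on every caller passing a non-NULL berval, which the part of ipa_cldap_respond visible here does not show. The function begins and ends outside the hunk.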
@@ -264,7 +266,17 @@ static void ipa_cldap_process(struct ipa_cldap_ctx *ctx,
LOG_TRACE("CLDAP Request received");
ret = ipa_cldap_netlogon(ctx, req, &reply);
- if (ret) {
+ switch (ret) {
+ case 0:
+ /* all fine */
+ break;
+ case EINVAL:
+ case ENOENT:
+ /* bad request, return empty reply as windows does */
+ memset(&reply, 0, sizeof(struct berval));
+ break;
+ default:
+ /* internal error, just get out */
goto done;
}
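Review bot: Neither new failure branch of the `switch (ret)` in ipa_cldap_process records anything, so a run of rejected or failing CLDAP requests is invisible to an operator, and the EINVAL/ENOENT case now answers requests that used to be dropped. A trace-level line such as `LOG_TRACE("CLDAP bad request, sending empty reply");` in the EINVAL/ENOENT case, and a similar one before `goto done` in `default`, would cover it; trace level rather than LOG keeps unauthenticated traffic from filling the error log. Separately, `memset(&reply, 0, sizeof(struct berval));` discards whatever ipa_cldap_netlogon left in `reply`. Its body is not in this hunk, so confirm it never returns EINVAL or ENOENT after allocating `reply.bv_val`; `sizeof(reply)` would also keep the size tied to the variable. The function continues outside the hunk.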