authorSumit Bose <sbose@redhat.com>2014-10-22 10:03:09 +0200
committerJakub Hrozek <jhrozek@redhat.com>2014-10-22 12:37:41 +0200
commit44329653f423c632b027065a9c0ea0bf4199396a (patch)
treeadb6c4a40ff5f3ef9ab6e6958650e4d8eced0220 /src/providers/ipa
parentb2636dab7c08a2ccc10edc1f3a83a6622543e21b (diff)
ipa: fix issues with older servers not supporting views
Older FreeIPA servers which do not know about the ipaAssignedIDView attribute will return an error during the LDAP dereference request because SSSD marks LDAP extensions as critical. In this case we keep the view name empty and skip override lookups. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/providers/ipa')
-rw-r--r--src/providers/ipa/ipa_subdomains.c14
-rw-r--r--src/providers/ipa/ipa_subdomains_id.c4
-rw-r--r--src/providers/ipa/ipa_views.c15
3 files changed, 27 insertions, 6 deletions
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index bedc0f1a5..eb172fdfc 100644
--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -1002,7 +1002,19 @@ static void ipa_get_view_name_done(struct tevent_req *req)
ret = sdap_deref_search_with_filter_recv(req, ctx, &reply_count, &reply);
talloc_zfree(req);
if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "get_view_name request failed.\n");
+ if (ret == EOPNOTSUPP) {
+ DEBUG(SSSDBG_TRACE_FUNC, "get_view_name request failed, looks " \
+ "like server does not support views.\n");
+ ret = ipa_check_master(ctx);
+ if (ret == EAGAIN) {
+ return;
+ } else if (ret != EOK) {
+ goto done;
+ }
+
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE, "get_view_name request failed.\n");
+ }
goto done;
}
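Review bot: The new `EOPNOTSUPP` branch in ipa_get_view_name_done turns a failed view lookup into "no view, skip overrides", yet it logs this only at `SSSDBG_TRACE_FUNC`, so at default debug levels nothing records that ID overrides are not being applied on this client. Overrides change the identity data the client resolves, so the downgrade should be visible to an operator, e.g. `DEBUG(SSSDBG_MINOR_FAILURE, "get_view_name request failed, looks like server does not support views.\n");`, which also drops the stray `\` continuation between the two string literals. The hunk does not show which server results are mapped to `EOPNOTSUPP`; if anything other than an unsupported critical control can produce it, this branch fails open, so that mapping is worth confirming. The bare `return;` on `EAGAIN` presumably relies on ipa_check_master() having started a follow-up request that finishes the work, and deserves a comment such as `/* ipa_check_master() continues asynchronously */`. The function's `done:` label and the rest of its body are outside the hunk.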
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index 36f8b2392..b67006ce6 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -106,11 +106,13 @@ struct tevent_req *ipa_subdomain_account_send(TALLOC_CTX *memctx,
* have to check first if the request matches an override in the given
* view. But there are cases where this can be skipped and the AD object
* can be searched directly:
+ * - if no view is defined, i.e. the server does not supprt views yet
* - searches by SID: because we do not override the SID
* - if the responder does not send the EXTRA_INPUT_MAYBE_WITH_VIEW flags,
* because in this case the entry was found in the cache and the
* original value is used for the search (e.g. during cache updates) */
- if (state->ar->filter_type == BE_FILTER_SECID
+ if (state->ipa_ctx->view_name == NULL
+ || state->ar->filter_type == BE_FILTER_SECID
|| (!state->ipa_server_mode
&& state->ar->extra_value != NULL
&& strcmp(state->ar->extra_value,
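Review bot: `state->ipa_ctx->view_name == NULL` is now treated as "the server has no views" both in this condition and in the early exit added to ipa_get_ad_override_send() in ipa_views.c, but nothing in these hunks distinguishes that from "the view name has not been fetched yet". In either case the override check is skipped and the AD object is searched directly, so a request handled before get_view_name has completed would resolve without its overrides, if that ordering is possible, which cannot be told from here. The invariant should be documented where `view_name` is declared, along the lines of `/* NULL: server does not support views; only set once get_view_name has finished */`, or the two states should be tracked separately. The added comment line has a typo, `supprt` should read `support`. The `if` condition continues past the end of the hunk.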
diff --git a/src/providers/ipa/ipa_views.c b/src/providers/ipa/ipa_views.c
index 33dbf7b1c..2eb77216a 100644
--- a/src/providers/ipa/ipa_views.c
+++ b/src/providers/ipa/ipa_views.c
@@ -208,15 +208,22 @@ struct tevent_req *ipa_get_ad_override_send(TALLOC_CTX *mem_ctx,
state->sdap_id_ctx = sdap_id_ctx;
state->ipa_options = ipa_options;
state->ipa_realm = ipa_realm;
+ state->ar = ar;
+ state->dp_error = -1;
+ state->override_attrs = NULL;
+ state->filter = NULL;
+
+ if (view_name == NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "View not defined, nothing to do.\n");
+ ret = EOK;
+ goto done;
+ }
+
if (strcmp(view_name, SYSDB_DEFAULT_VIEW_NAME) == 0) {
state->ipa_view_name = IPA_DEFAULT_VIEW_NAME;
} else {
state->ipa_view_name = view_name;
}
- state->ar = ar;
- state->dp_error = -1;
- state->override_attrs = NULL;
- state->filter = NULL;
state->sdap_op = sdap_id_op_create(state,
state->sdap_id_ctx->conn->conn_cache);