authorJakub Hrozek <jhrozek@redhat.com>2012-11-19 17:36:55 +0100
committerJakub Hrozek <jhrozek@redhat.com>2012-11-19 22:25:40 +0100
commit83e75fcfff170ba7b991a58284b0ef71a3f0f36d (patch)
tree9d4c5ecd6c48c1dbc00d12f61c63c42ca737398d /src/providers/ldap
parent9f4df8c7dd337659772ee8c062c490ea473c471d (diff)
LDAP: Checking the principal should not be considered fatal
The check is too restrictive, because select_principal_from_keytab can currently return something other than what the user requested. Consider a user query for host/myserver@EXAMPLE.COM: the select_principal_from_keytab function will return "myserver" in primary and "EXAMPLE.COM" in realm, so the caller would need to add logic to also break down the principal to get rid of the host/ part. The heuristics would simply get too complex. select_principal_from_keytab will error out anyway if there's no suitable principal at all.
Diffstat (limited to 'src/providers/ldap')
-rw-r--r--src/providers/ldap/ldap_common.c16
1 files changed, 10 insertions, 6 deletions
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index 07e9c5d4f..516ba179d 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -1038,12 +1038,16 @@ sdap_set_sasl_options(struct sdap_options *id_opts,
goto done;
}
- if ((primary_requested && strcmp(desired_primary, sasl_primary) != 0) ||
- (realm_requested && strcmp(desired_realm, sasl_realm) != 0)) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- ("Configured SASL auth ID/realm not found in keytab.\n"));
- ret = ENOENT;
- goto done;
+ if (primary_requested && strcmp(desired_primary, sasl_primary) != 0) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Configured SASL auth ID not found in keytab. "
+ "Requested %s, found %s\n", desired_primary, sasl_primary));
+ }
+
+ if (realm_requested && strcmp(desired_realm, sasl_realm) != 0) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Configured SASL realm not found in keytab. "
+ "Requested %s, found %s\n", desired_realm, sasl_realm));
}
ret = dp_opt_set_string(id_opts->basic,
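Review bot: The two new non-fatal checks carry no comment explaining why a mismatch between the configured SASL auth ID/realm and the keytab principal is now tolerated, so the next reader may take the missing `goto done` for an oversight. I would add above the first `if` something like `/* Not fatal: select_principal_from_keytab() may return the primary without the host/ part and fails on its own if no suitable principal exists */`. The message text "not found in keytab" is also stronger than what the `strcmp` establishes; "differs from the principal selected from the keytab" would describe the condition more accurately. Because the function apparently goes on to use the keytab values, the bind identity can differ from the configured one and this is reported only at `SSSDBG_MINOR_FAILURE`, which is worth stating in that comment so operators know where to look. The body of sdap_set_sasl_options starts and ends outside this hunk.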