Make RootDSE optional

In violation of the standard, some LDAP servers control access to
the RootDSE, thus preventing us from being able to read it before
performing a bind.

This patch will allow us to continue on if the RootDSE was
inaccessible. All of the places that we use the return value of
the RootDSE after this are already checked for NULL and use sane
defaults if the RootDSE is unavailable

2 files changed, 17 insertions, 3 deletions

diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
index 25f8bcfd2..18f2bc0c5 100644
--- a/src/providers/ldap/sdap_async.c
+++ b/src/providers/ldap/sdap_async.c
@@ -689,7 +689,9 @@ static void sdap_get_rootdse_done(struct tevent_req *subreq)
     }
 
     if (num_results == 0 || !results) {
-        DEBUG(2, ("No RootDSE for server ?!\n"));
+        DEBUG(2, ("RootDSE could not be retrieved. "
+                  "Please check that anonymous access to RootDSE is allowed\n"
+              ));
         tevent_req_error(req, ENOENT);
         return;
     }
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index a0224a1c1..fd1cc8c72 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -1052,8 +1052,20 @@ static void sdap_cli_rootdse_done(struct tevent_req *subreq)
             return;
         }
 
-        tevent_req_error(req, ret);
-        return;
+        else if (ret == ENOENT) {
+            /* RootDSE was not available on
+             * the server.
+             * Continue, and just assume that the
+             * features requested by the config
+             * work properly.
+             */
+            state->use_rootdse = false;
+        }
+
+        else {
+            tevent_req_error(req, ret);
+            return;
+        }
     }
 
     sasl_mech = dp_opt_get_string(state->opts->basic, SDAP_SASL_MECH);