ipa: fix issues with older servers not supporting views

Older FreeIPA servers which do not know about the ipaAssignedIDView
attribute will return an error during the LDAP dereference request
because SSSD marks LDAP extensions as critical. In this case we keep the
view name empty and skip override lookups.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

1 files changed, 3 insertions, 1 deletions

diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index 36f8b2392..b67006ce6 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -106,11 +106,13 @@ struct tevent_req *ipa_subdomain_account_send(TALLOC_CTX *memctx,
      * have to check first if the request matches an override in the given
      * view. But there are cases where this can be skipped and the AD object
      * can be searched directly:
+     * - if no view is defined, i.e. the server does not supprt views yet
      * - searches by SID: because we do not override the SID
      * - if the responder does not send the EXTRA_INPUT_MAYBE_WITH_VIEW flags,
      *   because in this case the entry was found in the cache and the
      *   original value is used for the search (e.g. during cache updates) */
-    if (state->ar->filter_type == BE_FILTER_SECID
+    if (state->ipa_ctx->view_name == NULL
+            || state->ar->filter_type == BE_FILTER_SECID
             || (!state->ipa_server_mode
                 && state->ar->extra_value != NULL
                 && strcmp(state->ar->extra_value,