authorJakub Hrozek <jhrozek@redhat.com>2016-01-19 14:54:45 +0100
committerJakub Hrozek <jhrozek@redhat.com>2016-01-19 18:08:01 +0100
commit95c132e1a8c6bbab4be8b3a340333fadd8076122 (patch)
tree215f3cd41c2cd98f52e7eb46f9a1f0e295b64825 /src
parent8bd9ec3a8885b01a34863d22aa784e221fc422fb (diff)
SDAP: Make it possible to silence errors from dereference
https://fedorahosted.org/sssd/ticket/2791 When a modern IPA client is connected to an old (3.x) IPA server, the attribute dereferenced during the ID views lookup does not exist, which triggers an error during the dereference processing and also a confusing syslog message. This patch suppresses the syslog message. Reviewed-by: Michal Židek <mzidek@redhat.com>
Diffstat (limited to 'src')
-rw-r--r--src/providers/ipa/ipa_subdomains.c6
-rw-r--r--src/providers/ldap/sdap_async.c25
-rw-r--r--src/providers/ldap/sdap_async.h7
3 files changed, 28 insertions, 10 deletions
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index b9fad3e8..8bbbad0a 100644
--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -792,6 +792,9 @@ static errno_t ipa_get_view_name(struct ipa_subdomains_req_ctx *ctx)
return EOK;
}
+ /* We add SDAP_DEREF_FLG_SILENT because old IPA servers don't have
+ * the attribute we dereference, causing the deref call to fail
+ */
req = sdap_deref_search_with_filter_send(ctx, ctx->sd_ctx->be_ctx->ev,
ctx->sd_ctx->sdap_id_ctx->opts,
sdap_id_op_handle(ctx->sdap_op),
@@ -799,7 +802,8 @@ static errno_t ipa_get_view_name(struct ipa_subdomains_req_ctx *ctx)
ctx->current_filter, IPA_ASSIGNED_ID_VIEW, attrs,
1, maps,
dp_opt_get_int(ctx->sd_ctx->sdap_id_ctx->opts->basic,
- SDAP_SEARCH_TIMEOUT));
+ SDAP_SEARCH_TIMEOUT),
+ SDAP_DEREF_FLG_SILENT);
if (req == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "sdap_get_generic_send failed.\n");
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
index 5260aafe..6cc32323 100644
--- a/src/providers/ldap/sdap_async.c
+++ b/src/providers/ldap/sdap_async.c
@@ -2763,6 +2763,7 @@ struct sdap_deref_search_state {
size_t reply_count;
struct sdap_deref_attrs **reply;
enum sdap_deref_type deref_type;
+ unsigned flags;
};
static void sdap_deref_search_done(struct tevent_req *subreq);
@@ -2779,7 +2780,8 @@ sdap_deref_search_with_filter_send(TALLOC_CTX *memctx,
const char **attrs,
int num_maps,
struct sdap_attr_map_info *maps,
- int timeout)
+ int timeout,
+ unsigned flags)
{
struct tevent_req *req = NULL;
struct tevent_req *subreq = NULL;
@@ -2791,6 +2793,7 @@ sdap_deref_search_with_filter_send(TALLOC_CTX *memctx,
state->sh = sh;
state->reply_count = 0;
state->reply = NULL;
+ state->flags = flags;
if (sdap_is_control_supported(sh, LDAP_CONTROL_X_DEREF)) {
DEBUG(SSSDBG_TRACE_INTERNAL, "Server supports OpenLDAP deref\n");
@@ -2917,14 +2920,20 @@ static void sdap_deref_search_done(struct tevent_req *subreq)
DEBUG(SSSDBG_OP_FAILURE,
"dereference processing failed [%d]: %s\n", ret, strerror(ret));
if (ret == ENOTSUP) {
- sss_log(SSS_LOG_WARNING,
- "LDAP server claims to support deref, but deref search failed. "
- "Disabling deref for further requests. You can permanently "
- "disable deref by setting ldap_deref_threshold to 0 in domain "
- "configuration.");
state->sh->disable_deref = true;
- } else {
- sss_log(SSS_LOG_WARNING, "dereference processing failed : %s", strerror(ret));
+ }
+
+ if (!(state->flags & SDAP_DEREF_FLG_SILENT)) {
+ if (ret == ENOTSUP) {
+ sss_log(SSS_LOG_WARNING,
+ "LDAP server claims to support deref, but deref search "
+ "failed. Disabling deref for further requests. You can "
+ "permanently disable deref by setting "
+ "ldap_deref_threshold to 0 in domain configuration.");
+ } else {
+ sss_log(SSS_LOG_WARNING,
+ "dereference processing failed : %s", strerror(ret));
+ }
}
tevent_req_error(req, ret);
return;
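Review bot: With SDAP_DEREF_FLG_SILENT set, the ENOTSUP branch still executes `state->sh->disable_deref = true`, but the syslog warning telling the administrator that deref was disabled for further requests is skipped along with the generic one. The flag mutes every error code, not only the missing-attribute case the commit message describes, so for a silent caller such as ipa_get_view_name the SSSDBG_OP_FAILURE debug line is the only record of a state change on the handle. Consider keeping the ENOTSUP warning unconditional and gating only the generic branch, e.g. `} else if (!(state->flags & SDAP_DEREF_FLG_SILENT)) {` in place of the old `} else {`. If the old-server failure itself arrives as ENOTSUP (not visible here), a lower-priority message would still be preferable to none. sdap_deref_search_done starts and ends outside this hunk.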
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
index 09bc0d65..f86f1890 100644
--- a/src/providers/ldap/sdap_async.h
+++ b/src/providers/ldap/sdap_async.h
@@ -227,6 +227,10 @@ int sdap_get_generic_recv(struct tevent_req *req,
bool sdap_has_deref_support(struct sdap_handle *sh, struct sdap_options *opts);
+enum sdap_deref_flags {
+ SDAP_DEREF_FLG_SILENT = 1 << 0, /* Do not warn if dereference fails */
+};
+
struct tevent_req *
sdap_deref_search_with_filter_send(TALLOC_CTX *memctx,
struct tevent_context *ev,
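Review bot: The comment on SDAP_DEREF_FLG_SILENT, `/* Do not warn if dereference fails */`, does not say which output is suppressed. In sdap_deref_search_done only the sss_log() warnings are skipped, while the DEBUG message and the `disable_deref` handling stay. I would spell that out, e.g. `/* Skip the syslog warning on deref failure; debug logging and disable_deref handling are unchanged */`. The prototype that follows (it continues in the next hunk) takes a bare `unsigned flags`, so a line such as `/* flags: bitwise OR of enum sdap_deref_flags values, 0 for default behaviour */` above it would tell callers what to pass.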
@@ -238,7 +242,8 @@ sdap_deref_search_with_filter_send(TALLOC_CTX *memctx,
const char **attrs,
int num_maps,
struct sdap_attr_map_info *maps,
- int timeout);
+ int timeout,
+ unsigned flags);
int sdap_deref_search_with_filter_recv(struct tevent_req *req,
TALLOC_CTX *mem_ctx,
size_t *reply_count,