CLDAP: Return empty reply on non-fatal errors

Windows DCs return an empty reply when a legal request cannot satisfied. If we get EINVAL or ENOENT it means the information requested could not be found or input parameters were bogus. Always return an empty reply in these cases. On any other internal error just return, the request may have been legit but we can't really handle it right now, pretend we never saw it and hope the next attempt will succeed. Fixes: https://fedorahosted.org/freeipa/ticket/3639 Signed-off-by: Simo Sorce <simo@redhat.com>
2025-02-25 18:55:28 -06:00 · 2013-05-23 10:06:22 -04:00
parent b402b6d553
commit 1e224c2ea0
1 changed files with 18 additions and 6 deletions
--- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c
+++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c
@@ -218,12 +218,14 @@ static void ipa_cldap_respond(struct ipa_cldap_ctx *ctx,
        return;
    }

-    /* result */
-    ret = ber_printf(be, "{it{s{{s[O]}}}}", req->id,
+    if (nbtblob->bv_len != 0) {
+        /* result */
+        ret = ber_printf(be, "{it{s{{s[O]}}}}", req->id,
                         LDAP_RES_SEARCH_ENTRY, "", "netlogon", nbtblob);
-    if (ret == LBER_ERROR) {
-        LOG("Failed to encode CLDAP reply\n");
-        goto done;
+        if (ret == LBER_ERROR) {
+            LOG("Failed to encode CLDAP reply\n");
+            goto done;
+        }
    }
    /* done */
    ret = ber_printf(be, "{it{ess}}", req->id,
@@ -264,7 +266,17 @@ static void ipa_cldap_process(struct ipa_cldap_ctx *ctx,
    LOG_TRACE("CLDAP Request received");

    ret = ipa_cldap_netlogon(ctx, req, &reply);
-    if (ret) {
+    switch (ret) {
+    case 0:
+        /* all fine */
+        break;
+    case EINVAL:
+    case ENOENT:
+        /* bad request, return empty reply as windows does */
+        memset(&reply, 0, sizeof(struct berval));
+        break;
+    default:
+        /* internal error, just get out */
        goto done;
    }