Fix HDB two-phase commit for LDAP backend

We can't replay log entries when recovering if the backend is shared by
writers with separate logs (or no logs at all), i.e., on other hosts.

lib/hdb/hdb-ldap.c

@@ -2002,7 +2002,7 @@ hdb_ldap_common(krb5_context context,
 
     (*db)->hdb_master_key_set = 0;
     (*db)->hdb_openp = 0;
-    (*db)->hdb_capability_flags = 0;
+    (*db)->hdb_capability_flags = HDB_CAP_F_SHARED_DIRECTORY;
     (*db)->hdb_open = LDAP_open;
     (*db)->hdb_close = LDAP_close;
     (*db)->hdb_fetch_kvno = LDAP_fetch_kvno;

lib/hdb/hdb.h

@@ -71,6 +71,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
 #define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1
 #define HDB_CAP_F_HANDLE_PASSWORDS	2
 #define HDB_CAP_F_PASSWORD_UPDATE_KEYS	4
+#define HDB_CAP_F_SHARED_DIRECTORY      8
 
 /* auth status values */
 #define HDB_AUTH_SUCCESS		0

lib/kadm5/log.c

@@ -1719,7 +1719,12 @@ recover_replay(kadm5_server_context *context,
     /* We're at the start of the payload; compute end of entry offset */
     off = krb5_storage_seek(sp, 0, SEEK_CUR) + len + LOG_TRAILER_SZ;
 
-    ret = kadm5_log_replay(context, op, ver, len, sp);
+    /* We cannot perform log recovery on LDAP and such backends */
+    if (data->mode == kadm_recover_replay &&
+        (context->db->hdb_capability_flags & HDB_CAP_F_SHARED_DIRECTORY))
+        ret = 0;
+    else
+        ret = kadm5_log_replay(context, op, ver, len, sp);
     switch (ret) {
     case HDB_ERR_NOENTRY:
     case HDB_ERR_EXISTS: