From a114690bde54c7ebe73f1109e016720e228ea705 Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Sun, 28 Feb 2016 17:51:15 -0600
Subject: [PATCH] Fix HDB two-phase commit for LDAP backend

We can't replay log entries when recovering if the backend is shared by writers with separate logs (or no logs at all), i.e., on other hosts.
---
 lib/hdb/hdb-ldap.c | 2 +-
 lib/hdb/hdb.h | 1 +
 lib/kadm5/log.c | 7 ++++++-
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/lib/hdb/hdb-ldap.c b/lib/hdb/hdb-ldap.c
index 9b92905be..9d191c9cf 100644
--- a/lib/hdb/hdb-ldap.c
+++ b/lib/hdb/hdb-ldap.c
@@ -2002,7 +2002,7 @@ hdb_ldap_common(krb5_context context,
     (*db)->hdb_master_key_set = 0;
     (*db)->hdb_openp = 0;
-    (*db)->hdb_capability_flags = 0;
+    (*db)->hdb_capability_flags = HDB_CAP_F_SHARED_DIRECTORY;
     (*db)->hdb_open = LDAP_open;
     (*db)->hdb_close = LDAP_close;
     (*db)->hdb_fetch_kvno = LDAP_fetch_kvno;
diff --git a/lib/hdb/hdb.h b/lib/hdb/hdb.h
index e67a4e062..c1654a170 100644
--- a/lib/hdb/hdb.h
+++ b/lib/hdb/hdb.h
@@ -71,6 +71,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
 #define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1
 #define HDB_CAP_F_HANDLE_PASSWORDS 2
 #define HDB_CAP_F_PASSWORD_UPDATE_KEYS 4
+#define HDB_CAP_F_SHARED_DIRECTORY 8
 /* auth status values */
 #define HDB_AUTH_SUCCESS 0
diff --git a/lib/kadm5/log.c b/lib/kadm5/log.c
index 31127d413..94fc85fec 100644
--- a/lib/kadm5/log.c
+++ b/lib/kadm5/log.c
@@ -1719,7 +1719,12 @@ recover_replay(kadm5_server_context *context,
     /* We're at the start of the payload; compute end of entry offset */
     off = krb5_storage_seek(sp, 0, SEEK_CUR) + len + LOG_TRAILER_SZ;
-    ret = kadm5_log_replay(context, op, ver, len, sp);
+    /* We cannot perform log recovery on LDAP and such backends */
+    if (data->mode == kadm_recover_replay &&
+        (context->db->hdb_capability_flags & HDB_CAP_F_SHARED_DIRECTORY))
+        ret = 0;
+    else
+        ret = kadm5_log_replay(context, op, ver, len, sp);
     switch (ret) {
     case HDB_ERR_NOENTRY:
     case HDB_ERR_EXISTS:
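Review bot: In the replay branch added to recover_replay, an uncommitted entry against a shared-directory backend is skipped with `ret = 0`, which makes it indistinguishable from a successfully replayed one, so an operation that was logged but never reached the directory (a key change, a principal disable) is dropped without any record. The commit message explains why replay is unsafe here, but the code should at least tell the operator; consider emitting a warning naming the entry's version and op before `ret = 0`, and extending the comment to `/* Shared backends (e.g. LDAP) may have been written by other hosts with their own logs; we cannot tell whether this entry was applied, so it is skipped rather than replayed. */`. The skip is conditioned on `data->mode == kadm_recover_replay`, so what other recovery modes do with such backends is not visible in this hunk. recover_replay's body begins and ends outside the hunk, so whether a zero `ret` is later treated as "entry applied" cannot be confirmed from here.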