64 lines
3.1 KiB
Diff
64 lines
3.1 KiB
Diff
|
Treat 'nsAccountLock: true' the same as 'loginDisabled: true'. Updated from
|
||
|
original version filed as RT#5891.
|
||
|
|
||
|
diff -up krb5-1.8/src/aclocal.m4.dirsrv-accountlock krb5-1.8/src/aclocal.m4
|
||
|
--- krb5-1.8/src/aclocal.m4.dirsrv-accountlock 2010-03-05 11:03:09.000000000 -0500
|
||
|
+++ krb5-1.8/src/aclocal.m4 2010-03-05 11:03:10.000000000 -0500
|
||
|
@@ -1656,6 +1656,15 @@ if test $with_ldap = yes; then
|
||
|
AC_MSG_NOTICE(enabling OpenLDAP database backend module support)
|
||
|
OPENLDAP_PLUGIN=yes
|
||
|
fi
|
||
|
+AC_ARG_WITH([dirsrv-account-locking],
|
||
|
+[ --with-dirsrv-account-locking compile 389/Red Hat/Fedora/Netscape Directory Server database backend module],
|
||
|
+[case "$withval" in
|
||
|
+ yes | no) ;;
|
||
|
+ *) AC_MSG_ERROR(Invalid option value --with-dirsrv-account-locking="$withval") ;;
|
||
|
+esac], with_dirsrv_account_locking=no)
|
||
|
+if test $with_dirsrv_account_locking = yes; then
|
||
|
+ AC_DEFINE(HAVE_DIRSRV_ACCOUNT_LOCKING,1,[Define if LDAP KDB interface should heed 389 DS's nsAccountLock attribute.])
|
||
|
+fi
|
||
|
])dnl
|
||
|
dnl
|
||
|
dnl If libkeyutils exists (on Linux) include it and use keyring ccache
|
||
|
diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.dirsrv-accountlock krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
|
||
|
--- krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.dirsrv-accountlock 2009-11-24 18:52:25.000000000 -0500
|
||
|
+++ krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c 2010-03-05 11:03:10.000000000 -0500
|
||
|
@@ -1546,6 +1546,23 @@ populate_krb5_db_entry(krb5_context cont
|
||
|
ret = krb5_dbe_update_tl_data(context, entry, &userinfo_tl_data);
|
||
|
if (ret)
|
||
|
goto cleanup;
|
||
|
+#ifdef HAVE_DIRSRV_ACCOUNT_LOCKING
|
||
|
+ {
|
||
|
+ krb5_timestamp expiretime=0;
|
||
|
+ char *is_login_disabled=NULL;
|
||
|
+
|
||
|
+ /* LOGIN DISABLED */
|
||
|
+ ret = krb5_ldap_get_string(ld, ent, "nsAccountLock", &is_login_disabled,
|
||
|
+ &attr_present);
|
||
|
+ if (ret)
|
||
|
+ goto cleanup;
|
||
|
+ if (attr_present == TRUE) {
|
||
|
+ if (strcasecmp(is_login_disabled, "TRUE")== 0)
|
||
|
+ entry->attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
|
||
|
+ free (is_login_disabled);
|
||
|
+ }
|
||
|
+ }
|
||
|
+#endif
|
||
|
|
||
|
ret = krb5_read_tkt_policy(context, ldap_context, entry, tktpolname);
|
||
|
if (ret)
|
||
|
goto cleanup;
|
||
|
diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c.dirsrv-accountlock krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
|
||
|
--- krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c.dirsrv-accountlock 2009-11-24 18:52:25.000000000 -0500
|
||
|
+++ krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c 2010-03-05 11:03:10.000000000 -0500
|
||
|
@@ -59,6 +59,9 @@ char *principal_attributes[] = { "kr
|
||
|
"krbLastFailedAuth",
|
||
|
"krbLoginFailedCount",
|
||
|
"krbLastSuccessfulAuth",
|
||
|
+#ifdef HAVE_DIRSRV_ACCOUNT_LOCKING
|
||
|
+ "nsAccountLock",
|
||
|
+#endif
|
||
|
"krbLastPwdChange",
|
||
|
"krbLastAdminUnlock",
|
||
|
"krbExtraData",
|