update heed-nsaccountlock patch

We lost explicit support for eDirectory per se, so just add a toggle to enable heeding the one native attribute that 389 adds to the mix.
2012-11-15 16:54:51 -05:00 · 2012-11-15 16:54:51 -05:00 · 0efe966105
commit 0efe966105
parent 8a943cb6b5
2 changed files with 27 additions and 36 deletions
--- a/krb5-1.11-dirsrv-accountlock.patch
+++ b/krb5-1.11-dirsrv-accountlock.patch
@ -4,44 +4,36 @@ original version filed as RT#5891.
 diff -up krb5-1.8/src/aclocal.m4.dirsrv-accountlock krb5-1.8/src/aclocal.m4
 --- krb5-1.8/src/aclocal.m4.dirsrv-accountlock	2010-03-05 11:03:09.000000000 -0500
 +++ krb5-1.8/src/aclocal.m4	2010-03-05 11:03:10.000000000 -0500
-@@ -1678,6 +1678,12 @@ AC_ARG_WITH([edirectory],
-     yes | no) ;;
-     *)  AC_MSG_ERROR(Invalid option value --with-edirectory="$withval") ;;
- esac], with_edirectory=no)dnl
-+AC_ARG_WITH([dirsrv],
-+[  --with-dirsrv       compile 389/Red Hat/Fedora/Netscape Directory Server database backend module],
+@@ -1656,6 +1656,15 @@ if test $with_ldap = yes; then
+   AC_MSG_NOTICE(enabling OpenLDAP database backend module support)
+   OPENLDAP_PLUGIN=yes
+ fi
+AC_ARG_WITH([dirsrv-account-locking],
+[  --with-dirsrv-account-locking       compile 389/Red Hat/Fedora/Netscape Directory Server database backend module],
 +[case "$withval" in
 +    yes | no) ;;
-+    *)  AC_MSG_ERROR(Invalid option value --with-dirsrv="$withval") ;;
-+esac], with_dirsrv=no)dnl
- 
- if test $with_ldap = yes; then
-   if test $with_edirectory = yes; then
-@@ -1689,6 +1695,10 @@ elif test $with_edirectory = yes; then
-   AC_MSG_NOTICE(enabling eDirectory database backend module support)
-   OPENLDAP_PLUGIN=yes
-   AC_DEFINE(HAVE_EDIRECTORY,1,[Define if LDAP KDB interface should assume eDirectory.])
-+elif test $with_dirsrv = yes; then
-+  AC_MSG_NOTICE(enabling 389/Red Hat/Fedora/Netscape Directory Server database backend module support)
-+  OPENLDAP_PLUGIN=yes
-+  AC_DEFINE(HAVE_DIRSRV,1,[Define if LDAP KDB interface should assume RHDS/FDS/NDS.])
- else
-   : # neither enabled
- dnl  AC_MSG_NOTICE(disabling ldap backend module support)
+    *)  AC_MSG_ERROR(Invalid option value --with-dirsrv-account-locking="$withval") ;;
+esac], with_dirsrv_account_locking=no)
+if test $with_dirsrv_account_locking = yes; then
+    AC_DEFINE(HAVE_DIRSRV_ACCOUNT_LOCKING,1,[Define if LDAP KDB interface should heed 389 DS's nsAccountLock attribute.])
+fi
+ ])dnl
+ dnl
+ dnl If libkeyutils exists (on Linux) include it and use keyring ccache
 diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.dirsrv-accountlock krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
 --- krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.dirsrv-accountlock	2009-11-24 18:52:25.000000000 -0500
 +++ krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c	2010-03-05 11:03:10.000000000 -0500
@@ -2101,6 +2101,22 @@ populate_krb5_db_entry(krb5_context cont
-         }
-     }
- #endif
-+#ifdef HAVE_DIRSRV
+         goto cleanup;
+     if ((st=krb5_dbe_update_tl_data(context, entry, &userinfo_tl_data)) != 0)
+         goto cleanup;
+#ifdef HAVE_DIRSRV_ACCOUNT_LOCKING
 +    {
 +        krb5_timestamp              expiretime=0;
 +        char                        *is_login_disabled=NULL;
 +
 +        /* LOGIN DISABLED */
-+        if ((st=krb5_ldap_get_string(ld, ent, "nsaccountlock", &is_login_disabled,
+        if ((st=krb5_ldap_get_string(ld, ent, "nsAccountLock", &is_login_disabled,
 +                    &attr_present)) != 0)
 +            goto cleanup;
 +        if (attr_present == TRUE) {
@ -58,11 +50,11 @@ diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c.dirsrv-accou
 --- krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c.dirsrv-accountlock	2009-11-24 18:52:25.000000000 -0500
 +++ krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c	2010-03-05 11:03:10.000000000 -0500
@@ -59,6 +59,9 @@ char     *principal_attributes[] = { "kr
-                                      "loginexpirationtime",
-                                      "logindisabled",
- #endif
-+#ifdef HAVE_DIRSRV
-+                                     "nsaccountlock",
+                                      "krbLastFailedAuth",
+                                      "krbLoginFailedCount",
+                                      "krbLastSuccessfulAuth",
+#ifdef HAVE_DIRSRV_ACCOUNT_LOCKING
+                                     "nsAccountLock",
 +#endif
                                      "krbLastPwdChange",
                                      "krbLastAdminUnlock",
--- a/krb5.spec
+++ b/krb5.spec
@ -67,7 +67,7 @@ Patch59: krb5-1.10-kpasswd_tcp.patch
 Patch60: krb5-1.11-pam.patch
 Patch61: krb5-1.11-manpaths.patch
 Patch63: krb5-1.11-selinux-label.patch
-Patch71: krb5-1.9-dirsrv-accountlock.patch
+Patch71: krb5-1.11-dirsrv-accountlock.patch
 Patch75: krb5-pkinit-debug.patch
 Patch86: krb5-1.9-debuginfo.patch
 Patch105: krb5-kvno-230379.patch
@ -315,10 +315,9 @@ CPPFLAGS="`echo $DEFINES $INCLUDES`"
 	--with-tcl \
 	--enable-dns-for-realm \
 %if %{WITH_LDAP}
-%if %{WITH_DIRSRV}
-	--with-dirsrv \
-%else
 	--with-ldap \
+%if %{WITH_DIRSRV}
+	--with-dirsrv-account-locking \
 %endif
 %endif
 %if %{WITH_OPENSSL} || %{WITH_NSS}