|
 |
963210 |
From f8404b502015b4a9806894d212462c63c3307fa8 Mon Sep 17 00:00:00 2001
|
|
|
963210 |
From: Robbie Harwood <rharwood@redhat.com>
|
|
|
963210 |
Date: Fri, 22 Apr 2016 10:01:15 -0400
|
|
|
963210 |
Subject: [PATCH] krb5-1.13-dirsrv-accountlock.patch
|
|
|
963210 |
|
|
|
963210 |
---
|
|
|
167778 |
src/aclocal.m4 | 9 +++++++++
|
|
|
167778 |
src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c | 17 +++++++++++++++++
|
|
|
167778 |
.../kdb/ldap/libkdb_ldap/ldap_principal.c | 3 +++
|
|
|
963210 |
3 files changed, 29 insertions(+)
|
|
|
963210 |
|
|
|
963210 |
diff --git a/src/aclocal.m4 b/src/aclocal.m4
|
|
|
963210 |
index f5667c35f..2bfb99496 100644
|
|
|
963210 |
--- a/src/aclocal.m4
|
|
|
963210 |
+++ b/src/aclocal.m4
|
|
|
963210 |
@@ -1656,6 +1656,15 @@ if test "$with_ldap" = yes; then
|
|
|
963210 |
AC_MSG_NOTICE(enabling OpenLDAP database backend module support)
|
|
|
963210 |
OPENLDAP_PLUGIN=yes
|
|
|
963210 |
fi
|
|
|
963210 |
+AC_ARG_WITH([dirsrv-account-locking],
|
|
|
963210 |
+[ --with-dirsrv-account-locking compile 389/Red Hat/Fedora/Netscape Directory Server database backend module],
|
|
|
963210 |
+[case "$withval" in
|
|
|
963210 |
+ yes | no) ;;
|
|
|
963210 |
+ *) AC_MSG_ERROR(Invalid option value --with-dirsrv-account-locking="$withval") ;;
|
|
|
963210 |
+esac], with_dirsrv_account_locking=no)
|
|
|
963210 |
+if test $with_dirsrv_account_locking = yes; then
|
|
|
963210 |
+ AC_DEFINE(HAVE_DIRSRV_ACCOUNT_LOCKING,1,[Define if LDAP KDB interface should heed 389 DS's nsAccountLock attribute.])
|
|
|
963210 |
+fi
|
|
|
963210 |
])dnl
|
|
|
963210 |
dnl
|
|
|
963210 |
dnl If libkeyutils exists (on Linux) include it and use keyring ccache
|
|
|
963210 |
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
|
|
|
963210 |
index 32efc4f54..af8b2db7b 100644
|
|
|
963210 |
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
|
|
|
963210 |
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
|
|
|
963210 |
@@ -1674,6 +1674,23 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context,
|
|
|
963210 |
ret = krb5_dbe_update_tl_data(context, entry, &userinfo_tl_data);
|
|
|
963210 |
if (ret)
|
|
|
963210 |
goto cleanup;
|
|
|
963210 |
+#ifdef HAVE_DIRSRV_ACCOUNT_LOCKING
|
|
|
963210 |
+ {
|
|
|
963210 |
+ krb5_timestamp expiretime=0;
|
|
|
963210 |
+ char *is_login_disabled=NULL;
|
|
|
963210 |
+
|
|
|
963210 |
+ /* LOGIN DISABLED */
|
|
|
963210 |
+ ret = krb5_ldap_get_string(ld, ent, "nsAccountLock", &is_login_disabled,
|
|
|
963210 |
+ &attr_present);
|
|
|
963210 |
+ if (ret)
|
|
|
963210 |
+ goto cleanup;
|
|
|
963210 |
+ if (attr_present == TRUE) {
|
|
|
963210 |
+ if (strcasecmp(is_login_disabled, "TRUE")== 0)
|
|
|
963210 |
+ entry->attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
|
|
|
963210 |
+ free (is_login_disabled);
|
|
|
963210 |
+ }
|
|
|
963210 |
+ }
|
|
|
963210 |
+#endif
|
|
|
963210 |
|
|
|
963210 |
ret = krb5_read_tkt_policy(context, ldap_context, entry, tktpolname);
|
|
|
963210 |
if (ret)
|
|
|
963210 |
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
|
|
|
963210 |
index d722dbfa6..5e8e9a897 100644
|
|
|
963210 |
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
|
|
|
963210 |
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
|
|
|
963210 |
@@ -54,6 +54,9 @@ char *principal_attributes[] = { "krbprincipalname",
|
|
|
963210 |
"krbLastFailedAuth",
|
|
|
963210 |
"krbLoginFailedCount",
|
|
|
963210 |
"krbLastSuccessfulAuth",
|
|
|
963210 |
+#ifdef HAVE_DIRSRV_ACCOUNT_LOCKING
|
|
|
963210 |
+ "nsAccountLock",
|
|
|
963210 |
+#endif
|
|
|
963210 |
"krbLastPwdChange",
|
|
|
963210 |
"krbLastAdminUnlock",
|
|
|
963210 |
"krbPrincipalAuthInd",
|