Blame SOURCES/krb5-1.13-dirsrv-accountlock.patch

fab64b
From f8404b502015b4a9806894d212462c63c3307fa8 Mon Sep 17 00:00:00 2001
fab64b
From: Robbie Harwood <rharwood@redhat.com>
fab64b
Date: Fri, 22 Apr 2016 10:01:15 -0400
fab64b
Subject: [PATCH] krb5-1.13-dirsrv-accountlock.patch
5af5b2
fab64b
---
665228
 src/aclocal.m4                                  |  9 +++++++++
665228
 src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c    | 17 +++++++++++++++++
665228
 .../kdb/ldap/libkdb_ldap/ldap_principal.c       |  3 +++
fab64b
 3 files changed, 29 insertions(+)
fab64b
fab64b
diff --git a/src/aclocal.m4 b/src/aclocal.m4
fab64b
index f5667c35f..2bfb99496 100644
fab64b
--- a/src/aclocal.m4
fab64b
+++ b/src/aclocal.m4
fab64b
@@ -1656,6 +1656,15 @@ if test "$with_ldap" = yes; then
5af5b2
   AC_MSG_NOTICE(enabling OpenLDAP database backend module support)
5af5b2
   OPENLDAP_PLUGIN=yes
5af5b2
 fi
5af5b2
+AC_ARG_WITH([dirsrv-account-locking],
5af5b2
+[  --with-dirsrv-account-locking       compile 389/Red Hat/Fedora/Netscape Directory Server database backend module],
5af5b2
+[case "$withval" in
5af5b2
+    yes | no) ;;
5af5b2
+    *)  AC_MSG_ERROR(Invalid option value --with-dirsrv-account-locking="$withval") ;;
5af5b2
+esac], with_dirsrv_account_locking=no)
5af5b2
+if test $with_dirsrv_account_locking = yes; then
5af5b2
+    AC_DEFINE(HAVE_DIRSRV_ACCOUNT_LOCKING,1,[Define if LDAP KDB interface should heed 389 DS's nsAccountLock attribute.])
5af5b2
+fi
5af5b2
 ])dnl
5af5b2
 dnl
5af5b2
 dnl If libkeyutils exists (on Linux) include it and use keyring ccache
fab64b
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
fab64b
index 32efc4f54..af8b2db7b 100644
fab64b
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
fab64b
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
fab64b
@@ -1674,6 +1674,23 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context,
01ee0a
     ret = krb5_dbe_update_tl_data(context, entry, &userinfo_tl_data);
01ee0a
     if (ret)
5af5b2
         goto cleanup;
5af5b2
+#ifdef HAVE_DIRSRV_ACCOUNT_LOCKING
5af5b2
+    {
5af5b2
+        krb5_timestamp              expiretime=0;
5af5b2
+        char                        *is_login_disabled=NULL;
5af5b2
+
5af5b2
+        /* LOGIN DISABLED */
01ee0a
+        ret = krb5_ldap_get_string(ld, ent, "nsAccountLock", &is_login_disabled,
01ee0a
+                                   &attr_present);
01ee0a
+        if (ret)
5af5b2
+            goto cleanup;
5af5b2
+        if (attr_present == TRUE) {
5af5b2
+            if (strcasecmp(is_login_disabled, "TRUE")== 0)
5af5b2
+                entry->attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
5af5b2
+            free (is_login_disabled);
5af5b2
+        }
5af5b2
+    }
5af5b2
+#endif
5af5b2
 
01ee0a
     ret = krb5_read_tkt_policy(context, ldap_context, entry, tktpolname);
01ee0a
     if (ret)
fab64b
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
fab64b
index d722dbfa6..5e8e9a897 100644
fab64b
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
fab64b
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
fab64b
@@ -54,6 +54,9 @@ char     *principal_attributes[] = { "krbprincipalname",
5af5b2
                                      "krbLastFailedAuth",
5af5b2
                                      "krbLoginFailedCount",
5af5b2
                                      "krbLastSuccessfulAuth",
5af5b2
+#ifdef HAVE_DIRSRV_ACCOUNT_LOCKING
5af5b2
+                                     "nsAccountLock",
5af5b2
+#endif
5af5b2
                                      "krbLastPwdChange",
5af5b2
                                      "krbLastAdminUnlock",
fab64b
                                      "krbPrincipalAuthInd",