
krb5 commit: Support 389ds's lockout model

daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue May 21 12:47:04 2019

Date: Tue, 21 May 2019 12:46:59 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <201905211646.x4LGkx8U025901@drugstore.mit.edu>
To: <cvs-krb5@mit.edu>
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/6ad061e24eca41a61eebed61db39768bfa51a084
commit 6ad061e24eca41a61eebed61db39768bfa51a084
Author: Robbie Harwood <rharwood@redhat.com>
Date:   Tue Aug 23 16:47:44 2016 -0400

    Support 389ds's lockout model
    
    Handle the attribute 'nsAccountLock' from Netscape derivatives.  Based
    on a patch by Nalin Dahyabhai and Simo Sorce.
    
    ticket: 5891

 src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c      |   18 ++++++++++++++++++
 src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c |    1 +
 2 files changed, 19 insertions(+), 0 deletions(-)

diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
index 5b9d1e9..2ade637 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
@@ -1420,6 +1420,7 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context,
     struct berval **ber_key_data = NULL, **ber_tl_data = NULL;
     krb5_tl_data userinfo_tl_data = { NULL }, **endp, *tl;
     osa_princ_ent_rec princ_ent;
+    char *is_login_disabled = NULL;
 
     memset(&princ_ent, 0, sizeof(princ_ent));
 
@@ -1653,6 +1654,23 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context,
     if (ret)
         goto cleanup;
 
+    /*
+     * 389ds and other Netscape directory server derivatives support an
+     * attribute "nsAccountLock" which functions similarly to eDirectory's
+     * "loginDisabled".  When the user's account object is also a
+     * krbPrincipalAux object, the kdb entry should be treated as if
+     * DISALLOW_ALL_TIX has been set.
+     */
+    ret = krb5_ldap_get_string(ld, ent, "nsAccountLock", &is_login_disabled,
+                               &attr_present);
+    if (ret)
+        goto cleanup;
+    if (attr_present == TRUE) {
+        if (strcasecmp(is_login_disabled, "TRUE") == 0)
+            entry->attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
+        free(is_login_disabled);
+    }
+
     ret = krb5_read_tkt_policy(context, ldap_context, entry, tktpolname);
     if (ret)
         goto cleanup;
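Review bot: The lock is fail-open on the read path: if krb5_ldap_get_string reports the attribute as absent, the entry is left unlocked, and an absent attribute is indistinguishable from one the KDC's bind identity is not permitted to read. Since this change ships no documentation update (only the two C files are touched), the LDAP backend docs should state that the directory ACIs must grant the KDC read access to nsAccountLock for the lock to be honored, and that only a value of TRUE (compared case-insensitively via strcasecmp) sets KRB5_KDB_DISALLOW_ALL_TIX. Minor style point: `if (attr_present == TRUE)` reads more naturally as `if (attr_present)`, and is_login_disabled is freed only inside that branch rather than at cleanup, which is correct here because krb5_ldap_get_string allocates nothing when the attribute is absent, but a one-line comment saying so would save the next reader the check.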
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
index d722dbf..a5180c7 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
@@ -54,6 +54,7 @@ char     *principal_attributes[] = { "krbprincipalname",
                                      "krbLastFailedAuth",
                                      "krbLoginFailedCount",
                                      "krbLastSuccessfulAuth",
+                                     "nsAccountLock",
                                      "krbLastPwdChange",
                                      "krbLastAdminUnlock",
                                      "krbPrincipalAuthInd",
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
