[krbdev.mit.edu #5891] kdb_ldap should treat entries with "nsAccountLock: true" as locked
The RT System itself via RT
rt-comment at krbdev.mit.edu
Mon Feb 18 16:21:15 EST 2008
Date: Mon, 18 Feb 2008 14:20:24 -0500
Message-Id: <200802181920.m1IJKOic002015 at blade.boston.redhat.com>
To: krb5-bugs at mit.edu
Subject: kdb_ldap should treat entries with "nsAccountLock: true" as locked
From: nalin at redhat.com
>Submitter-Id: net
>Originator:
>Organization: Red Hat
>Confidential: no
>Synopsis: kdb_ldap should treat entries with "nsAccountLock: true" as locked
>Severity: non-critical
>Priority: low
>Category: krb5-libs
>Class: change-request
>Release: 1.6.3
>Environment:
System: Linux blade.boston.redhat.com 2.6.23-6.fc8 #1 SMP Thu Oct 11 13:36:39 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
Architecture: x86_64
>Description:
The Fedora/Red Hat/Netscape directory server supports an operational
attribute named "nsAccountLock" which functions similarly to the
"loginDisabled" attribute in eDirectory. For cases where a user's
account object is also a krbPrincipalAux object (and perhaps others),
it's probably a good idea to treat "nsAccountLock: true" as an
indication that the kdb entry should be treated as if the
DISALLOW_ALL_TIX flag is set.
>How-To-Repeat:
- Set up a realm using Fedora Directory Server as storage.
- Using the management console, select a user's account (creating it
  first if need be), and add the 'krbPrincipalAux' object class to
  the entry. Add a 'krbPrincipalName' attribute value which places the
  user in the realm.
- Select the user's account, right-click, and select "Inactivate"
  from the pop-up menu.
- Verify that 'kadmin.local -q "getprinc principalName"' shows that
  the kdb entry has the DISALLOW_ALL_TIX flag set.
>Fix:
Proposed patch from Simo Sorce:
Index: src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
===================================================================
--- src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c (revision 20227)
+++ src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c (working copy)
@@ -57,6 +57,9 @@
"loginexpirationtime",
"logindisabled",
#endif
+#ifdef HAVE_DIRSRV
+ "nsaccountlock",
+#endif
"loginexpirationtime",
"logindisabled",
"modifytimestamp",
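Review bot: adding "nsaccountlock" to the requested-attribute list is necessary here because, as the description says, nsAccountLock is an operational attribute and Directory Server only returns it when it is asked for by name; keep the spelling in step with the string passed to krb5_ldap_get_string in the ldap_misc.c hunk. In the surrounding context, "loginexpirationtime" and "logindisabled" appear both inside the conditional block that ends at the #endif and again unconditionally right after it, which looks like a pre-existing duplicate worth cleaning up in the same change.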
Index: src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
===================================================================
--- src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c (revision 20227)
+++ src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c (working copy)
@@ -2141,7 +2141,23 @@
}
}
#endif
+#ifdef HAVE_DIRSRV
+ {
+ krb5_timestamp expiretime=0;
+ char *is_login_disabled=NULL;
+ /* LOGIN DISABLED */
+ if ((st=krb5_ldap_get_string(ld, ent, "nsaccountlock", &is_login_disabled,
+ &attr_present)) != 0)
+ goto cleanup;
+ if (attr_present == TRUE) {
+ if (strcasecmp(is_login_disabled, "TRUE")== 0)
+ entry->attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
+ free (is_login_disabled);
+ }
+ }
+#endif
+
if ((st=krb5_read_tkt_policy (context, ldap_context, entry, tktpolname)) !=0)
goto cleanup;
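Review bot: `krb5_timestamp expiretime=0;` is declared but never used in the new block and will draw an unused-variable warning; it looks carried over from the eDirectory block above and should be dropped. The comment `/* LOGIN DISABLED */` likewise names the eDirectory attribute rather than this one; something like `/* nsAccountLock: TRUE means the account is inactivated */` would be clearer. The rest reads correctly: is_login_disabled starts as NULL, is freed only when attr_present is TRUE, and strcasecmp accepts both "true" and "TRUE". Confirm that the header providing strcasecmp is already included in ldap_misc.c.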
Index: src/aclocal.m4
===================================================================
--- src/aclocal.m4 (revision 20227)
+++ src/aclocal.m4 (working copy)
@@ -1757,6 +1757,12 @@
yes | no) ;;
*) AC_MSG_ERROR(Invalid option value --with-edirectory="$withval") ;;
esac], with_edirectory=no)dnl
+AC_ARG_WITH([dirsrv],
+[ --with-dirsrv compile Red Hat/Fedora/Netscape Directory Server database backend module],
+[case "$withval" in
+ yes | no) ;;
+ *) AC_MSG_ERROR(Invalid option value --with-dirsrv="$withval") ;;
+esac], with_dirsrv=no)dnl
if test $with_ldap = yes; then
if test $with_edirectory = yes; then
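Review bot: nothing rejects --with-edirectory=yes and --with-dirsrv=yes given together; with the elif chain in the next hunk the eDirectory setting silently wins, so an AC_MSG_ERROR when both are yes would make the conflict visible at configure time. The help string also does not mention that the option only takes effect together with --with-ldap; that matches the existing --with-edirectory entry, so it is consistent, but a short note on both would help.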
@@ -1768,6 +1774,10 @@
AC_MSG_NOTICE(enabling eDirectory database backend module support)
OPENLDAP_PLUGIN=yes
AC_DEFINE(HAVE_EDIRECTORY,1,[Define if LDAP KDB interface should assume eDirectory.])
+elif test $with_dirsrv = yes; then
+ AC_MSG_NOTICE(enabling Red Hat/Fedora/Netscape Directory Server database backend module support)
+ OPENLDAP_PLUGIN=yes
+ AC_DEFINE(HAVE_DIRSRV,1,[Define if LDAP KDB interface should assume RHDS/FDS/NDS.])
else
: # neither enabled
dnl AC_MSG_NOTICE(disabling ldap backend module support)
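Review bot: the AC_DEFINE description for HAVE_DIRSRV reads "RHDS/FDS/NDS", and NDS is more commonly read as Novell Directory Services, the product behind the eDirectory branch just above; spell it out as the AC_MSG_NOTICE line does, "Red Hat/Fedora/Netscape Directory Server", to avoid confusing the two backends. Otherwise the elif mirrors the eDirectory branch correctly: OPENLDAP_PLUGIN=yes plus a single HAVE_DIRSRV define that the C hunks key on.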