[Fedora-directory-commits] ldapserver/ldap/servers/plugins/replication windows_protocol_util.c, 1.44, 1.45

Richard Allen Megginson rmeggins at fedoraproject.org
Wed Jan 7 21:45:58 UTC 2009


Author: rmeggins

Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/replication
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv23969/ldapserver/ldap/servers/plugins/replication

Modified Files:
	windows_protocol_util.c 
Log Message:
Resolves: bug 478656
Bug Description:  rhds accounts are disabled in ad after full sync
Reviewed by: nkinder (Thanks!)
Fix Description: The incremental sync code calls send_accountcontrol_modify after adding an entry, but the total update code does not.  I modified the code to do that.  I also changed the send_accountcontrol_modify to force the account to be enabled if adding it.  I tried just adding userAccountControl:512 to the default user add template, but AD does not like this - gives operations error.  So you have to modify userAccountControl after adding the entry.  I also cleaned up a couple of minor memory leaks.
Platforms tested: RHEL5
Flag Day: no
Doc impact: Yes - we need to document the fact that new accounts will now be created in AD enabled



Index: windows_protocol_util.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/windows_protocol_util.c,v
retrieving revision 1.44
retrieving revision 1.45
diff -u -r1.44 -r1.45
--- windows_protocol_util.c	15 Dec 2008 15:59:41 -0000	1.44
+++ windows_protocol_util.c	7 Jan 2009 21:45:55 -0000	1.45
@@ -806,7 +806,7 @@
 }
 
 static int
-send_accountcontrol_modify(Slapi_DN *sdn, Private_Repl_Protocol *prp)
+send_accountcontrol_modify(Slapi_DN *sdn, Private_Repl_Protocol *prp, int missing_entry)
 {
 	ConnResult mod_return = 0;
 	Slapi_Mods smods = {0};
@@ -823,9 +823,18 @@
 		acctval = slapi_entry_attr_get_ulong(remote_entry, "userAccountControl");
 	}
 	slapi_entry_free(remote_entry);
+	/* if we are adding a new entry, we need to set the entry to be
+	   enabled to allow AD login */
+	if (missing_entry) {
+	    slapi_log_error(SLAPI_LOG_REPL, windows_repl_plugin_name,
+			    "%s: New Windows entry %s will be enabled.\n",
+			    agmt_get_long_name(prp->agmt), slapi_sdn_get_dn(sdn));
+	    acctval &= ~0x2; /* unset the disabled bit, if set */
+	}
+	/* set the account to be a normal account */
 	acctval |= 0x0200; /* normal account == 512 */
 
-    slapi_mods_init (&smods, 0);
+	slapi_mods_init (&smods, 0);
 	PR_snprintf(acctvalstr, sizeof(acctvalstr), "%lu", acctval);
 	slapi_mods_add_string(&smods, LDAP_MOD_REPLACE, "userAccountControl", acctvalstr);
 
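Review bot: The new `if (missing_entry)` branch clears the disabled bit for every newly added entry with no visible check of the local entry's activation state, so an account that is inactivated on the directory side would presumably still be created login-enabled in AD. If that is intended, state it at the branch, e.g. `/* enables the AD account unconditionally; the local entry's activation state is not consulted here */`; otherwise gate the clear on the local entry being active. The enable event is logged only at `SLAPI_LOG_REPL`, which may not reach the log in a default configuration, so an audit trail for newly enabled accounts is not guaranteed. The bare masks `0x2` and `0x0200` would read better as named constants, and the added lines mix a tab with four spaces where the rest of the function uses tabs. The function body starts and ends outside this hunk.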
@@ -1320,7 +1329,7 @@
 				 *   userAccountControl: 512 */
 				if (op->operation_type == SLAPI_OPERATION_ADD && missing_entry)
 				{
-					return_value = send_accountcontrol_modify(remote_dn, prp);
+					return_value = send_accountcontrol_modify(remote_dn, prp, missing_entry);
 				}
 			}
 		}
@@ -1340,6 +1349,7 @@
 	{
 		slapi_sdn_free(&remote_dn);
 	}
+	slapi_ch_free_string(&password);
 	return return_value;
 }
 
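Review bot: `password` is freed here but not wiped; if it holds the cleartext value sent to AD (its assignment is outside the hunk, so this is an assumption), the bytes remain readable in freed heap memory. Consider overwriting the buffer before the free, `if (password) memset(password, 0, strlen(password));`, ideally through a wipe helper the compiler cannot elide. The same applies to the identical `slapi_ch_free_string(&password);` added in the last hunk of this diff. The enclosing function starts outside the hunk, so whether an earlier return path bypasses this free cannot be checked from here.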
@@ -3631,6 +3641,10 @@
 			}
 			ldap_mods_free(entryattrs, 1);
 			entryattrs = NULL;
+
+			if (retval == 0) { /* set the account control bits */
+			    retval = send_accountcontrol_modify(remote_dn, prp, missing_entry);
+			}
 		}
 	} else
 	{
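Review bot: When the add succeeds but `send_accountcontrol_modify` fails, `retval` reports a failure although the entry already exists in AD, presumably still disabled. If a later pass finds that entry and `missing_entry` is 0, the new enable branch is skipped, so the account could stay disabled without an obvious trace. A log line on failure would make that state diagnosable, e.g. `if (retval != 0) slapi_log_error(SLAPI_LOG_REPL, windows_repl_plugin_name, "%s: failed to set userAccountControl on new entry %s\n", agmt_get_long_name(prp->agmt), slapi_sdn_get_dn(remote_dn));`. Unlike the incremental call site, this call is not visibly guarded by `missing_entry`; the enclosing branch begins outside the hunk, so that condition may already hold.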
@@ -3659,6 +3673,7 @@
 			slapi_entry_free(remote_entry);
 		}
 	}
+	slapi_ch_free_string(&password);
 	return retval;
 }
 



