rpms/krb5/devel krb5-1.6.2-dirsrv-accountlock.patch, NONE, 1.1 krb5.spec, 1.154, 1.155

Nalin Somabhai Dahyabhai (nalin) fedora-extras-commits at redhat.com
Mon Feb 18 18:45:15 UTC 2008


Author: nalin

Update of /cvs/pkgs/rpms/krb5/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv25146

Modified Files:
	krb5.spec 
Added Files:
	krb5-1.6.2-dirsrv-accountlock.patch 
Log Message:
- drop netdb patch
- kdb_ldap: add patch to treat 'nsAccountLock: true' as an indication that
  the DISALLOW_ALL_TIX flag is set on an entry, for better interop with Fedora,
  Netscape, Red Hat Directory Server (Simo Sorce)


krb5-1.6.2-dirsrv-accountlock.patch:

--- NEW FILE krb5-1.6.2-dirsrv-accountlock.patch ---
diff -ur krb5-1.6.2.orig/src/aclocal.m4 krb5-1.6.2/src/aclocal.m4
--- krb5-1.6.2.orig/src/aclocal.m4	2007-11-20 11:39:51.000000000 -0500
+++ krb5-1.6.2/src/aclocal.m4	2007-11-20 12:09:56.000000000 -0500
@@ -1798,6 +1798,12 @@
     yes | no) ;;
     *)  AC_MSG_ERROR(Invalid option value --with-edirectory="$withval") ;;
 esac], with_edirectory=no)dnl
+AC_ARG_WITH([dirsrv],
+[  --with-dirsrv       compile Red Hat/Fedora/Netscape Directory Server database backend module],
+[case "$withval" in
+    yes | no) ;;
+    *)  AC_MSG_ERROR(Invalid option value --with-dirsrv="$withval") ;;
+esac], with_dirsrv=no)dnl
 
 if test $with_ldap = yes; then
   if test $with_edirectory = yes; then
@@ -1809,6 +1815,10 @@
   AC_MSG_NOTICE(enabling eDirectory database backend module support)
   OPENLDAP_PLUGIN=yes
   AC_DEFINE(HAVE_EDIRECTORY,1,[Define if LDAP KDB interface should assume eDirectory.])
+elif test $with_dirsrv = yes; then
+  AC_MSG_NOTICE(enabling Red Hat/Fedora/Netscape Directory Server database backend module support)
+  OPENLDAP_PLUGIN=yes
+  AC_DEFINE(HAVE_DIRSRV,1,[Define if LDAP KDB interface should assume RHDS/FDS/NDS.])
 else
   : # neither enabled
 dnl  AC_MSG_NOTICE(disabling ldap backend module support)
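Review bot: The new `elif test $with_dirsrv = yes` branch sits after the `$with_ldap` and `$with_edirectory` tests, so `--with-dirsrv` combined with either of those appears to select the other backend silently; `HAVE_DIRSRV` is then never defined and the nsAccountLock check is compiled out. The chain seems to reject at least one conflicting pair already (the nested `if test $with_edirectory = yes` opens at the end of the previous hunk, and its body lies outside both hunks). The same treatment fits here, placed ahead of the chain: `if test $with_dirsrv = yes && test $with_edirectory = yes; then AC_MSG_ERROR(Cannot enable both eDirectory and Directory Server backends) fi`. Whether `--with-ldap --with-dirsrv` should be an error or should imply the define is worth stating in the `--with-dirsrv` help text.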
diff -ur krb5-1.6.2.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c krb5-1.6.2/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
--- krb5-1.6.2.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c	2006-12-21 23:28:09.000000000 -0500
+++ krb5-1.6.2/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c	2007-11-20 12:04:10.000000000 -0500
@@ -2141,6 +2141,22 @@
 	}
     }
 #endif
+#ifdef HAVE_DIRSRV
+    {
+	krb5_timestamp              expiretime=0;
+	char                        *is_login_disabled=NULL;
+
+	/* LOGIN DISABLED */
+	if ((st=krb5_ldap_get_string(ld, ent, "nsaccountlock", &is_login_disabled,
+		    &attr_present)) != 0)
+	    goto cleanup;
+	if (attr_present == TRUE) {
+	    if (strcasecmp(is_login_disabled, "TRUE")== 0)
+		entry->attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
+	    free (is_login_disabled);
+	}
+    }
+#endif
 
     if ((st=krb5_read_tkt_policy (context, ldap_context, entry, tktpolname)) !=0)
 	goto cleanup;
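Review bot: The lock bit is OR-ed into `entry->attributes` immediately before `krb5_read_tkt_policy()` is called on the same `entry`. If that function assigns `entry->attributes` from a ticket policy (its body is not in this hunk), `KRB5_KDB_DISALLOW_ALL_TIX` would be dropped for principals that take their flags from policy, and a locked account would still be issued tickets. Confirm that it only fills in or ORs flags, or move the `#ifdef HAVE_DIRSRV` block below that call. Separately, `expiretime` is declared and never used in the block and can be removed, and a comment such as `/* nsAccountLock absent or not "true": entry is treated as unlocked */` would make the default explicit. The enclosing function starts and ends outside the hunk.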
diff -ur krb5-1.6.2.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c krb5-1.6.2/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
--- krb5-1.6.2.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c	2007-01-03 19:27:26.000000000 -0500
+++ krb5-1.6.2/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c	2007-11-20 12:00:27.000000000 -0500
@@ -57,6 +57,9 @@
 				     "loginexpirationtime",
 				     "logindisabled",
 #endif
+#ifdef HAVE_DIRSRV
+				     "nsaccountlock",
+#endif
 				     "loginexpirationtime",
 				     "logindisabled",
 				     "modifytimestamp",
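Review bot: `"nsaccountlock"` is added to the requested-attribute list with no comment on why it is named explicitly or what happens when it cannot be read. Directory Server appears to treat nsAccountLock as an operational attribute (worth confirming against its schema), which would mean it is returned only on request. The reader added in ldap_misc.c leaves the flags untouched when the attribute is absent, so a KDC bind identity without read access to it would see every locked entry as unlocked. Suggested comment above the entry: `/* account-inactivation state; the KDC bind DN needs read access or locks are not seen */`. The array starts and ends outside the hunk.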


Index: krb5.spec
===================================================================
RCS file: /cvs/pkgs/rpms/krb5/devel/krb5.spec,v
retrieving revision 1.154
retrieving revision 1.155
diff -u -r1.154 -r1.155
--- krb5.spec	13 Feb 2008 23:10:32 -0000	1.154
+++ krb5.spec	18 Feb 2008 18:44:39 -0000	1.155
@@ -1,5 +1,6 @@
 %define WITH_LDAP 1
 %define WITH_OPENSSL 1
+%define WITH_DIRSRV 1
 
 %define krb5prefix %{_prefix}/kerberos
 
@@ -15,7 +16,7 @@
 Summary: The Kerberos network authentication system.
 Name: krb5
 Version: 1.6.3
-Release: 6%{?dist}
+Release: 7%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.6/krb5-1.6.2-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -94,7 +95,7 @@
 Patch68: krb5-trunk-spnego_delegation.patch
 Patch69: krb5-trunk-seqnum.patch
 Patch70: krb5-trunk-kpasswd_tcp2.patch
-Patch71: krb5-1.6.3-netdb.patch
+Patch71: krb5-1.6.2-dirsrv-accountlock.patch
 
 License: MIT, freely distributable.
 URL: http://web.mit.edu/kerberos/www/
@@ -225,6 +226,12 @@
 certificate.
 
 %changelog
+* Mon Feb 18 2008 Nalin Dahyabhai <nalin at redhat.com> 1.6.3-7
+- drop netdb patch
+- kdb_ldap: add patch to treat 'nsAccountLock: true' as an indication that
+  the DISALLOW_ALL_TIX flag is set on an entry, for better interop with Fedora,
+  Netscape, Red Hat Directory Server (Simo Sorce)
+
 * Wed Feb 13 2008 Nalin Dahyabhai <nalin at redhat.com> 1.6.3-6
 - patch to avoid depending on <netdb.h> to define NI_MAXHOST and NI_MAXSERV
 
@@ -1294,7 +1301,7 @@
 %patch68 -p0 -b .spnego_delegation
 %patch69 -p0 -b .seqnum
 #%patch70 -p0 -b .kpasswd_tcp2
-%patch71 -p1 -b .netdb
+%patch71 -p1 -b .dirsrv-accountlock
 cp src/krb524/README README.krb524
 gzip doc/*.ps
 
@@ -1350,12 +1357,6 @@
 %ifarch %{ix86} s390 ppc sparc
 DEFINES="-D_FILE_OFFSET_BITS=64" ; export DEFINES
 %endif
-# Enable or disable the LDAP plugin.
-%if %{WITH_LDAP}
-OPENLDAP_PLUGIN=yes
-%else
-OPENLDAP_PLUGIN=""
-%endif
 # Enable or disable the PKINIT plugin.  The configure script only checks for
 # the version of OpenSSL being okay, so for now we have to use that to control
 # whether or not it tries to build the module.
@@ -1371,7 +1372,6 @@
 	CC=%{__cc} \
 	CFLAGS="$CFLAGS" \
 	CPPFLAGS="$CPPFLAGS" \
-	OPENLDAP_PLUGIN="$OPENLDAP_PLUGIN" \
 	SS_LIB="-lss -lcurses" \
 	--enable-shared \
 %if %{build_static}
@@ -1388,6 +1388,13 @@
 	--with-netlib=-lresolv \
 	--without-tcl \
 	--enable-dns \
+%if %{WITH_LDAP}
+%if %{WITH_DIRSRV}
+	--with-dirsrv \
+%else
+	--with-ldap \
+%endif
+%endif
 	--with-pam \
 	--with-pam-login-service=%{login_pam_service} \
 	--with-selinux
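Review bot: `--with-dirsrv` is defined only by the patched `aclocal.m4`, so it takes effect only if `configure` is regenerated after `%patch71`, and no regeneration step is visible in these hunks. Configure scripts generated by autoconf of that period typically accept unknown `--with-*` options without an error, in which case the package would build without `HAVE_DIRSRV` and silently ignore nsAccountLock. Confirm the step exists and record it in a comment above the configure invocation, for example `# --with-dirsrv needs configure rebuilt from the patched aclocal.m4`, or have the build fail when the generated config header lacks `HAVE_DIRSRV`. Note also that with `WITH_LDAP` set to 0 the `WITH_DIRSRV` define has no effect.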



