rpms/krb5/F-8 krb5-1.6.2-dirsrv-accountlock.patch, NONE, 1.1 krb5.spec, 1.149, 1.150

Nalin Somabhai Dahyabhai (nalin) fedora-extras-commits at redhat.com
Tue Feb 26 21:58:17 UTC 2008


Author: nalin

Update of /cvs/pkgs/rpms/krb5/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv12068/F-8

Modified Files:
	krb5.spec 
Added Files:
	krb5-1.6.2-dirsrv-accountlock.patch 
Log Message:
- kdb_ldap: add patch to treat 'nsAccountLock: true' as an indication that
  the DISALLOW_ALL_TIX flag is set on an entry, for better interop with Fedora,
  Netscape, Red Hat Directory Server (Simo Sorce)


krb5-1.6.2-dirsrv-accountlock.patch:

--- NEW FILE krb5-1.6.2-dirsrv-accountlock.patch ---
diff -ur krb5-1.6.2.orig/src/aclocal.m4 krb5-1.6.2/src/aclocal.m4
--- krb5-1.6.2.orig/src/aclocal.m4	2007-11-20 11:39:51.000000000 -0500
+++ krb5-1.6.2/src/aclocal.m4	2007-11-20 12:09:56.000000000 -0500
@@ -1798,6 +1798,12 @@
     yes | no) ;;
     *)  AC_MSG_ERROR(Invalid option value --with-edirectory="$withval") ;;
 esac], with_edirectory=no)dnl
+AC_ARG_WITH([dirsrv],
+[  --with-dirsrv       compile Red Hat/Fedora/Netscape Directory Server database backend module],
+[case "$withval" in
+    yes | no) ;;
+    *)  AC_MSG_ERROR(Invalid option value --with-dirsrv="$withval") ;;
+esac], with_dirsrv=no)dnl
 
 if test $with_ldap = yes; then
   if test $with_edirectory = yes; then
@@ -1809,6 +1815,10 @@
   AC_MSG_NOTICE(enabling eDirectory database backend module support)
   OPENLDAP_PLUGIN=yes
   AC_DEFINE(HAVE_EDIRECTORY,1,[Define if LDAP KDB interface should assume eDirectory.])
+elif test $with_dirsrv = yes; then
+  AC_MSG_NOTICE(enabling Red Hat/Fedora/Netscape Directory Server database backend module support)
+  OPENLDAP_PLUGIN=yes
+  AC_DEFINE(HAVE_DIRSRV,1,[Define if LDAP KDB interface should assume RHDS/FDS/NDS.])
 else
   : # neither enabled
 dnl  AC_MSG_NOTICE(disabling ldap backend module support)
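Review bot: The new `elif test $with_dirsrv = yes` branch is only reached when the branches before it are not taken, so a build configured with `--with-dirsrv` together with `--with-ldap` or `--with-edirectory` would apparently get a backend without `HAVE_DIRSRV` and no diagnostic. The context at the end of the previous hunk (`if test $with_ldap = yes; then` / `if test $with_edirectory = yes; then`) suggests the OpenLDAP/eDirectory pair is checked for conflicts, though the lines between the two hunks are not shown. Since `HAVE_DIRSRV` is what enables the `nsaccountlock` check, a silent fallback means locked accounts are not treated as `DISALLOW_ALL_TIX`. I would add a matching check inside the `with_ldap` and `with_edirectory` branches, such as `if test $with_dirsrv = yes; then AC_MSG_ERROR(Cannot enable both this backend and the Directory Server backend; choose one.) fi`. The enclosing `if` starts before this hunk and its `fi` is outside it.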
diff -ur krb5-1.6.2.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c krb5-1.6.2/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
--- krb5-1.6.2.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c	2006-12-21 23:28:09.000000000 -0500
+++ krb5-1.6.2/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c	2007-11-20 12:04:10.000000000 -0500
@@ -2141,6 +2141,22 @@
 	}
     }
 #endif
+#ifdef HAVE_DIRSRV
+    {
+	krb5_timestamp              expiretime=0;
+	char                        *is_login_disabled=NULL;
+
+	/* LOGIN DISABLED */
+	if ((st=krb5_ldap_get_string(ld, ent, "nsaccountlock", &is_login_disabled,
+		    &attr_present)) != 0)
+	    goto cleanup;
+	if (attr_present == TRUE) {
+	    if (strcasecmp(is_login_disabled, "TRUE")== 0)
+		entry->attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
+	    free (is_login_disabled);
+	}
+    }
+#endif
 
     if ((st=krb5_read_tkt_policy (context, ldap_context, entry, tktpolname)) !=0)
 	goto cleanup;
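Review bot: `expiretime` is declared in the new `HAVE_DIRSRV` block but never used there, so it should be dropped; it looks carried over from the block above, which is not fully shown. The block would also benefit from a comment stating the fail-open cases, e.g. `/* Only nsAccountLock: true (any case) locks the principal; an absent attribute or any other value leaves attributes unchanged. */`. Because the flag is OR-ed into `entry->attributes` at read time, it is worth confirming that an administrative modify of the entry cannot write this derived `KRB5_KDB_DISALLOW_ALL_TIX` back into the stored ticket flags, where it would outlive the directory lock; the write path is not visible here. The enclosing function starts and ends outside the hunk.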
diff -ur krb5-1.6.2.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c krb5-1.6.2/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
--- krb5-1.6.2.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c	2007-01-03 19:27:26.000000000 -0500
+++ krb5-1.6.2/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c	2007-11-20 12:00:27.000000000 -0500
@@ -57,6 +57,9 @@
 				     "loginexpirationtime",
 				     "logindisabled",
 #endif
+#ifdef HAVE_DIRSRV
+				     "nsaccountlock",
+#endif
 				     "loginexpirationtime",
 				     "logindisabled",
 				     "modifytimestamp",
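Review bot: The `"nsaccountlock"` literal added here must stay identical to the one passed to `krb5_ldap_get_string()` in ldap_misc.c, and nothing ties the two together. If the name were missing from this request list, the lookup would presumably just report the attribute as absent and the principal would be treated as unlocked. A short comment such as `/* requested so the HAVE_DIRSRV account-lock check in ldap_misc.c can see it */`, or a shared macro for the name, would make the coupling visible. The array definition starts and ends outside the hunk.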


Index: krb5.spec
===================================================================
RCS file: /cvs/pkgs/rpms/krb5/F-8/krb5.spec,v
retrieving revision 1.149
retrieving revision 1.150
diff -u -r1.149 -r1.150
--- krb5.spec	26 Feb 2008 21:50:23 -0000	1.149
+++ krb5.spec	26 Feb 2008 21:57:42 -0000	1.150
@@ -93,6 +93,7 @@
 Patch67: krb5-trunk-server_delegation.patch
 Patch68: krb5-trunk-spnego_delegation.patch
 Patch69: krb5-1.6.1-gic_opt_chg_pwd_prmpt.patch
+Patch70: krb5-1.6.2-dirsrv-accountlock.patch
 
 License: MIT, freely distributable.
 URL: http://web.mit.edu/kerberos/www/
@@ -211,6 +212,9 @@
 %changelog
 * Tue Feb 26 2008 Nalin Dahyabhai <nalin at redhat.com> 1.6.2-13
 - stop adding a redundant but harmless call to initialize the gssapi internals
+- kdb_ldap: add patch to treat 'nsAccountLock: true' as an indication that
+  the DISALLOW_ALL_TIX flag is set on an entry, for better interop with Fedora,
+  Netscape, Red Hat Directory Server (Simo Sorce)
 
 * Mon Feb 25 2008 Nalin Dahyabhai <nalin at redhat.com>
 - in login, allow PAM to interact with the user when they've been strongly
@@ -1274,6 +1278,7 @@
 %patch67 -p0 -b .server-delegation
 %patch68 -p0 -b .spnego_delegation
 %patch69 -p1 -b .gic_opt_chg_pwd_prmpt
+%patch70 -p1 -b .dirsrv_accountlock
 cp src/krb524/README README.krb524
 gzip doc/*.ps
 
@@ -1329,12 +1334,6 @@
 %ifarch %{ix86} s390 ppc sparc
 DEFINES="-D_FILE_OFFSET_BITS=64" ; export DEFINES
 %endif
-# Enable or disable the LDAP plugin.
-%if %{WITH_LDAP}
-OPENLDAP_PLUGIN=yes
-%else
-OPENLDAP_PLUGIN=""
-%endif
 # Work out the CFLAGS and CPPFLAGS which we intend to use.
 CFLAGS="`echo $RPM_OPT_FLAGS $DEFINES $INCLUDES -fPIC`"
 CPPFLAGS="`echo $DEFINES $INCLUDES`"
@@ -1342,8 +1341,14 @@
 	CC=%{__cc} \
 	CFLAGS="$CFLAGS" \
 	CPPFLAGS="$CPPFLAGS" \
-	OPENLDAP_PLUGIN="$OPENLDAP_PLUGIN" \
 	SS_LIB="-lss -lcurses" \
+%if %{WITH_LDAP}
+%if %{WITH_DIRSRV}
+	--with-dirsrv \
+%else
+	--with-ldap \
+%endif
+%endif
 	--enable-shared \
 %if %{build_static}
 	--enable-static \
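Review bot: `%{WITH_DIRSRV}` is tested in the new `%if` but is not defined in any hunk of this diff; if it is not already defined earlier in the spec, the conditional will not evaluate as intended, so please confirm it exists with an explicit default. With the `# Enable or disable the LDAP plugin.` comment removed, nothing explains that the two flags are alternatives: judging by the aclocal.m4 change, only the `--with-dirsrv` build defines `HAVE_DIRSRV` and honours `nsAccountLock`. A comment cannot sit between the backslash-continued configure arguments, so I would put `# WITH_DIRSRV selects the LDAP backend that honours nsAccountLock; otherwise plain --with-ldap is used.` above the configure invocation, which starts outside this hunk.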



