Support 389ds's lockout model 931/head
authorRobbie Harwood <rharwood@redhat.com>
Tue, 23 Aug 2016 20:47:44 +0000 (16:47 -0400)
committerGreg Hudson <ghudson@mit.edu>
Tue, 21 May 2019 16:22:20 +0000 (12:22 -0400)
Handle the attribute 'nsAccountLock' from Netscape derivatives.  Based
on a patch by Nalin Dahyabhai and Simo Sorce.

ticket: 5891

src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c

index 5b9d1e9fa67c236d96d655619014f8abced292c2..2ade63719456cb5fd5c7a7d5d9dea6752c3f49ef 100644 (file)
@@ -1420,6 +1420,7 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context,
     struct berval **ber_key_data = NULL, **ber_tl_data = NULL;
     krb5_tl_data userinfo_tl_data = { NULL }, **endp, *tl;
     osa_princ_ent_rec princ_ent;
+    char *is_login_disabled = NULL;
 
     memset(&princ_ent, 0, sizeof(princ_ent));
 
@@ -1653,6 +1654,23 @@ populate_krb5_db_entry(krb5_context context, krb5_ldap_context *ldap_context,
     if (ret)
         goto cleanup;
 
+    /*
+     * 389ds and other Netscape directory server derivatives support an
+     * attribute "nsAccountLock" which functions similarly to eDirectory's
+     * "loginDisabled".  When the user's account object is also a
+     * krbPrincipalAux object, the kdb entry should be treated as if
+     * DISALLOW_ALL_TIX has been set.
+     */
+    ret = krb5_ldap_get_string(ld, ent, "nsAccountLock", &is_login_disabled,
+                               &attr_present);
+    if (ret)
+        goto cleanup;
+    if (attr_present == TRUE) {
+        if (strcasecmp(is_login_disabled, "TRUE") == 0)
+            entry->attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
+        free(is_login_disabled);
+    }
+
     ret = krb5_read_tkt_policy(context, ldap_context, entry, tktpolname);
     if (ret)
         goto cleanup;
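Review bot: The synthesized DISALLOW_ALL_TIX is ORed into entry->attributes, where it is indistinguishable from a flag stored in the directory; if any later write path copies entry->attributes back to the LDAP object (not visible in this hunk), the lock could be persisted and outlive nsAccountLock being cleared, so this is worth confirming against the store path. The `free(is_login_disabled)` inside the attr_present branch is correct today, but it leaves the pointer dangling between this point and the later `goto cleanup` exits; since the earlier hunk NULL-initializes it, freeing it at the cleanup label instead would keep ownership uniform with the rest of the function. Only a case-insensitive "TRUE" sets the lock, while absence or any other value leaves the entry unchanged, which the comment could state explicitly, e.g. `/* Any value other than TRUE (case-insensitive), or absence, leaves the entry unlocked. */`. populate_krb5_db_entry starts and ends outside this hunk, so the cleanup label's handling of is_login_disabled cannot be checked from here.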
index d722dbfa60aa5eb147c3e48e91150bd1754f9067..a5180c73ffa85076a54ae3e7f433d8cd4fcc994c 100644 (file)
@@ -54,6 +54,7 @@ char     *principal_attributes[] = { "krbprincipalname",
                                      "krbLastFailedAuth",
                                      "krbLoginFailedCount",
                                      "krbLastSuccessfulAuth",
+                                     "nsAccountLock",
                                      "krbLastPwdChange",
                                      "krbLastAdminUnlock",
                                      "krbPrincipalAuthInd",