authorRich Megginson <rmeggins@redhat.com>2011-06-24 19:38:13 -0600
committerRob Crittenden <rcritten@redhat.com>2011-06-28 00:11:04 -0400
commitd43e87e10c9ebe8ee1bc6a1481c0f238b1defc37 (patch)
tree56d8b857c75ad29e276cbefc388a06010531a724
parent5f4c75eb28b3d50a35fbf3a86a6d842bce8e72f9 (diff)
winsync enables disabled users in AD
https://fedorahosted.org/freeipa/ticket/1379 winsync enables disabled users in AD when the AD entry changes. This was likely broken when ipa switched from using CoS/groups for account inactivation to using nsAccountLock directly. The code that handled the account sync in the from-AD direction was broken, but was never found before now because it had not been used. The fix is to correctly set or remove nsAccountLock.
-rw-r--r--daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c
index 2644a0108..5a27321fb 100644
--- a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c
+++ b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c
@@ -890,11 +890,13 @@ sync_acct_disable(
(!ad_is_enabled && (ipaconfig->inactivated_group_dn == NULL))) {
char *attrtype = NULL;
char *attrval = NULL;
+ size_t attrvallen = 0;
attrtype = "nsAccountLock";
if (ad_is_enabled) {
attrval = NULL; /* will delete the value */
} else {
- attrval = "true";
+ attrval = "TRUE";
+ attrvallen = 4;
}
if (update_entry) {
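Review bot: The literal in `attrvallen = 4;` has to be kept in step with the `"TRUE"` string by hand. If the value is ever edited, the berval built from it would carry a length that truncates or over-reads the lock value, and this is the attribute that decides whether a disabled account stays disabled. Deriving the length from the string removes that coupling: `attrvallen = strlen(attrval);`. The body of sync_acct_disable starts and ends outside this hunk, so how `attrval` is consumed on the `update_entry` path is not visible here.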
@@ -903,7 +905,7 @@ sync_acct_disable(
(ad_is_enabled) ? "enabled" : "disabled",
slapi_entry_get_dn_const(ds_entry));
} else { /* do mod */
- struct berval tmpbval = {0, NULL};
+ struct berval tmpbval = {attrvallen, attrval};
Slapi_Mod *smod = slapi_mod_new();
slapi_mod_init(smod, 1); /* one element */
slapi_mod_set_type(smod, attrtype);
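Review bot: `struct berval tmpbval = {attrvallen, attrval};` is built on every pass through the mod path, including the enable case where `attrval` is NULL and the struct is never used. Declaring it inside the branch that calls `slapi_mod_add_value` would keep the value next to its only use and make it obvious that a NULL berval is never handed to the mod. Designated initializers would also stop the code depending on member order, if the file's C dialect allows them: `struct berval tmpbval = { .bv_len = attrvallen, .bv_val = attrval };`. The branch in question lies in the following hunk, and the enclosing function continues outside this one.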
@@ -911,8 +913,8 @@ sync_acct_disable(
slapi_mod_set_operation(smod, LDAP_MOD_DELETE|LDAP_MOD_BVALUES);
} else {
slapi_mod_set_operation(smod, LDAP_MOD_REPLACE|LDAP_MOD_BVALUES);
+ slapi_mod_add_value(smod, &tmpbval);
}
- slapi_mod_add_value(smod, &tmpbval);
slapi_mods_add_ldapmod(smods,
slapi_mod_get_ldapmod_passout(smod));
slapi_mod_free(&smod);
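Review bot: The `LDAP_MOD_DELETE|LDAP_MOD_BVALUES` branch now sends the mod with no values, which in LDAP removes every value of nsAccountLock, and nothing in the code says that this is intentional. Since this is the line that unlocks an account, a comment such as `/* no values: delete the whole nsAccountLock attribute to re-enable the account */` would stop a later cleanup from re-adding a value. If this point can be reached for an entry that has no nsAccountLock at all, the delete would presumably be rejected as no-such-attribute. The guarding condition is outside the hunk, so that is worth confirming against the caller's error handling.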