From d43e87e10c9ebe8ee1bc6a1481c0f238b1defc37 Mon Sep 17 00:00:00 2001 From: Rich Megginson Date: Fri, 24 Jun 2011 19:38:13 -0600 Subject: winsync enables disabled users in AD https://fedorahosted.org/freeipa/ticket/1379 winsync enables disabled users in AD when the AD entry changes This was likely broken when ipa switched from using CoS/groups for account inactivation to using nsAccountLock directly. The code that handled the account sync in the from AD direction was broken, but was never found before now because it had not been used. The fix is to correctly set or remove nsAccountLock. --- daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c index 2644a0108..5a27321fb 100644 --- a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c +++ b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c @@ -890,11 +890,13 @@ sync_acct_disable( (!ad_is_enabled && (ipaconfig->inactivated_group_dn == NULL))) { char *attrtype = NULL; char *attrval = NULL; + size_t attrvallen = 0; attrtype = "nsAccountLock"; if (ad_is_enabled) { attrval = NULL; /* will delete the value */ } else { - attrval = "true"; + attrval = "TRUE"; + attrvallen = 4; } if (update_entry) { @@ -903,7 +905,7 @@ sync_acct_disable( (ad_is_enabled) ? "enabled" : "disabled", slapi_entry_get_dn_const(ds_entry)); } else { /* do mod */ - struct berval tmpbval = {0, NULL}; + struct berval tmpbval = {attrvallen, attrval}; Slapi_Mod *smod = slapi_mod_new(); slapi_mod_init(smod, 1); /* one element */ slapi_mod_set_type(smod, attrtype); 
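Review bot: The length `attrvallen = 4` in the else branch is a hand-counted constant that has to stay in step with the literal `"TRUE"` on the line above. It is also what the following hunk passes as the value length in `struct berval tmpbval = {attrvallen, attrval};`. If the literal is ever edited without the count, the nsAccountLock value written for a disabled AD account would be truncated or read past the end of the string, so deriving the length is safer: `attrvallen = strlen(attrval);`. The commit message does not say why the value changes from `"true"` to `"TRUE"`, so a one-line comment giving the reason would help the next reader. The body of sync_acct_disable starts and ends outside these hunks.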
@@ -911,8 +913,8 @@ sync_acct_disable( slapi_mod_set_operation(smod, LDAP_MOD_DELETE|LDAP_MOD_BVALUES); } else { slapi_mod_set_operation(smod, LDAP_MOD_REPLACE|LDAP_MOD_BVALUES); + slapi_mod_add_value(smod, &tmpbval); } - slapi_mod_add_value(smod, &tmpbval); slapi_mods_add_ldapmod(smods, slapi_mod_get_ldapmod_passout(smod)); slapi_mod_free(&smod); -- cgit
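Review bot: With `slapi_mod_add_value` moved into the else branch, the `attrval == NULL` branch now sends `LDAP_MOD_DELETE|LDAP_MOD_BVALUES` with no values. That removes the whole nsAccountLock attribute, but under standard LDAP modify semantics it fails with noSuchAttribute when the entry has none. Whether the enclosing condition guarantees the attribute is present cannot be seen from this hunk, because the function body starts and ends outside it. If it does not, calling `slapi_mod_set_operation(smod, LDAP_MOD_REPLACE|LDAP_MOD_BVALUES);` in both cases and adding the value only when `attrval != NULL` tolerates a missing attribute, since a replace with no values is ignored when the attribute is absent. If it does, a comment such as `/* DS entry is currently locked, so nsAccountLock exists */` would record the assumption.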