Treat 'nsAccountLock: true' the same as 'loginDisabled: true'.  Updated from
original version filed as RT#5891.

diff -up krb5-1.8/src/aclocal.m4.dirsrv-accountlock krb5-1.8/src/aclocal.m4
--- krb5-1.8/src/aclocal.m4.dirsrv-accountlock	2010-03-05 11:03:09.000000000 -0500
+++ krb5-1.8/src/aclocal.m4	2010-03-05 11:03:10.000000000 -0500
@@ -1678,6 +1678,12 @@ AC_ARG_WITH([edirectory],
     yes | no) ;;
     *)  AC_MSG_ERROR(Invalid option value --with-edirectory="$withval") ;;
 esac], with_edirectory=no)dnl
+AC_ARG_WITH([dirsrv],
+[  --with-dirsrv       compile 389/Red Hat/Fedora/Netscape Directory Server database backend module],
+[case "$withval" in
+    yes | no) ;;
+    *)  AC_MSG_ERROR(Invalid option value --with-dirsrv="$withval") ;;
+esac], with_dirsrv=no)dnl
 
 if test $with_ldap = yes; then
   if test $with_edirectory = yes; then
@@ -1689,6 +1695,10 @@ elif test $with_edirectory = yes; then
   AC_MSG_NOTICE(enabling eDirectory database backend module support)
   OPENLDAP_PLUGIN=yes
   AC_DEFINE(HAVE_EDIRECTORY,1,[Define if LDAP KDB interface should assume eDirectory.])
+elif test $with_dirsrv = yes; then
+  AC_MSG_NOTICE(enabling 389/Red Hat/Fedora/Netscape Directory Server database backend module support)
+  OPENLDAP_PLUGIN=yes
+  AC_DEFINE(HAVE_DIRSRV,1,[Define if LDAP KDB interface should assume RHDS/FDS/NDS.])
 else
   : # neither enabled
 dnl  AC_MSG_NOTICE(disabling ldap backend module support)
diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.dirsrv-accountlock krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
--- krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.dirsrv-accountlock	2009-11-24 18:52:25.000000000 -0500
+++ krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c	2010-03-05 11:03:10.000000000 -0500
@@ -2101,6 +2101,22 @@ populate_krb5_db_entry(krb5_context cont
         }
     }
 #endif
+#ifdef HAVE_DIRSRV
+    {
+        krb5_timestamp              expiretime=0;
+        char                        *is_login_disabled=NULL;
+
+        /* LOGIN DISABLED */
+        if ((st=krb5_ldap_get_string(ld, ent, "nsaccountlock", &is_login_disabled,
+                    &attr_present)) != 0)
+            goto cleanup;
+        if (attr_present == TRUE) {
+            if (strcasecmp(is_login_disabled, "TRUE")== 0)
+                entry->attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
+            free (is_login_disabled);
+        }
+    }
+#endif
 
     if ((st=krb5_read_tkt_policy (context, ldap_context, entry, tktpolname)) !=0)
         goto cleanup;
diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c.dirsrv-accountlock krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
--- krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c.dirsrv-accountlock	2009-11-24 18:52:25.000000000 -0500
+++ krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c	2010-03-05 11:03:10.000000000 -0500
@@ -59,6 +59,9 @@ char     *principal_attributes[] = { "kr
                                      "loginexpirationtime",
                                      "logindisabled",
 #endif
+#ifdef HAVE_DIRSRV
+                                     "nsaccountlock",
+#endif
                                      "krbLastPwdChange",
                                      "krbLastAdminUnlock",
                                      "krbExtraData",