winsync enables disabled users in AD

https://fedorahosted.org/freeipa/ticket/1379
winsync enables disabled users in AD when the AD entry changes
This was likely broken when ipa switched from using CoS/groups for account
inactivation to using nsAccountLock directly.  The code that handled the
account sync in the AD-to-IPA direction was broken, but this was never noticed
before now because it had not been used.  The fix is to correctly set or remove
nsAccountLock.
Rich Megginson 2011-06-24 19:38:13 -06:00 committed by Rob Crittenden
parent 5f4c75eb28
commit d43e87e10c


@ -890,11 +890,13 @@ sync_acct_disable(
(!ad_is_enabled && (ipaconfig->inactivated_group_dn == NULL))) {
char *attrtype = NULL;
char *attrval = NULL;
size_t attrvallen = 0;
attrtype = "nsAccountLock";
if (ad_is_enabled) {
attrval = NULL; /* will delete the value */
} else {
attrval = "true";
attrval = "TRUE";
attrvallen = 4;
}
if (update_entry) {
@ -903,7 +905,7 @@ sync_acct_disable(
(ad_is_enabled) ? "enabled" : "disabled",
slapi_entry_get_dn_const(ds_entry));
} else { /* do mod */
struct berval tmpbval = {0, NULL};
struct berval tmpbval = {attrvallen, attrval};
Slapi_Mod *smod = slapi_mod_new();
slapi_mod_init(smod, 1); /* one element */
slapi_mod_set_type(smod, attrtype);
@ -911,8 +913,8 @@ sync_acct_disable(
slapi_mod_set_operation(smod, LDAP_MOD_DELETE|LDAP_MOD_BVALUES);
} else {
slapi_mod_set_operation(smod, LDAP_MOD_REPLACE|LDAP_MOD_BVALUES);
slapi_mod_add_value(smod, &tmpbval);
}
slapi_mod_add_value(smod, &tmpbval);
slapi_mods_add_ldapmod(smods,
slapi_mod_get_ldapmod_passout(smod));
slapi_mod_free(&smod);
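Review bot: The new `attrvallen = 4;` in the first hunk hard-codes the length of the `"TRUE"` literal assigned on the line above, so the two can silently drift apart if either is edited; deriving the length from the literal, `attrval = "TRUE"; attrvallen = strlen(attrval);` (or `sizeof("TRUE") - 1` if `<string.h>` is not already included), keeps the berval built at `struct berval tmpbval = {attrvallen, attrval};` consistent by construction. The switch from `"true"` to `"TRUE"` also deserves a one-line comment at that assignment so the next maintainer does not revert it, e.g. `/* LDAP Boolean syntax (RFC 4517) defines only "TRUE"/"FALSE" */` — assuming nsAccountLock is indeed declared with Boolean syntax in the schema, which this hunk does not show. Moving `slapi_mod_add_value` into the REPLACE branch so the DELETE case carries no value looks correct given `attrval` is NULL there. `sync_acct_disable` begins and ends outside these hunks.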