The kerberos packages have (compile time) support for attributes specific to
eDirectory to check for account locking.
A patch that implements support for the RH Directory Server nsAccountLock attribute
would be useful.
Created attachment 294169
ldap backend patch
Reference patch to provide support for nsAccountLock initially built for Fedora
Created attachment 294170
spec file patch
Reference patch built against a Fedora 8 package
Does it make sense for kadmin clients which toggle the DISALLOW_ALL_TIX flag to
attempt to change the nsAccountLock setting as well, then?
Not sure, when you use a directory server as storage kadmin is not really the
best tool to manage accounts anyway.
Nalin, as we just discussed, please continue to work on the technical resolution
and test plan for this exception. Both actions need to be completed on/before
3-March-2008, or this exception will not be considered for RHEL5.2.
> Not sure, when you use a directory server as storage kadmin is not really the
> best tool to manage accounts anyway.
I'm not generally keen on that rationale, but as the support for similar account
locking facilities with eDirectory is likewise read-only, this is at least
consistent with what's already there.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.