Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
For bugs related to Red Hat Enterprise Linux 5 product line. The current stable release is 5.10. For Red Hat Enterprise Linux 6 and above, please visit Red Hat JIRA https://issues.redhat.com/secure/CreateIssue!default.jspa?pid=12332745 to report new issues.

Bug 431784

Summary: RFE: Support for Directory Server specify account lock attribute
Product: Red Hat Enterprise Linux 5 Reporter: Simo Sorce <ssorce>
Component: krb5Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: high    
Version: 5.2CC: jplans
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: RHBA-2008-0381 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-05-21 15:28:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
ldap backend patch
none
spec file patch none

Description Simo Sorce 2008-02-06 22:27:41 UTC 
The kerberos packages have (compile time) support for attributes specific to
eDirectory to check for account locking.
A patch that implement support for RH Directory Server nsAccountLock attribute
would be useful.
Comment 1 Simo Sorce 2008-02-06 22:28:57 UTC 
Created attachment 294169 [details]
ldap backend patch

Reference patch to provide support for nsAccountLock initially built for Fedora
8
Comment 2 Simo Sorce 2008-02-06 22:29:34 UTC 
Created attachment 294170 [details]
spec file patch

Reference patch bvuilt against an Fedora 8 package
Comment 4 Nalin Dahyabhai 2008-02-07 00:12:04 UTC 
Does it make sense for kadmin clients which toggle the DISALLOW_ALL_TIX flag to
attempt to change the nsAccountLock setting as well, then?
Comment 5 Simo Sorce 2008-02-07 00:43:39 UTC 
Not sure, when you use a directory server as storage kadmin is not really the
best tool to manage accounts anyway.
Comment 6 Ken Reilly 2008-02-08 17:40:32 UTC 
Nalin, As we just discussed please continue to work on the technical resolution
and test plan for this exception. Both actions need to be completed on/before
3-March-2008, or this exception will not be considered for RHEL5.2.
Comment 7 Nalin Dahyabhai 2008-02-08 23:07:51 UTC 
> Not sure, when you use a directory server as storage kadmin is not really the
> best tool to manage accounts anyway.

I'm not generally keen on that rationale, but as the support for similar account
locking facilities with eDirectory is likewise read-only, this is at least
consistent with what's already there.
Comment 14 errata-xmlrpc 2008-05-21 15:28:36 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0381.html