[krb5/f18] revise proposed patch for #860759 per upstream
Nalin Dahyabhai
nalin at fedoraproject.org
Mon Jan 7 15:05:35 UTC 2013
commit b5ea90757663302bc9d2d7c8e1a9afa078a5cf5f
Author: Nalin Dahyabhai <nalin at redhat.com>
Date: Thu Dec 13 18:14:31 2012 -0500
revise proposed patch for #860759 per upstream
krb5-kldap-lastadminunlock.patch | 40 +++++++++++++++++++++----------------
krb5.spec | 1 +
2 files changed, 24 insertions(+), 17 deletions(-)
---
diff --git a/krb5-kldap-lastadminunlock.patch b/krb5-kldap-lastadminunlock.patch
index 4be9e32..f50c09f 100644
--- a/krb5-kldap-lastadminunlock.patch
+++ b/krb5-kldap-lastadminunlock.patch
@@ -1,27 +1,33 @@
-Submitted as RT#7502.
+Revised from RT#7502.
Try to avoid writing krbLastAdminUnlock when we're just doing auditing
-in the KDC. Because we know that kdb5_ldap_put_principal() only writes
-the attribute when it's nonzero, we temporarily set the value to zero to
-make sure that it isn't written.
+in the KDC. Because the attributes that we want to update are not in
+the tl_data sequence, and krbLastAdminUnlock is, we NULL it out
+temporarily to avoid updating any of the attributes that are used for
+holding tl_data values.
--- src/plugins/kdb/ldap/libkdb_ldap/lockout.c
+++ src/plugins/kdb/ldap/libkdb_ldap/lockout.c
-@@ -217,8 +217,14 @@ krb5_ldap_lockout_audit(krb5_context context,
+@@ -149,6 +149,8 @@ krb5_ldap_lockout_audit(krb5_context con
+ krb5_deltat failcnt_interval = 0;
+ krb5_deltat lockout_duration = 0;
+ krb5_timestamp unlock_time;
++ krb5_tl_data *tl_data;
++ krb5_int16 n_tl_data;
+
+ SETUP_CONTEXT();
+
+@@ -217,7 +219,13 @@ krb5_ldap_lockout_audit(krb5_context con
}
if (entry->mask) {
-- code = krb5_ldap_put_principal(context, entry, NULL);
-- if (code != 0)
-+ /* temporarily clear the last-admin-unlock time so that we don't try
-+ * to write to it -- we're just here to update audit data */
-+ if ((code = krb5_dbe_lookup_last_admin_unlock(context, entry,
-+ &unlock_time)) ||
-+ (code = krb5_dbe_update_last_admin_unlock(context, entry, 0)) ||
-+ (code = krb5_ldap_put_principal(context, entry, NULL)) ||
-+ (code = krb5_dbe_update_last_admin_unlock(context, entry,
-+ unlock_time)))
++ tl_data = entry->tl_data;
++ n_tl_data = entry->n_tl_data;
++ entry->tl_data = NULL;
++ entry->n_tl_data = 0;
+ code = krb5_ldap_put_principal(context, entry, NULL);
++ entry->tl_data = tl_data;
++ entry->n_tl_data = n_tl_data;
+ if (code != 0)
return code;
}
-
-
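Review bot: The stash/NULL/restore sequence from `tl_data = entry->tl_data;` through `entry->n_tl_data = n_tl_data;` carries no comment, whereas the version it replaces explained in-line why the write was being narrowed; a reader of lockout.c will now see tl_data being hidden from krb5_ldap_put_principal with no stated reason. I would put, above the first assignment, `/* Temporarily hide tl_data so the put only writes the audit fields and no tl_data-backed attribute such as krbLastAdminUnlock. */`. Separately, this presumably relies on krb5_ldap_put_principal needing nothing from tl_data (a DN or other per-entry data it may read from there) to locate and update the entry; that is worth confirming against its implementation rather than assuming, since a failed or mis-targeted write here surfaces only as a returned error on every AS request. The restore is unconditional and runs before the `if (code != 0)` check, which is right. krb5_ldap_lockout_audit begins and ends outside this hunk.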
diff --git a/krb5.spec b/krb5.spec
index b37cc97..356934b 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -855,6 +855,7 @@ exit 0
* Thu Dec 13 2012 Nalin Dahyabhai <nalin at redhat.com> 1.10.3-10
- libkdb_ldap: add a workaround to keep the KDC from attempting to write to an
entry's krbLastAdminUnlock attribute on every AS request (#860759, RT#7502)
+- revise proposed patch for #860759 based on upstream feedback
* Tue Dec 11 2012 Nalin Dahyabhai <nalin at redhat.com> 1.10.3-9
- when building with our bundled copy of libverto, package it in with -libs