[krb5/f18] revise proposed patch for #860759 per upstream

Nalin Dahyabhai nalin at fedoraproject.org
Mon Jan 7 15:05:35 UTC 2013


commit b5ea90757663302bc9d2d7c8e1a9afa078a5cf5f
Author: Nalin Dahyabhai <nalin at redhat.com>
Date:   Thu Dec 13 18:14:31 2012 -0500

    revise proposed patch for #860759 per upstream

 krb5-kldap-lastadminunlock.patch |   40 +++++++++++++++++++++----------------
 krb5.spec                        |    1 +
 2 files changed, 24 insertions(+), 17 deletions(-)
---
diff --git a/krb5-kldap-lastadminunlock.patch b/krb5-kldap-lastadminunlock.patch
index 4be9e32..f50c09f 100644
--- a/krb5-kldap-lastadminunlock.patch
+++ b/krb5-kldap-lastadminunlock.patch
@@ -1,27 +1,33 @@
-Submitted as RT#7502.
+Revised from RT#7502.
 
 Try to avoid writing krbLastAdminUnlock when we're just doing auditing
-in the KDC.  Because we know that kdb5_ldap_put_principal() only writes
-the attribute when it's nonzero, we temporarily set the value to zero to
-make sure that it isn't written.
+in the KDC.  Because the attributes that we want to update are not in
+the tl_data sequence, and krbLastAdminUnlock is, we NULL it out
+temporarily to avoid updating any of the attributes that are used for
+holding tl_data values.
 
 --- src/plugins/kdb/ldap/libkdb_ldap/lockout.c
 +++ src/plugins/kdb/ldap/libkdb_ldap/lockout.c
-@@ -217,8 +217,14 @@ krb5_ldap_lockout_audit(krb5_context context,
+@@ -149,6 +149,8 @@ krb5_ldap_lockout_audit(krb5_context con
+     krb5_deltat failcnt_interval = 0;
+     krb5_deltat lockout_duration = 0;
+     krb5_timestamp unlock_time;
++    krb5_tl_data *tl_data;
++    krb5_int16 n_tl_data;
+ 
+     SETUP_CONTEXT();
+ 
+@@ -217,7 +219,13 @@ krb5_ldap_lockout_audit(krb5_context con
      }
  
      if (entry->mask) {
--        code = krb5_ldap_put_principal(context, entry, NULL);
--        if (code != 0)
-+        /* temporarily clear the last-admin-unlock time so that we don't try
-+         * to write to it -- we're just here to update audit data */
-+        if ((code = krb5_dbe_lookup_last_admin_unlock(context, entry,
-+                                                      &unlock_time)) ||
-+            (code = krb5_dbe_update_last_admin_unlock(context, entry, 0)) ||
-+            (code = krb5_ldap_put_principal(context, entry, NULL)) ||
-+            (code = krb5_dbe_update_last_admin_unlock(context, entry,
-+                                                      unlock_time)))
++        tl_data = entry->tl_data;
++        n_tl_data = entry->n_tl_data;
++        entry->tl_data = NULL;
++        entry->n_tl_data = 0;
+         code = krb5_ldap_put_principal(context, entry, NULL);
++        entry->tl_data = tl_data;
++        entry->n_tl_data = n_tl_data;
+         if (code != 0)
              return code;
      }
- 
-
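Review bot: The new lines that detach entry->tl_data / n_tl_data around the krb5_ldap_put_principal() call carry no in-code comment, so the reason for the swap lives only in the patch's prose header, which a reader of lockout.c never sees; the previous version of the patch at least had a "temporarily clear ... we're just here to update audit data" comment. I would put a comment directly above the save, e.g. `/* Temporarily detach the tl_data list so that put_principal only writes the audit attributes in entry->mask and not the tl_data-backed attributes such as krbLastAdminUnlock; the list is restored below regardless of the result. */`. The save/restore also appears to assume that krb5_ldap_put_principal() does not allocate, free or reassign entry->tl_data on this path and that entry->mask never carries a tl_data-related bit when the audit path runs; if either assumption does not hold, the restore would reattach a stale list or silently drop an update, so that is worth confirming against put_principal. The enclosing krb5_ldap_lockout_audit() starts and ends outside the hunk.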
diff --git a/krb5.spec b/krb5.spec
index b37cc97..356934b 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -855,6 +855,7 @@ exit 0
 * Thu Dec 13 2012 Nalin Dahyabhai <nalin at redhat.com> 1.10.3-10
 - libkdb_ldap: add a workaround to keep the KDC from attempting to write to an
   entry's krbLastAdminUnlock attribute on every AS request (#860759, RT#7502)
+- revise proposed patch for #860759 based on upstream feedback
 
 * Tue Dec 11 2012 Nalin Dahyabhai <nalin at redhat.com> 1.10.3-9
 - when building with our bundled copy of libverto, package it in with -libs

