From c92214546f9ac85c29a2c942b912fffdf5339910 Mon Sep 17 00:00:00 2001 From: Noriko Hosoi Date: Feb 04 2015 18:47:15 +0000 Subject: Ticket #48001 - ns-activate.pl fails to activate account if it was disabled on AD Bug Description: When Posix-WinSync plug-in receives a request to disable an account from AD, it checks the nsAccountLock explicitly as well as virtually. If it's not found in the both checks, it does not set a flag to tell it is a virtual attribute, then a real "nsAccountLock: true" attr-value pair is added to the user entry. Once the real nsAccountLock attribute is added to an entry, ns-activate.pl as well as Console does not remove it since it's not implemented for the purpose. Fix Description: Since nsAccountLock is known as a virtual attribute, set a virtual flag by default, which prevents to add a real attribute value pair. https://fedorahosted.org/389/ticket/48001 Reviewed by mreynolds@redhat.com (Thank you, Mark!!) (cherry picked from commit 345d2c0870d7e8b1005a13cc9cf93865ff0cb53d) (cherry picked from commit 33a5ade48caba8673748a4f7aee072596a8f6d53) --- diff --git a/ldap/servers/plugins/posix-winsync/posix-winsync.c b/ldap/servers/plugins/posix-winsync/posix-winsync.c index 642ff95..f9efcc4 100644 --- a/ldap/servers/plugins/posix-winsync/posix-winsync.c +++ b/ldap/servers/plugins/posix-winsync/posix-winsync.c @@ -145,6 +145,9 @@ _check_account_lock(Slapi_Entry *ds_entry, int *isvirt) int attr_free_flags = 0; char *strval; + if (isvirt) { + *isvirt = 1; /* nsAccountLock is implemeted as nsRole */ + } /* first, see if the attribute is a "real" attribute */ strval = slapi_entry_attr_get_charptr(ds_entry, "nsAccountLock"); if (strval) { /* value is real */