Set shadow expiry for locked accounts
authorPeter Palfrader <peter@palfrader.org>
Wed, 26 Dec 2007 08:44:42 +0000 (09:44 +0100)
committerPeter Palfrader <peter@palfrader.org>
Wed, 26 Dec 2007 08:44:42 +0000 (09:44 +0100)
Explicitly set shadow expiry to 1 for locked accounts.  Patch from mhy.

debian/changelog
ud-generate

index f0c7af2..ca0ed89 100644 (file)
@@ -17,8 +17,9 @@ userdir-ldap (0.3.15+xxx) XXunstable; urgency=low
   * ud-host: cleanup: Replace local copy HBaseDn of the centrally
     configured HostBaseDn [HE].
   * Add myself to uploaders.
+  * Set shadow expiry to 1 for locked accounts [mhy].
 
- -- Peter Palfrader <weasel@debian.org>  Tue, 25 Dec 2007 20:34:58 +0100
+ -- Peter Palfrader <weasel@debian.org>  Wed, 26 Dec 2007 09:44:24 +0100
 
 userdir-ldap (0.3.15) unstable; urgency=low
 
index c6484cb..3a9840b 100755 (executable)
@@ -147,11 +147,20 @@ def GenShadow(l,File):
          Pass = '*';
       else:
          Pass = Pass[7:];
+
+      # If the account is locked, mark it as such in shadow
+      # See Debian Bug #308229 for why we set it to 1 instead of 0
+      if (string.find(GetAttr(x,"userPassword"),"*LK*")  != -1) \
+          or GetAttr(x,"userPassword").startswith("!"):
+         ShadowExpire = '1'
+      else:
+         ShadowExpire = GetAttr(x,"shadowexpire")
+
       Line = "%s:%s:%s:%s:%s:%s:%s:%s:" % (GetAttr(x,"uid"),\
               Pass,GetAttr(x,"shadowLastChange"),\
               GetAttr(x,"shadowMin"),GetAttr(x,"shadowMax"),\
               GetAttr(x,"shadowWarning"),GetAttr(x,"shadowinactive"),\
-              GetAttr(x,"shadowexpire"));
+              ShadowExpire);
       Line = Sanitize(Line) + "\n";
       F.write("0%u %s" % (I,Line));
       F.write(".%s %s" % (GetAttr(x,"uid"),Line));
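Review bot: The locked-account test in the added `if` reads the raw `userPassword` attribute, while the context line just above it strips a seven-character prefix with `Pass = Pass[7:]`. If stored values carry that scheme prefix, `startswith("!")` can never match and only the `*LK*` substring test is effective. A locked account missed here would keep its regular `shadowexpire` value, so the expiry-based lockout this change introduces would not apply to it. I would fetch the attribute once and also test the stripped value: `RawPass = GetAttr(x,"userPassword")` followed by `if RawPass.find("*LK*") != -1 or RawPass.startswith("!") or Pass.startswith("!"):`. The start of GenShadow and the code that first assigns `Pass` are outside this hunk, so the prefix assumption should be confirmed there.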