--- ./src/aclocal.m4.orig	2020-12-15 01:35:19 +0000
+++ ./src/aclocal.m4	2020-12-15 01:36:22 +0000
@@ -1671,4 +1671,13 @@
   AC_MSG_NOTICE(enabling OpenLDAP database backend module support)
   OPENLDAP_PLUGIN=yes
 fi
+AC_ARG_WITH([dirsrv-account-locking],
+[  --with-dirsrv-account-locking       compile 389/Red Hat/Fedora/Netscape Directory Server database backend module],
+[case "$withval" in
+    yes | no) ;;
+    *)  AC_MSG_ERROR(Invalid option value --with-dirsrv-account-locking="$withval") ;;
+esac], with_dirsrv_account_locking=no)
+if test $with_dirsrv_account_locking = yes; then
+    AC_DEFINE(HAVE_DIRSRV_ACCOUNT_LOCKING,1,[Define if LDAP KDB interface should heed 389 DS's nsAccountLock attribute.])
+fi
 ])dnl
--- ./src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.orig	2020-12-15 01:42:05 +0000
+++ ./src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c	2020-12-15 01:43:19 +0000
@@ -1655,6 +1655,24 @@
     ret = krb5_dbe_update_tl_data(context, entry, &userinfo_tl_data);
     if (ret)
         goto cleanup;
+#ifdef HAVE_DIRSRV_ACCOUNT_LOCKING
+    {
+        krb5_timestamp              expiretime=0;
+        char                        *is_login_disabled=NULL;
+
+        /* LOGIN DISABLED */
+        ret = krb5_ldap_get_string(ld, ent, "nsAccountLock", &is_login_disabled,
+                                   &attr_present);
+        if (ret)
+            goto cleanup;
+        if (attr_present == TRUE) {
+            if (strcasecmp(is_login_disabled, "TRUE")== 0)
+                entry->attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
+            free (is_login_disabled);
+        }
+    }
+#endif
+
 
     /*
      * 389ds and other Netscape directory server derivatives support an