19.15. Manually Inactivating Users and Roles

A single user account or set of accounts can be temporarily inactivated. Once an account is inactivated, a user cannot bind to the directory. The authentication operation will fail.
Users and roles are inactivated using the operational attribute nsAccountLock. When an entry contains the nsAccountLock attribute with a value of true, the server rejects the bind.
The same procedures are used to inactivate users and roles. However, when a role is inactivated, the members of the role are inactivated, not the role entry itself. For more information about roles in general and how roles interact with access control in particular, see Chapter 8, Organizing and Grouping Entries.

Warning

The root entry (the entry corresponding to the root or sub suffix) on a database cannot be inactivated. Chapter 3, Managing Directory Entries has information on creating the entry for a root or sub suffix, and Chapter 2, Configuring Directory Databases has information on creating root and sub suffixes.

19.15.1. Viewing Inactive Users and Roles Using the Console

  1. Select the View menu, and select the Display item.
  2. Select the Inactivation State item.
When the inactivation state is visible, any inactive object is listed in the right pane of the Console with a red slash through it.

19.15.2. Activating and Inactivating Users and Roles Using the Console

All user and role entries are active by default. They must be manually marked inactive and, once inactivated, must be manually re-activated.
  1. Select the Directory tab.
  2. Browse the navigation tree in the left navigation pane, and double-click the entry to inactivate.
    The Edit Entry dialog box appears.
  3. Click Account in the left pane. The right pane states whether the role or user is currently active. Click the Inactivate button to inactivate the user or role (or the Activate button to re-enable the entry).
  4. Click OK.
Alternatively, highlight the entry and select Inactivate (or Activate, if appropriate) from the Object menu.

19.15.3. Viewing Inactive Users and Roles Using the Command Line

The ns-accountstatus.pl script is used to obtain detailed information about active and inactive users.
To obtain the account status of a single user, you can use the command as follows:
# ns-accountstatus.pl -D "cn=Directory Manager" -w password -I "uid=jsmith,ou=people,dc=example,dc=com"
uid=bjensen,ou=people,dc=example,dc=com  activated.
Add the -V option to obtain more verbose output:
# ns-accountstatus.pl -D "cn=Directory Manager" -w password -I "uid=jsmith,ou=people,dc=example,dc=com" -V
Entry:                   uid=jsmith,ou=People,dc=example,dc=com
Entry Creation Date:     20160204153140Z (02/04/2016 10:31:40)
Entry Modification Date: 20160205163904Z (02/05/2016 11:39:04)
Last Login Date:         20160205163905Z (02/05/2016 11:39:05)
Inactivity Limit:        2592000 seconds (30 days)
Time Until Inactive:     2591688 seconds (29 days, 23 hours, 54 minutes, 48 seconds)
Time Since Inactive:     -
Entry State:             activated
The above is an example of an active account, as indicated by the last three lines of the output. An inactivated account would instead provide output similar to the following:
# ns-accountstatus.pl -D "cn=Directory Manager" -w password -I "uid=jsmith,ou=people,dc=example,dc=com" -V
Entry:                   uid=jsmith,ou=people,dc=example,dc=com
Entry Creation Date:     20160204153140Z (02/04/2016 10:31:40)
Entry Modification Date: 20160204160545Z (02/04/2016 11:05:45)
Last Login Date:         20160204160546Z (01/04/2016 11:05:46)
Inactivity Limit:        2592000 seconds (30 days)
Time Until Inactive:     -
Time Since Inactivated:  85877 seconds (23 hours, 51 minutes, 17 seconds)
Entry State:             inactivated (inactivity limit exceeded)
Instead of using the -I option to specify an account, you can use the -b (search a database suffix), -f (use a filter), and -s (search scope) options to create a search. Additionally, you can refine the search by using the -i option (return only inactive accounts) or the -g X option (return only accounts which will expire in the next X seconds). For example:
# ns-accountstatus.pl -D "cn=Directory Manager" -w password -b "ou=people,dc=example,dc=com" -f "(uid=*)" -V -g 86400
Entry:                   uid=jsmith,ou=people,dc=example,dc=com
Entry Creation Date:     20160204153140Z (02/04/2016 10:31:40)
Entry Modification Date: 20160205163904Z (02/05/2016 11:39:04)
Last Login Date:         20160205163905Z (01/05/2016 11:39:05)
Inactivity Limit:        2592000 seconds (30 days)
Time Until Inactive:     979 seconds (16 minutes, 19 seconds)
Time Since Inactive:     -
Entry State:             activated
As you can see from the last three lines of the output, this account is currently active, but will expire soon.
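The following is an added Python example, not part of Directory Server or its ns-accountstatus.pl script: it parses the verbose report layout shown above and reproduces the -i and -g selections offline, which is useful when the report is collected once and reviewed later. The two-entry report text is constructed for the example.

```python
# Constructed sample in the layout printed by ns-accountstatus.pl -V (two entries).
SAMPLE_REPORT = """\
Entry:                   uid=jsmith,ou=people,dc=example,dc=com
Entry Creation Date:     20160204153140Z (02/04/2016 10:31:40)
Entry Modification Date: 20160205163904Z (02/05/2016 11:39:04)
Last Login Date:         20160205163905Z (02/05/2016 11:39:05)
Inactivity Limit:        2592000 seconds (30 days)
Time Until Inactive:     979 seconds (16 minutes, 19 seconds)
Time Since Inactive:     -
Entry State:             activated
Entry:                   uid=bjensen,ou=people,dc=example,dc=com
Entry Creation Date:     20160204153140Z (02/04/2016 10:31:40)
Entry Modification Date: 20160204160545Z (02/04/2016 11:05:45)
Last Login Date:         20160204160546Z (02/04/2016 11:05:46)
Inactivity Limit:        2592000 seconds (30 days)
Time Until Inactive:     -
Time Since Inactivated:  85877 seconds (23 hours, 51 minutes, 17 seconds)
Entry State:             inactivated (inactivity limit exceeded)
"""

def parse_report(text):
    """One dict per 'Entry:' block; the label before the first colon is the key."""
    entries, current = [], None
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if not sep:
            continue
        label, value = label.strip(), value.strip()
        if label == "Entry":            # a new block starts with its DN
            current = {"dn": value}
            entries.append(current)
        elif current is not None:
            current[label] = value
    return entries

def seconds_or_none(value):
    """'979 seconds (...)' -> 979; '-' (field not applicable) -> None."""
    head = value.split(" ", 1)[0]
    return int(head) if head.isdigit() else None

def inactive_accounts(entries):
    """Same selection as -i: entries whose state reads 'inactivated ...'."""
    return [e["dn"] for e in entries
            if e.get("Entry State", "").startswith("inactivated")]

def expiring_within(entries, window):
    """Same selection as -g X: active entries that reach the limit within X seconds."""
    left = {e["dn"]: seconds_or_none(e.get("Time Until Inactive", "-")) for e in entries}
    return [dn for dn, s in left.items() if s is not None and s <= window]
```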

19.15.4. Inactivating and Activating Users and Roles Using the Command Line

The Directory Server provides two scripts to inactivate or activate entries through the command line. The ns-inactivate.pl and ns-activate.pl scripts share the same options for identifying the entry to modify, as listed in the Red Hat Directory Server Configuration, Command, and File Reference.
For example, to inactivate a user account:
[root@server ~]# ns-inactivate.pl -Z instance_name -D "cn=Directory Manager" -w secret -p 389 -h example.com -I "uid=jfrasier,ou=people,dc=example,dc=com"
Then, the account can be re-activated:
# ns-activate.pl -Z instance_name -D "cn=Directory Manager" -w secret -p 389 -h example.com -I "uid=jfrasier,ou=people,dc=example,dc=com"