
14.11. Manually Inactivating Users and Roles
A single user account or set of accounts can be temporarily inactivated. Once an account is inactivated, a user cannot bind to the directory. The authentication operation will fail.
Users and roles are inactivated using the operational attribute nsAccountLock. When an entry contains the nsAccountLock attribute with a value of true, the server rejects the bind.
The same procedures are used to inactivate users and roles. However, when a role is inactivated, the members of the role are inactivated, not the role entry itself. For more information about roles in general and how roles interact with access control in particular, see Chapter 6, Organizing and Grouping Entries.
Warning
The root entry (the entry corresponding to the root or sub suffix) on a database cannot be inactivated. Chapter 3, Creating Directory Entries has information on creating the entry for a root or sub suffix, and Chapter 2, Configuring Directory Databases has information on creating root and sub suffixes.
14.11.1. Activating and Inactivating Users and Roles Using the Console
All user and role entries are active by default. They must be manually marked inactive and, once inactivated, must be manually re-activated.
- Select the Directory tab.
- Browse the navigation tree in the left navigation pane, and double-click the entry to inactivate. The Edit Entry dialog box appears.
- Click Account in the left pane. The right pane states whether the role or user is active. Click the Inactivate button to inactivate the user or role (or the Activate button, to re-enable the entry).

- Click OK.
Alternatively, highlight the entry and select Inactivate (or Activate, if appropriate) from the Object menu.
14.11.2. Viewing Inactive Users and Roles
- Select the menu, and select the item.
- Select the item.

When the inactivation state is visible, any inactive object is listed in the right pane of the Console with a red slash through it.

14.11.3. Inactivating and Activating Users and Roles Using the Command Line
The Directory Server provides two scripts to inactivate or activate entries through the command line. The ns-inactivate.pl and ns-activate.pl scripts share the same options to identify the entry to modify, as listed in Table 14.10, “ns-inactivate.pl and ns-activate.pl Options”.
For example, to inactivate a user account:
[root@server ~]# /usr/lib[64]/dirsrv/slapd-example/ns-inactivate.pl -D "cn=Directory Manager" -w secret -p 389 -h example.com -I "uid=jfrasier,ou=people,dc=example,dc=com"
Then, the account can be re-activated:
[root@server ~]# /usr/lib[64]/dirsrv/slapd-example/ns-activate.pl -D "cn=Directory Manager" -w secret -p 389 -h example.com -I "uid=jfrasier,ou=people,dc=example,dc=com"
Table 14.10. ns-inactivate.pl and ns-activate.pl Options
| Option Name | Description |
|---|---|
| -D | The DN of the directory administrator. |
| -w | The password of the directory administrator. |
| -p | Port used by the server. |
| -h | Name of the server on which the directory resides. |
| -I | DN of the user account or role to inactivate or activate, depending on the script. |
For more information about running the ns-inactivate.pl and ns-activate.pl scripts, see the Directory Server Configuration and Command-Line Tool Reference.
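The scripts above wrap the nsAccountLock attribute described at the start of this section. The following added example (not from the Red Hat documentation or the Directory Server tools) audits ldapsearch LDIF output for inactivated entries and builds the equivalent ldapmodify LDIF; the sample LDIF is constructed, and the case-insensitive comparison of the nsAccountLock value is an assumption.

```python
# Added example: audit LDIF for locked entries and build the ldapmodify
# operations that inactivate (nsAccountLock: true) or re-activate (remove
# the attribute) an entry. nsAccountLock is operational, so ldapsearch must
# request it explicitly, e.g. `ldapsearch -LLL -b "ou=people,dc=example,dc=com" nsAccountLock`.
from typing import Dict, List

# Constructed sample output of such a search (not real directory data).
SAMPLE_LDIF = """\
dn: uid=jfrasier,ou=people,dc=example,dc=com
nsAccountLock: true

dn: uid=asmith,ou=people,dc=example,dc=com

dn: uid=bjones,ou=people,dc=example,dc=com
nsAccountLock: TRUE

dn: uid=cdoe,ou=people,dc=example,dc=com
nsAccountLock: false
"""

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF parser: entries separated by blank lines, 'attr: value'
    lines, folded continuation lines (leading space). No base64 (::) values."""
    joined: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and joined:
            joined[-1] += line[1:]          # unfold continuation line
        else:
            joined.append(line)
    entries, current = [], {}
    for line in joined:
        if not line.strip():                # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def locked_dns(entries: List[Dict[str, List[str]]]) -> List[str]:
    """DNs the server would refuse binds for: nsAccountLock present with the
    value true. Case-insensitive match is an assumption about the server."""
    return [e["dn"][0] for e in entries
            if any(v.lower() == "true" for v in e.get("nsaccountlock", []))]

def lock_ldif(dn: str, lock: bool = True) -> str:
    """LDIF for ldapmodify: set nsAccountLock to true to inactivate, or delete
    the attribute to re-activate (an absent attribute means the entry is active)."""
    change = ("replace: nsAccountLock\nnsAccountLock: true" if lock
              else "delete: nsAccountLock")
    return f"dn: {dn}\nchangetype: modify\n{change}\n-\n"
```

Pipe the output of lock_ldif into ldapmodify bound as the directory administrator, and re-run the audit to confirm the change took effect.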
