14.11. Manually Inactivating Users and Roles

A single user account or set of accounts can be temporarily inactivated. Once an account is inactivated, a user cannot bind to the directory. The authentication operation will fail.
Users and roles are inactivated using the operational attribute nsAccountLock. When an entry contains the nsAccountLock attribute with a value of true, the server rejects the bind.
The same procedures are used to inactivate users and roles. However, when a role is inactivated, the members of the role are inactivated, not the role entry itself. For more information about roles in general and how roles interact with access control in particular, see Chapter 6, Organizing and Grouping Entries.


The root entry (the entry corresponding to the root or sub suffix) on a database cannot be inactivated. Chapter 3, Creating Directory Entries has information on creating the entry for a root or sub suffix, and Chapter 2, Configuring Directory Databases has information on creating root and sub suffixes.

14.11.1. Activating and Inactivating Users and Roles Using the Console

All user and role entries are active by default. They must be manually marked inactive and, once inactivated, must be manually re-activated.
  1. Select the Directory tab.
  2. Browse the navigation tree in the left navigation pane, and double-click the entry to inactivate.
    The Edit Entry dialog box appears.
  3. Click Account in the left pane. The right pane states that the role or user is active. Click the Inactivate button to inactivate the user or role (or the Activate button, to re-enable the entry).
  4. Click OK.
Alternatively, highlight the entry and select Inactivate (or Activate, if appropriate) from the Object menu.

14.11.2. Viewing Inactive Users and Roles

  1. Select the View menu, and select the Display item.
  2. Select the Inactivation State item.
When the inactivation state is visible, any inactive object is listed in the right pane of the Console with a red slash through it.

14.11.3. Inactivating and Activating Users and Roles Using the Command Line

The Directory Server provides a pair of scripts to inactivate or activate entries through the command line. The ns-inactivate.pl and ns-activate.pl scripts share the same options to identify the entry to modify, as listed in Table 14.10, “ns-inactivate.pl and ns-activate.pl Options”.
For example, to inactivate a user account:
[root@server ~]# /usr/lib[64]/dirsrv/slapd-example/ns-inactivate.pl -D "cn=Directory Manager" -w secret -p 389 -h example.com -I "uid=jfrasier,ou=people,dc=example,dc=com"
Then, the account can be re-activated:
[root@server ~]# /usr/lib[64]/dirsrv/slapd-example/ns-activate.pl -D "cn=Directory Manager" -w secret -p 389 -h example.com -I "uid=jfrasier,ou=people,dc=example,dc=com"

Table 14.10. ns-inactivate.pl and ns-activate.pl Options

Option Name    Description
-D             The DN of the directory administrator.
-w             The password of the directory administrator.
-p             Port used by the server.
-h             Name of the server on which the directory resides.
-I             DN of the user account or role to inactivate or activate, depending on the script.

For more information about running the ns-inactivate.pl and ns-activate.pl scripts, see the Directory Server Configuration and Command-Line Tool Reference.
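
To confirm from the command line which entries are currently inactivated, the nsAccountLock attribute described above can be read back with a search and the LDIF output filtered. The following is an added example, not part of the Directory Server documentation or tools; the inactive_dns function, the ldapsearch invocation in the comment (OpenLDAP client assumed), and the sample entries other than jfrasier are assumptions.

```shell
#!/bin/sh
# Added example: read LDIF on stdin and print the DN of every entry whose
# nsAccountLock value is "true" (name and value compared case-insensitively).
# Assumed usage with the OpenLDAP client; nsAccountLock is requested by name
# because operational attributes are not returned by default:
#   ldapsearch -x -H ldap://example.com:389 -D "cn=Directory Manager" -W \
#     -b "ou=people,dc=example,dc=com" "(uid=*)" nsAccountLock | inactive_dns
inactive_dns() {
  awk '
    function handle(l,   i, name, val) {
      i = index(l, ":")
      if (i == 0) return
      name = tolower(substr(l, 1, i - 1))
      val = substr(l, i + 1)
      # "attr:: value" marks base64; keep it undecoded but labelled.
      if (substr(val, 1, 1) == ":") { sub(/^: */, "", val); val = "base64:" val }
      sub(/^ +/, "", val)
      if (name == "dn") dn = val
      else if (name == "nsaccountlock" && tolower(val) == "true") locked = 1
    }
    function flush() { if (line != "") handle(line); line = "" }
    function end_entry() {
      flush()
      if (dn != "" && locked) print dn
      dn = ""; locked = 0
    }
    /^ /  { if (!skip) line = line substr($0, 2); next }  # folded line
    /^$/  { end_entry(); skip = 0; next }                 # entry separator
    /^#/  { flush(); skip = 1; next }                     # LDIF comment
          { flush(); skip = 0; line = $0 }
    END   { end_entry() }
  '
}

# Constructed sample of search output; bjensen and the long uid are made up.
SAMPLE_LDIF='dn: uid=jfrasier,ou=people,dc=example,dc=com
nsAccountLock: true

dn: uid=bjensen,ou=people,dc=example,dc=com

dn: uid=a-very-long-user-id,ou=people,
 dc=example,dc=com
nsaccountlock: TRUE'

printf '%s\n' "$SAMPLE_LDIF" | inactive_dns
```

Run against the sample, the function prints the jfrasier entry and the folded long-uid entry, and omits bjensen, which carries no nsAccountLock value.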