RHDS - Getting the error message "Account inactivity limit exceeded" while the accountInactivityLimit is not set.

Solution Verified - Updated -

Environment

Red Hat Directory Server
Red Hat Enterprise Linux

Issue

An Account Inactivation Policy was created as documented here. To disable it again, the accountInactivityLimit attribute was simply deleted from the Account Policy entry, while the policy entry itself and the CoS entries that assign it were left in place.

Afterwards some users fail to authenticate. Every bind for an affected account is rejected with a constraint violation, for instance:

$ ldapsearch -H ldaps://server.example.com:636 -D "uid=demo_user,ou=people,dc=example,dc=com" -W -b "" -sbase namingContexts
Enter LDAP Password:
ldap_bind: Constraint violation (19)
        additional info: Account inactivity limit exceeded. Contact system administrator to reset.

Resolution

Either:

  • Add the accountInactivityLimit attribute (the limit in seconds) back to the Account Inactivation Policy entry, so that the policy is enforced again with a defined limit,
    or
  • Delete the Account Inactivation Policy entry together with the CoS Template and CoS Definition entries that assign it to the users (via acctPolicySubentry), so that no policy applies to them any more.

NOTE:
If the actual need is only to track the lastLoginTime, please use these steps.

Root Cause

Removing only the accountInactivityLimit attribute does not disable the policy. The CoS still assigns the policy entry to the user entries, and the Account Policy plug-in still evaluates that policy at bind time. A policy entry without an inactivity limit does not mean "no limit": the check fails and the bind is rejected with "Account inactivity limit exceeded", which locks out the users.

Diagnostic Steps

Search for Account Policy entries (objectClass accountpolicy) and check whether the accountInactivityLimit attribute is missing from any of them. Also locate the CoS Template and CoS Definition entries that point to the policy, since they keep the policy applied to the users.
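The following script is an added example and is not part of the Red Hat solution. It works offline on saved ldapsearch output (LDIF): it lists every accountpolicy entry that has lost accountInactivityLimit, and it generates the LDIF for either option from the Resolution section (put the limit back, or delete the CoS definition, CoS template and policy in that order). The entry names (cn=Account Inactivation Policy, cn=TempltCoS, cn=DefnCoS under dc=example,dc=com) are a constructed sample modelled on the documented policy layout, not data from this article, and the ldapsearch/ldapmodify command lines in the comments are assumptions about how the script would be fed on a live server.

```shell
#!/bin/sh
# Added example (not from the Red Hat solution). On a live server the input
# would come from saved ldapsearch output, e.g. (assumed command line):
#   ldapsearch -o ldif-wrap=no -LLL -H ldaps://server.example.com:636 \
#     -D "cn=Directory Manager" -W -b "dc=example,dc=com" \
#     "(|(objectClass=ldapsubentry)(objectClass=accountpolicy)(objectClass=cosTemplate)(objectClass=cosPointerDefinition))" > policy.ldif
# and the generated LDIF would be piped into ldapmodify.

# unfold_ldif: join LDIF continuation lines (leading space) onto the previous line
unfold_ldif() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }
        { if (started) print buf; buf = $0; started = 1 }
        END   { if (started) print buf }
    '
}

# broken_policies: print the DN of every accountpolicy entry without
# accountInactivityLimit (the situation in this article). Reads LDIF on stdin.
broken_policies() {
    unfold_ldif | awk '
        function flush() {
            if (is_policy && !has_limit) print dn
            dn = ""; is_policy = 0; has_limit = 0
        }
        /^dn: / { dn = substr($0, 5) }
        tolower($0) ~ /^objectclass: *accountpolicy$/ { is_policy = 1 }
        tolower($0) ~ /^accountinactivitylimit: /     { has_limit = 1 }
        /^$/  { flush() }
        END   { flush() }
    '
}

# restore_limit POLICY_DN SECONDS: LDIF for option 1, adding the limit back
restore_limit() {
    printf 'dn: %s\nchangetype: modify\nadd: accountInactivityLimit\naccountInactivityLimit: %s\n' "$1" "$2"
}

# remove_policy POLICY_DN: LDIF for option 2. Deletes the cosPointerDefinition
# entries whose cosTemplateDn points at a cosTemplate that assigns POLICY_DN via
# acctPolicySubentry, then those templates, then the policy itself, so the CoS
# stops applying before the policy disappears. Only cosTemplate and
# cosPointerDefinition entries are selected; a user entry carrying an explicit
# acctPolicySubentry value is never touched. Reads LDIF on stdin.
remove_policy() {
    unfold_ldif | awk -v policy="$1" '
        function flush() {
            if (dn == "") return
            if (is_tmpl && tolower(subentry) == tolower(policy)) templates[tolower(dn)] = dn
            if (is_def && tdn != "") defs[dn] = tdn
            dn = ""; subentry = ""; tdn = ""; is_tmpl = 0; is_def = 0
        }
        /^dn: / { dn = substr($0, 5) }
        tolower($0) ~ /^objectclass: *costemplate$/          { is_tmpl = 1 }
        tolower($0) ~ /^objectclass: *cospointerdefinition$/ { is_def = 1 }
        tolower($0) ~ /^acctpolicysubentry: / { subentry = substr($0, index($0, ": ") + 2) }
        tolower($0) ~ /^costemplatedn: /      { tdn = substr($0, index($0, ": ") + 2) }
        /^$/  { flush() }
        END {
            flush()
            for (d in defs) if ((tolower(defs[d]) in templates)) printf "dn: %s\nchangetype: delete\n\n", d
            for (t in templates) printf "dn: %s\nchangetype: delete\n\n", templates[t]
            printf "dn: %s\nchangetype: delete\n", policy
        }
    '
}

# Constructed sample (assumption, not data from the article): the three entries
# after accountInactivityLimit was deleted from the policy. One value is folded
# over two lines to exercise unfold_ldif.
SAMPLE_LDIF=$(cat <<'EOF'
dn: cn=Account Inactivation Policy,dc=example,dc=com
objectClass: top
objectClass: ldapsubentry
objectClass: extensibleObject
objectClass: accountpolicy
cn: Account Inactivation Policy

dn: cn=TempltCoS,dc=example,dc=com
objectClass: top
objectClass: ldapsubentry
objectClass: extensibleObject
objectClass: cosTemplate
acctPolicySubentry: cn=Account Inactivation Policy,
 dc=example,dc=com
cn: TempltCoS

dn: cn=DefnCoS,dc=example,dc=com
objectClass: top
objectClass: ldapsubentry
objectClass: cosSuperDefinition
objectClass: cosPointerDefinition
cosTemplateDn: cn=TempltCoS,dc=example,dc=com
cosAttribute: acctPolicySubentry default operational-default
cn: DefnCoS
EOF
)
POLICY_DN='cn=Account Inactivation Policy,dc=example,dc=com'

echo "== policies missing accountInactivityLimit =="
printf '%s\n' "$SAMPLE_LDIF" | broken_policies
echo "== option 1: restore the limit (30 days) =="
restore_limit "$POLICY_DN" 2592000
echo "== option 2: remove the policy and its CoS entries =="
printf '%s\n' "$SAMPLE_LDIF" | remove_policy "$POLICY_DN"
```

Run the diagnostic part first and review the generated LDIF before piping it into ldapmodify; the delete order (definition, template, policy) matters, because deleting the policy entry while the CoS still references it leaves the users in the same broken state as the article describes.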

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.