7.2. Inactivating Users and Roles

A single user account or a set of accounts can be temporarily inactivated. Once an account is inactivated, the user cannot bind to the directory: the bind (authentication) operation fails, and with it any operation that depends on authenticating as that user.

Users and roles are inactivated using the operational attribute nsAccountLock. When an entry contains the nsAccountLock attribute with a value of true, the server rejects the bind. Because nsAccountLock is an operational attribute, it is not returned by a default search; request it by name (for example, with ldapsearch) to check an account's current state.

The same procedures are used to inactivate users and roles. However, when a role is inactivated, the members of the role are inactivated, not the role entry itself. For more information about roles in general and how roles interact with access control in particular, see Chapter 5, Managing Entries with Roles, Class of Service, and Views.

CAUTION

The root entry (the entry corresponding to the root or sub suffix) on a database cannot be inactivated. Chapter 2, Creating Directory Entries has information on creating the entry for a root or sub suffix, and Chapter 3, Configuring Directory Databases has information on creating root and sub suffixes.

7.2.1. Inactivating Users and Roles Using the Console

The following procedure describes inactivating a user or a role using the Console:

  1. Select the Directory tab.

  2. Browse the navigation tree in the left navigation pane, and double-click the user or role to inactivate.

    The Edit Entry dialog box appears.

    Alternatively, select Inactivate from the Object menu.

  3. Click Account in the left pane. The right pane states that the role or user is active. Click Inactivate to inactivate the user or role.

  4. Click OK.

    Once inactivated, the state of the object can be viewed by selecting Inactivation State from the View > Display menu. The icon of the object then appears in the right pane of the Console with a red slash through it.

7.2.2. Inactivating Users and Roles Using the Command-Line

To inactivate a user account, use the ns-inactivate.pl script. The following example describes using the ns-inactivate.pl script to inactivate Joe Frasier's user account:

ns-inactivate.pl -D "cn=Directory Manager" -w secretpwd -p 389 -h example.com \
     -I "uid=jfrasier,ou=people,dc=example,dc=com"

The following table describes the ns-inactivate.pl options used in the example:

Option   Description
-D       The DN of the directory administrator (the bind DN).
-w       The password of the directory administrator.
-p       Port used by the server.
-h       Name of the server on which the directory resides.
-I       DN of the user account or role to inactivate.

For more information about running the ns-inactivate.pl script, refer to the Directory Server Configuration, Command, and File Reference. Note that a password passed with -w is recorded in the shell history and is visible in the process list to other users on the host for as long as the script runs; run the script only from a trusted administrative host and remove the entry from the shell history afterwards.

7.2.3. Activating Users and Roles Using the Console

The following procedure describes activating a user or a role using the Console:

  1. Select the Directory tab.

  2. Browse the navigation tree in the left navigation pane, and double-click the user or role to activate.

    The Edit Entry dialog box appears.

    Alternatively, select Activate from the Object menu.

  3. Click Account in the left pane. The right pane states that the role or user is inactivated. Click Activate to activate the user or role.

  4. If the user or role is a member of another inactivated role, the Console displays an option for viewing the inactivated roles. Click Show Inactivated Roles to view the list of roles to which the user or role belongs. Because members of an inactivated role are themselves inactivated, the entry remains unable to bind through that membership until each of those roles is activated as well.

  5. Click OK.

Once reactivated, the state of the object can be viewed by selecting Inactivation State from the View > Display menu. The icon of the role or user in the right pane of the Console appears as normal; the red slash through the icon indicating that it was inactive disappears.

7.2.4. Activating Users and Roles Using the Command-Line

To activate a user account, use the ns-activate.pl script. The following example describes using the ns-activate.pl script to activate Joe Frasier's user account:

ns-activate.pl -D "cn=Directory Manager" -w secretpwd -p 389 -h example.com \
     -I "uid=jfrasier,ou=people,dc=example,dc=com"

The following table describes the ns-activate.pl options used in the example:

Option   Description
-D       The DN of the directory administrator (the bind DN).
-w       The password of the directory administrator.
-p       Port used by the server.
-h       Name of the server on which the directory resides.
-I       DN of the user account or role to activate.

For more information about running the ns-activate.pl script, refer to the Directory Server Configuration, Command, and File Reference. The same caution about -w applies: the password is exposed in the shell history and the process list while the script runs.
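The following script is an added example and is not part of this documentation or of the Directory Server distribution. It wraps the ns-inactivate.pl and ns-activate.pl command lines from Section 7.2.2 and Section 7.2.4 and, instead of trusting the scripts' own output, verifies the result by reading nsAccountLock back with ldapsearch and, optionally, attempting a bind as the affected user. It assumes that the OpenLDAP client tools (ldapsearch) and the two Perl scripts are on PATH, that the scripts accept the -D/-w/-p/-h/-I options documented above, and that the host, port, administrator DN and password-file path are placeholders to be replaced for a real deployment.

```shell
#!/bin/sh
# Added example, not part of the Red Hat / CentOS documentation. Assumptions:
#  - OpenLDAP client tools (ldapsearch) and the ns-inactivate.pl /
#    ns-activate.pl scripts are on PATH;
#  - the scripts accept the -D/-w/-p/-h/-I options documented on this page;
#  - host, port, admin DN and password-file path below are placeholders.
DS_HOST=${DS_HOST:-example.com}
DS_PORT=${DS_PORT:-389}
ADMIN_DN=${ADMIN_DN:-"cn=Directory Manager"}
ADMIN_PW_FILE=${ADMIN_PW_FILE:-/etc/dirsrv/.admin.pw}   # mode 0600; keeps the password out of shell history

# Pull nsAccountLock out of "ldapsearch -LLL" output read from stdin. The
# attribute name and the boolean value are matched case-insensitively.
# Prints "true", "false", or "unset" when the entry carries no nsAccountLock.
parse_lock_state() {
    awk 'tolower($1) == "nsaccountlock:" { print tolower($2); found = 1 }
         END { if (!found) print "unset" }'
}

# Read the operational attribute for one DN. Operational attributes are not
# returned by a default search, so nsAccountLock is requested by name.
lock_state() {
    ldapsearch -x -LLL -H "ldap://$DS_HOST:$DS_PORT" \
        -D "$ADMIN_DN" -y "$ADMIN_PW_FILE" \
        -s base -b "$1" nsAccountLock | parse_lock_state
}

# Simple bind as the target user, followed by a base search on its own entry
# (attribute list "1.1" asks for no attributes). Exit status 0 means the bind
# was accepted; non-zero means it was rejected, which is what an inactivated
# account must produce.
probe_bind() {
    ldapsearch -x -H "ldap://$DS_HOST:$DS_PORT" -D "$1" -y "$2" \
        -s base -b "$1" 1.1 >/dev/null 2>&1
}

# Run the documented script, then verify the directory state rather than
# trusting the script's own output.
inactivate() {
    ns-inactivate.pl -D "$ADMIN_DN" -w "$(cat "$ADMIN_PW_FILE")" \
        -p "$DS_PORT" -h "$DS_HOST" -I "$1"
    [ "$(lock_state "$1")" = "true" ] ||
        { echo "nsAccountLock is not true on $1" >&2; return 1; }
}

activate() {
    ns-activate.pl -D "$ADMIN_DN" -w "$(cat "$ADMIN_PW_FILE")" \
        -p "$DS_PORT" -h "$DS_HOST" -I "$1"
    [ "$(lock_state "$1")" != "true" ] ||
        { echo "$1 is still inactivated" >&2; return 1; }
}

# usage: account-lock.sh lock|unlock|status DN [user-password-file]
if [ $# -gt 0 ] && [ -z "${2:-}" ]; then
    echo "usage: $0 lock|unlock|status DN [user-password-file]" >&2
    exit 2
fi
case "${1:-}" in
    lock)   inactivate "$2" ;;
    unlock) activate "$2" ;;
    status) echo "nsAccountLock=$(lock_state "$2")"
            if [ -n "${3:-}" ]; then
                if probe_bind "$2" "$3"; then echo "bind accepted"; else echo "bind rejected"; fi
            fi ;;
esac
```

For a role, run the status check against one of the role's member DNs rather than the role entry itself, since inactivation is applied to the members (Section 7.2). The ldapsearch calls read the administrator password from a file with -y so it never appears on a command line; ns-inactivate.pl and ns-activate.pl only document -w, so for the duration of those two calls the password is still visible in the process list, which is the exposure noted above.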


Note: This documentation is provided {and copyrighted} by Red Hat®, Inc. and is released via the Open Publication License. The copyright holder has added the further requirement that Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. The CentOS project redistributes these original works (in their unmodified form) as a reference for CentOS-5 because CentOS-5 is built from publicly available, open source SRPMS. The documentation is unmodified to be compliant with upstream distribution policy. Neither CentOS-5 nor the CentOS Project are in any way affiliated with or sponsored by Red Hat®, Inc.