<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 07/17/2012 11:13 AM, Arpit Tolani wrote:
<blockquote
cite="mid:CAD3MydAZvhpTQ1o+tCBN+NNukEDCYbUQvx4Am3jqqHB_Httoxw@mail.gmail.com"
type="cite">Hello<br>
<br>
<br>
<div class="gmail_quote">On Tue, Jul 17, 2012 at 10:10 PM, <span
dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:harry.devine@faa.gov" target="_blank">harry.devine@faa.gov</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
<font face="sans-serif">We have several users who no longer
need access, but may in the future, so we have set them to
be Inactive
in their profile. However, we noticed that these accounts
have re-activated
themselves and those users could log back in if they wanted
to. How
do we make accounts that we specifically make inactive by
pressing the
Inactivate button stay that way?</font>
<br>
<br>
<font face="sans-serif">We are using the following 389
versions
on CentOS 5.7 64-bit:</font>
<br>
<br>
<font face="sans-serif">389-ds-base-1.2.9.9-1.el5</font>
<br>
<font face="sans-serif">389-admin-1.1.29-1.el5</font>
<br>
<font face="sans-serif">389-ds-console-1.2.6-1.el5</font>
<br>
<font face="sans-serif">389-adminutil-1.1.15-1.el5</font>
<br>
<font face="sans-serif">389-admin-console-1.1.8-1.el5</font>
<br>
<font face="sans-serif">389-ds-console-doc-1.2.6-1.el5</font>
<br>
<font face="sans-serif">389-ds-base-libs-1.2.9.9-1.el5</font>
<br>
<font face="sans-serif">389-dsgw-1.1.9-1.el5</font>
<br>
<font face="sans-serif">389-console-1.1.7-3.el5</font>
<br>
<font face="sans-serif">389-admin-console-doc-1.1.8-1.el5</font>
<br>
<font face="sans-serif">389-ds-1.2.1-1.el5</font>
<br>
<br>
<font face="sans-serif">Thanks for any help!</font>
<br>
<font face="sans-serif">Harry</font><br>
<br>
</blockquote>
<div><br>
Add the below attribute with the same value to the user's LDAP entry.<br>
<br>
nsAccountLock: true<br>
<br>
# cat entry.ldif<br>
dn: uid=tuser, ou=people,dc=example,dc=com<br>
changetype: modify<br>
add: nsaccountlock<br>
nsaccountlock: true<br>
<br>
# ldapmodify -x -a -D "cn=Directory manager" -w password -f
entry.ldif<br>
</div>
</div>
</blockquote>
<br>
I don't think so. The original poster mentioned the Inactivate
button. I assume this means using the Console feature to inactivate
users. Users inactivated in this way should not just magically
become re-activated. This is a problem.<br>
<br>
The problem with using plain ldapmodify is that it doesn't work with
the mechanism used by the Console and the ns-inactivate.pl script,
which use a Roles/CoS scheme to put inactive users into a specific
Role and then use CoS to add nsAccountLock: TRUE to all members of
that Role.<br>
<br>
The first step is to make sure that when you do a search of the
supposedly inactive user's entry like this:<br>
<br>
ldapsearch -xLLL .... uid=inactiveuser \* nsAccountLock<br>
<br>
you see nsAccountLock: TRUE<br>
<br>
and then at some point in the future you see nsAccountLock: FALSE or
just don't see it at all.<br>
<br>
When you say "log back in" - just after inactivating the user in the
Console, did you verify that the user could not log in? And then
did you at some point in the future see that the user could log in
again? When you say "log back in" - do you mean the operating
system login?<br>
<br>
<blockquote
cite="mid:CAD3MydAZvhpTQ1o+tCBN+NNukEDCYbUQvx4Am3jqqHB_Httoxw@mail.gmail.com"
type="cite">
<div class="gmail_quote">
<div><br>
<br>
Regards<br>
Arpit Tolani <br>
</div>
</div>
<br>
<br>
<br>
<br>
<pre wrap="">--
389 users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a>
<a class="moz-txt-link-freetext" href="https://admin.fedoraproject.org/mailman/listinfo/389-users">https://admin.fedoraproject.org/mailman/listinfo/389-users</a></pre>
</blockquote>
<br>
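<br>
The check described in the reply above (nsAccountLock showing TRUE now and FALSE or missing later), as an added example that is not part of the original thread: shell functions that turn saved ldapsearch -LLL output into a per-entry lock report and list entries that were locked in an earlier snapshot but not in a later one. It assumes the search also requested nsRoleDN; the function names, sample entries and the role DN are constructed placeholders.<br>

```shell
# Added example (not from the thread): compare nsAccountLock across snapshots.
# unfold_ldif: join LDIF continuation lines (leading single space).
unfold_ldif() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (NR > 1) print buf; buf = $0 }
         END { if (NR > 0) print buf }'
}

# lock_report: LDIF on stdin, prints "dn TAB locked|unlocked TAB roles".
# A missing nsAccountLock counts as unlocked; base64 values are not decoded.
lock_report() {
    unfold_ldif | awk '
        function emit() {
            if (dn != "") printf "%s\t%s\t%s\n", dn, (locked ? "locked" : "unlocked"), (roles == "" ? "-" : roles)
            dn = ""; locked = 0; roles = ""
        }
        /^$/ { emit(); next }
        {
            i = index($0, ":"); if (i == 0) next
            attr = tolower(substr($0, 1, i - 1))
            val = substr($0, i + 1); sub(/^ +/, "", val)
            if (attr == "dn") dn = val
            else if (attr == "nsaccountlock" && tolower(val) == "true") locked = 1
            else if (attr == "nsroledn") roles = (roles == "" ? val : roles ";" val)
        }
        END { emit() }'
}

# reactivated PREV CUR: DNs locked in report file PREV but unlocked in CUR.
reactivated() {
    awk -F '\t' '
        NR == FNR { if ($2 == "locked") was[tolower($1)] = 1; next }
        $2 == "unlocked" && (tolower($1) in was) { print $1 }' "$1" "$2"
}

# Constructed sample snapshots: uid=tuser and the suffix follow the thread,
# the second user and the role DN are placeholders.
sample_before() {
    printf '%s\n' 'dn: uid=tuser,ou=people,dc=example,dc=com' \
        'nsRoleDN: cn=PLACEHOLDER-disabled-role,dc=example,dc=com' \
        'nsAccountLock: TRUE' '' \
        'dn: uid=averyveryverylongusername,ou=people,dc=exa' ' mple,dc=com' \
        'nsAccountLock: true'
}
sample_after() {
    printf '%s\n' 'dn: uid=tuser,ou=people,dc=example,dc=com' '' \
        'dn: uid=averyveryverylongusername,ou=people,dc=example,dc=com' \
        'nsAccountLock: TRUE'
}
```

Saving one report per run (for example from cron) and passing the two most recent files to reactivated narrows down when a lock disappeared; the role column shows whether the entry still carried a role membership at that time.<br>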
</body>
</html>