[389-users] Deactivating accounts

Rich Megginson rmeggins at redhat.com
Tue Jul 17 19:38:23 UTC 2012 

On 07/17/2012 11:13 AM, Arpit Tolani wrote:
> Hello
>
>
> On Tue, Jul 17, 2012 at 10:10 PM, <harry.devine at faa.gov 
> <mailto:harry.devine at faa.gov>> wrote:
>
>
>     We have several users who no longer need access, but may in the
>     future, so we have set them to be Inactive in their profile.
>      However, we noticed that these accounts have re-activated
>     themselves and those users could log back in if they wanted to.
>      How do we make accounts that we specifically make inactive by
>     pressing the Inactivate button stay that way?
>
>     We are using the following 389 versions on CentOS 5.7 64-bit:
>
>     389-ds-base-1.2.9.9-1.el5
>     389-admin-1.1.29-1.el5
>     389-ds-console-1.2.6-1.el5
>     389-adminutil-1.1.15-1.el5
>     389-admin-console-1.1.8-1.el5
>     389-ds-console-doc-1.2.6-1.el5
>     389-ds-base-libs-1.2.9.9-1.el5
>     389-dsgw-1.1.9-1.el5
>     389-console-1.1.7-3.el5
>     389-admin-console-doc-1.1.8-1.el5
>     389-ds-1.2.1-1.el5
>
>     Thanks for any help!
>     Harry
>
>
> Add below attribute with same value in user's ldap entry.
>
> nsAccountLock: true
>
> # cat entry.ldif
> dn: uid=tuser, ou=people,dc=example,dc=com
> changetype: modify
> add: nsaccountlock
> nsaccountlock: true
>
> # ldapmodify -x -a -D "cn=Directory manager" -w password -f entry.ldif

I don't think so.  The original poster mentioned the Inactivate button.  
I assume this means using the Console feature to inactivate users.  
Users inactivated in this way should not just magically become 
re-activated.  This is a problem.

The problem with using plain ldapmodify is that it doesn't work with the 
mechanism used by the Console and the ns-inactivate.pl script, which use 
a Roles/CoS scheme to put inactive users into a specific Role and then 
use CoS to add nsAccountLock: TRUE to all members of that Role.

The first step is to make sure that when you do a search of the 
supposedly inactive user's entry like this:

ldapsearch -xLLL .... uid=inactiveuser \* nsAccountLock

you see nsAccountLock: TRUE

and then at some point in the future you see nsAccountLock: FALSE or 
just don't see it at all.

When you say "log back in" - just after inactivating the user in the 
Console, did you verify that the user could not log in?  And then did 
you at some point in the future see that the user could log in again?  
When you say "log back in" - do you mean the operating system login?

>
>
> Regards
> Arpit Tolani
>
>
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20120717/e5dbec20/attachment.html>

More information about the 389-users mailing list