HP-UX Directory Server 8.1 administrator guide

not expire, add the passwordExpirationTime attribute to the Directory Server entry,
and give it a value of 20380119031407Z (the top of the valid range).
See Chapter 9 “Synchronizing Directory Server with Microsoft Active Directory” for more
information on synchronizing Directory Server and Windows users and passwords.
7.2 Inactivating users and roles
A single user account or set of accounts can be temporarily inactivated. After an account is
inactivated, a user cannot bind to the directory. The authentication operation will fail.
Users and roles are inactivated using the operational attribute nsAccountLock. When an entry
contains the nsAccountLock attribute with a value of true, the server rejects the bind.
The same procedures are used to inactivate users and roles. However, when a role is inactivated,
the members of the role are inactivated, not the role entry itself. For more information about
roles in general and how roles interact with access control in particular, see Chapter 5 “Organizing
entries with roles, class of service, and views”.
“Inactivating user and roles using the console”
“Inactivating user and roles using the command line”
“Activating user and roles using the console”
“Activating user and roles using the command line”
CAUTION:
The root entry (the entry corresponding to the root or sub suffix) on a database cannot be
inactivated. Chapter 3 (page 99) has information on creating the entry for a root or sub suffix,
and Chapter 2 (page 31) has information on creating root and sub suffixes.
7.2.1 Inactivating user and roles using the console
The following procedure describes inactivating a user or a role using the Console:
1. Select the Directory tab.
2. Browse the navigation tree in the left navigation pane, and double-click the user or role to
inactivate.
The Edit Entry dialog box appears.
Alternatively, select Inactivate from the Object menu.
3. Click Account in the left pane. The right pane states that the role or user is activated.
Click Inactivate to inactivate the user or role.
4. Click OK.
After it is inactivated, the state of the object can be viewed by selecting Inactivation State
from the View > Display menu. The icon of the object then appears in the right pane of the
Console with a red slash through it.
7.2.2 Inactivating user and roles using the command line
To inactivate a user account, use the ns-inactivate.pl script. The following example describes
using the ns-inactivate.pl script to inactivate Joe Frasier's user account:
ns-inactivate.pl -D "cn=Directory Manager" -w secret -p 389 -h example.com \
-I "uid=jfrasier,ou=people,dc=example,dc=com"
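To confirm which entries are inactivated, an LDIF export can be checked for nsAccountLock with a value of true. Because nsAccountLock is an operational attribute, a search returns it only when it is requested by name. The following is an added example, not part of the original guide: the function name locked_dns and the SAMPLE_LDIF entries are constructed for illustration.

```shell
# Added example: list the DN of every entry in an LDIF export whose
# nsAccountLock is true. SAMPLE_LDIF is constructed sample data.
SAMPLE_LDIF='dn: uid=jfrasier,ou=people,dc=example,dc=com
uid: jfrasier
nsAccountLock: true

dn: uid=bjensen,ou=people,dc=example,dc=com
uid: bjensen

dn: uid=averylonguserid,ou=contractors,ou=people,dc=example,
 dc=com
uid: averylonguserid
NSACCOUNTLOCK: TRUE

dn: uid=scarter,ou=people,dc=example,dc=com
uid: scarter
nsAccountLock: false
'

# Reads LDIF on stdin. Handles folded lines (continuations start with one
# space) and case-insensitive names/values; base64 values are not decoded.
locked_dns() {
  awk '
    function flush_line() {            # process one unfolded logical line
      if (line == "") return
      sep = index(line, ":")
      name = tolower(substr(line, 1, sep - 1))
      val = substr(line, sep + 1); sub(/^[ \t]+/, "", val)
      if (name == "dn") dn = val
      else if (name == "nsaccountlock" && tolower(val) == "true") locked = 1
      line = ""
    }
    function flush_entry() {           # called at each entry boundary
      flush_line()
      if (locked && dn != "") print dn
      dn = ""; locked = 0
    }
    /^ /  { line = line substr($0, 2); next }   # folded continuation
    /^$/  { flush_entry(); next }               # blank line ends the entry
          { flush_line(); line = $0 }           # start of a new logical line
    END   { flush_entry() }
  '
}

printf '%s\n' "$SAMPLE_LDIF" | locked_dns
```

Entries without the attribute, or with a value of false, are not reported.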