Red Hat Directory Server 8.0 Administrator's Guide
inactivating the role to which they belong.
Inactivating a role does not prevent binding to the server as the role entry itself. An inactivated
role means that no user can bind to the server using any entry that is a member of that role; every
entry that belongs to an inactivated role has the nsAccountLock attribute set to true.
In the case of a nested role, inactivating the nested role means that a user cannot bind to the
server using an entry that belongs to any role that is a member of the nested role. All entries that
belong to a role that is directly or indirectly a member of the nested role (there may be several
levels of nesting) have nsAccountLock set to true.
NOTE
The nsAccountLock attribute is an operational attribute, so it is not returned by default
and must be explicitly requested in the list of attributes passed to the ldapsearch command.
For example:
ldapsearch ... args ... "(uid=scarter)" \* nsAccountLock
The Console will automatically show the active/inactive status of entries.
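The following shell snippet is an added example and is not part of the Red Hat guide. It shows the check a practitioner wants after the search above: which of the returned entries are inactivated, i.e. carry nsAccountLock: true. Because a live server is needed for ldapsearch, the search result is a constructed LDIF sample embedded in the script; the bind DN, base DN and the OpenLDAP-style -x/-D/-W flags in the comment are assumptions, and the guide's own ldapsearch syntax may differ.

```shell
#!/bin/sh
# Added example (not from the Red Hat Directory Server guide).
# Lists entries whose nsAccountLock operational attribute is true.
#
# Against a live server the LDIF would come from a search that names the
# operational attribute explicitly (flags below are assumed, OpenLDAP style):
#   ldapsearch -x -D "cn=Directory Manager" -W -b "dc=example,dc=com" \
#       "(uid=scarter)" \* nsAccountLock | locked_entries
#
# Constructed sample result: scarter belongs to an inactivated role,
# tmorris does not (so the server returns no nsAccountLock for him).
SAMPLE_LDIF='dn: uid=scarter,ou=People,dc=example,dc=com
uid: scarter
cn: Sam Carter
nsRoleDN: cn=MarketingRole,dc=example,dc=com
nsAccountLock: true

dn: uid=tmorris,ou=People,dc=example,dc=com
uid: tmorris
cn: Ted Morris
'

# locked_entries: read LDIF on stdin, print the DN of every entry whose
# nsAccountLock value is "true". Attribute names and boolean values are
# case-insensitive in LDAP, so both are lowercased before comparing.
locked_entries() {
    awk '
        /^dn: / { dn = substr($0, 5) }
        tolower($0) ~ /^nsaccountlock: / {
            val = tolower(substr($0, 16))
            sub(/[ \t\r]+$/, "", val)      # drop trailing whitespace/CR
            if (val == "true") print dn
        }
    '
}

# is_locked DN: exit 0 if the given DN is inactivated in the sample result.
is_locked() {
    printf '%s\n' "$SAMPLE_LDIF" | locked_entries | grep -Fxq "$1"
}

# Stand-alone run: print the inactivated DNs from the sample.
printf '%s\n' "$SAMPLE_LDIF" | locked_entries
```

Only entries that actually carry the attribute are reported; an entry with no nsAccountLock line is treated as active, which matches what the server returns for members of active roles.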
1.2. Managing Roles Using the Console
This section contains the following procedures for creating and modifying roles:
• Section 1.2.1, “Creating a Managed Role”
• Section 1.2.2, “Creating a Filtered Role”
• Section 1.2.3, “Creating a Nested Role”
• Section 1.2.4, “Viewing and Editing an Entry's Roles”
• Section 1.2.5, “Modifying a Role Entry”
• Section 1.2.6, “Making a Role Inactive”
• Section 1.2.7, “Reactivating a Role”
• Section 1.2.8, “Deleting a Role”
When creating a role, decide whether users should be able to add themselves to or remove themselves
from the role. See Section 1.4, "Using Roles Securely" for more information about roles and
access control.