Red Hat Directory Server 8.0 Administrator's Guide

The Password Sync utility must be installed locally on the Windows machine that will be
synchronized with a Directory Server.
Password Sync can only link the Windows machine to a single Directory Server; to sync
changes with multiple Directory Server instances, configure the Directory Server for
multi-master replication.
Password expiration warnings and times, failed bind attempts, and other password-related
information are enforced locally per server and are not synchronized between sync peer servers.
The same bind behavior should occur on all servers. Make sure to create the same or similar
password policies on both Directory Server and Active Directory servers.
Entries that are created for synchronization (for example, the server identities) need to have
passwords that never expire. To make sure that these special users have passwords that do
not expire, add the passwordExpirationTime attribute to the Directory Server entry, and give
it a value of 20380119031407Z (the top of the valid range).
See Chapter 19, Synchronizing Red Hat Directory Server with Microsoft Active Directory for
more information on synchronizing Directory Server and Windows users and passwords.
2. Inactivating Users and Roles
A single user account or set of accounts can be temporarily inactivated. Once an account is
inactivated, a user cannot bind to the directory. The authentication operation will fail.
Users and roles are inactivated using the operational attribute nsAccountLock. When an entry
contains the nsAccountLock attribute with a value of true, the server rejects the bind.
The same procedures are used to inactivate users and roles. However, when a role is
inactivated, the members of the role are inactivated, not the role entry itself. For more
information about roles in general and how roles interact with access control in particular, see
Chapter 5, Managing Entries with Roles, Class of Service, and Views.
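The following Python snippet is an added illustration, not code from the guide or from Directory Server itself. It models the two server-side checks described above (an nsAccountLock value of true rejects the bind; a passwordExpirationTime in the past expires the password) against constructed entry data, and generates the LDIF an administrator would feed to ldapmodify. The attribute-value case-insensitivity and the use of `replace` are assumptions of this example.

```python
from datetime import datetime, timezone

# Top of the valid passwordExpirationTime range, as given in the guide.
NEVER_EXPIRES = "20380119031407Z"


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as 20380119031407Z into an aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def bind_allowed(entry, now):
    """Model the bind decision for one entry.

    `entry` maps attribute names to lists of string values (constructed input,
    not a live directory). Returns (allowed, reason).
    """
    attrs = {name.lower(): values for name, values in entry.items()}
    # nsAccountLock: true -> the server rejects the bind outright.
    # Values are compared case-insensitively here (assumption of this example).
    if any(v.lower() == "true" for v in attrs.get("nsaccountlock", [])):
        return False, "account inactivated (nsAccountLock is true)"
    expiry = attrs.get("passwordexpirationtime")
    if expiry and parse_generalized_time(expiry[0]) <= now:
        return False, "password expired"
    return True, "ok"


def inactivate_ldif(dn):
    """LDIF for ldapmodify that inactivates a user entry."""
    return (f"dn: {dn}\nchangetype: modify\n"
            "replace: nsAccountLock\nnsAccountLock: true\n")


def never_expire_ldif(dn):
    """LDIF for ldapmodify that pins a sync identity's password to the top of the range."""
    return (f"dn: {dn}\nchangetype: modify\n"
            f"replace: passwordExpirationTime\npasswordExpirationTime: {NEVER_EXPIRES}\n")


if __name__ == "__main__":
    # Constructed sample entries (hypothetical DNs, not from the guide).
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    locked = {"uid": ["jdoe"], "nsAccountLock": ["true"]}
    sync_id = {"uid": ["pwsync"], "passwordExpirationTime": [NEVER_EXPIRES]}
    print(bind_allowed(locked, now), bind_allowed(sync_id, now))
    print(inactivate_ldif("uid=jdoe,ou=People,dc=example,dc=com"))
```

The 2038 value is the largest time a signed 32-bit Unix timestamp can hold, which is why the guide calls it the top of the valid range.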
Section 2.1, “Inactivating User and Roles Using the Console”
Section 2.2, “Inactivating User and Roles Using the Command-Line”
Section 2.3, “Activating User and Roles Using the Console”
Section 2.4, “Activating User and Roles Using the Command-Line”
CAUTION
The root entry (the entry corresponding to the root or sub suffix) on a database
cannot be inactivated. Chapter 2, Creating Directory Entries has information on