
9.5. Preventing Authentication by Account Deactivation

A user account or a set of accounts can be temporarily deactivated. After an account has been deactivated, that user cannot bind to the directory, and the authentication operation fails.
Account deactivation is implemented through the operational attribute nsAccountLock. When an entry contains the nsAccountLock attribute with a value of true, the server rejects the bind.
The procedures for deactivating users and roles are the same. However, deactivating a role deactivates all of the members of that role and not the role entry itself. For more information about roles, see Section 4.3.2, “About Roles”.
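The following is an added example, not part of the original documentation: a short audit script that lists which entries in an LDIF export carry nsAccountLock with a value of true, so that deactivated accounts can be reviewed offline. The sample entries and function names are constructed for illustration. It assumes the export came from a search that requested nsAccountLock explicitly, because operational attributes are not returned by default, and it compares the value without regard to case as a conservative audit choice.

```python
import base64

# Constructed LDIF export (sample data, not from the original page).
SAMPLE_LDIF = """\
dn: uid=jsmith,ou=People,dc=example,dc=com
uid: jsmith
nsAccountLock: true

dn: uid=bjensen,ou=People,dc=example,dc=com
uid: bjensen

dn: uid=kwinters,ou=People,dc=example,dc=com
NSACCOUNTLOCK:: VFJVRQ==

dn: uid=averylonguser,ou=Temporary Contractors,ou=People,dc=exam
 ple,dc=com
nsaccountlock: false
"""

def parse_entries(text):
    """Parse LDIF into dicts keyed by lower-cased attribute name."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):            # "attr:: value" is base64-encoded
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries

def deactivated_dns(text):
    """Return the DNs of entries that carry nsAccountLock with the value true."""
    return [e["dn"][0] for e in parse_entries(text)
            if "dn" in e
            and any(v.lower() == "true" for v in e.get("nsaccountlock", []))]

if __name__ == "__main__":
    for dn in deactivated_dns(SAMPLE_LDIF):
        print("deactivated:", dn)
```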