20.16. Manually Inactivating Users and Roles


A single user account or set of accounts can be temporarily inactivated. Once an account is inactivated, a user cannot bind to the directory. The authentication operation will fail.
Users and roles are inactivated using the operational attribute nsAccountLock. When an entry contains the nsAccountLock attribute with a value of true, the server rejects the bind.
The same procedures are used to inactivate users and roles. However, when a role is inactivated, the members of the role are inactivated, not the role entry itself. For more information about roles in general and how roles interact with access control in particular, see Chapter 8, Organizing and Grouping Entries.

Warning

The root entry (the entry corresponding to the root or sub suffix) on a database cannot be inactivated. Chapter 3, Managing Directory Entries has information on creating the entry for a root or sub suffix, and Chapter 2, Configuring Directory Databases has information on creating root and sub suffixes.

20.16.1. Displaying the Status of an Account or Role

To display the status of:
  • An account, enter:
    # dsidm -D "cn=Directory Manager" ldap://server.example.com -b "dc=example,dc=com" account entry-status "uid=user_name,ou=People,dc=example,dc=com"
    Entry DN: uid=user_name,ou=People,dc=example,dc=com
    Entry Creation Date: 20200813085535Z (2020-08-13 08:55:35)
    Entry Modification Date: 20200813085535Z (2020-08-13 08:55:35)
    Entry State: activated
    Optional: Pass the -V option to the command to display additional details:
    # dsidm -D "cn=Directory Manager" ldap://server.example.com -b "dc=example,dc=com" account entry-status "uid=user_name,ou=People,dc=example,dc=com" -V
    Entry DN: uid=user_name,ou=People,dc=example,dc=com
    Entry Creation Date: 20200824160645Z (2020-08-24 16:06:45)
    Entry Modification Date: 20200824160645Z (2020-08-24 16:06:45)
    Entry Last Login Date: 20200824160645Z (2020-08-24 16:06:45)
    Entry Time Until Inactive: 2 seconds (2020-08-24 16:07:45)
    Entry State: activated
    The previous output is an example of an active account, as indicated by the last two lines of the output. An inactive account would instead provide output similar to the following:
    # dsidm -D "cn=Directory Manager" ldap://server.example.com -b "dc=example,dc=com" account entry-status "uid=user_name,ou=People,dc=example,dc=com" -V
    Entry DN: uid=user_name,ou=People,dc=example,dc=com
    Entry Creation Date: 20200824160645Z (2020-08-24 16:06:45)
    Entry Modification Date: 20200824160645Z (2020-08-24 16:06:45)
    Entry Last Login Date: 20200824160645Z (2020-08-24 16:06:45)
    Entry Time Since Inactive: 3 seconds (2020-08-24 16:07:45)
    Entry State: inactivity limit exceeded
  • A role, enter:
    # dsidm -D "cn=Directory Manager" ldap://server.example.com -b "dc=example,dc=com" role entry-status "cn=Marketing,ou=People,dc=example,dc=com"
    Entry DN: cn=Marketing,ou=people,dc=example,dc=com
    Entry State: activated
To display the status of a subtree instead of a single entry, use subtree-status instead of entry-status. With subtree-status, you can specify a filter (-f) and a search scope (-s) to narrow down the results. You can refine the search further with the -i option, which returns only inactive accounts, or the -o date option, which returns only accounts that will be inactive before the specified date:
# dsidm -D "cn=Directory Manager" ldap://server.example.com -b "dc=example,dc=com" account subtree-status "ou=People,dc=example,dc=com" -f "(uid=*)" -V -o "2020-08-25T14:30:30"
Specify the date in the following format: YYYY-MM-DDTHH:MM:SS
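
For audits, the status output can be filtered so that only entries that are not active are listed. The following is an added example, not part of the product documentation: the function names and the sample input are constructed, and it assumes that subtree-status prints the same "Entry DN:" and "Entry State:" lines per entry that entry-status shows above. An entry that has no "Entry State:" line is reported as unknown rather than silently treated as active.

```shell
#!/bin/sh
# Added example (not from the product documentation).
# Reads dsidm status text on stdin and prints "DN<TAB>state" for every entry
# whose Entry State is not exactly "activated".
# Assumption: subtree-status prints the same "Entry DN:" / "Entry State:"
# lines per entry that the page shows for entry-status.
non_active_entries() {
    awk '
        function report(state) {
            if (dn != "" && state != "activated")
                printf "%s\t%s\n", dn, state
            dn = ""
        }
        { sub(/[ \t\r]+$/, "") }              # drop trailing blanks and CRs
        /^[ \t]*Entry DN:/ {
            # A new entry began before the previous one showed a state.
            if (dn != "") report("unknown (no Entry State line)")
            sub(/^[ \t]*Entry DN:[ \t]*/, "")
            dn = $0
            next
        }
        /^[ \t]*Entry State:/ {
            sub(/^[ \t]*Entry State:[ \t]*/, "")
            report($0)
        }
        END { if (dn != "") report("unknown (no Entry State line)") }
    '
}

# Constructed sample input: one active entry, one inactive entry,
# and one truncated entry with no Entry State line.
sample_status() {
    cat <<'EOF'
Entry DN: uid=user_a,ou=People,dc=example,dc=com
Entry State: activated

Entry DN: uid=user_b,ou=People,dc=example,dc=com
Entry Last Login Date: 20200824160645Z (2020-08-24 16:06:45)
Entry Time Since Inactive: 3 seconds (2020-08-24 16:07:45)
Entry State: inactivity limit exceeded

Entry DN: uid=user_c,ou=People,dc=example,dc=com
EOF
}

sample_status | non_active_entries
```

Against a live server, pipe the output of the account subtree-status command shown above into non_active_entries instead of the sample.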

20.16.2. Inactivating and Activating Users and Roles Using the Command Line

To inactivate:
  • A user account, enter:
    # dsidm -D "cn=Directory Manager" ldap://server.example.com -b "dc=example,dc=com" account lock "uid=user_name,ou=People,dc=example,dc=com"
  • A role, enter:
    # dsidm -D "cn=Directory Manager" ldap://server.example.com -b "dc=example,dc=com" role lock "cn=Marketing,ou=People,dc=example,dc=com"
To activate:
  • A user account, enter:
    # dsidm -D "cn=Directory Manager" ldap://server.example.com -b "dc=example,dc=com" account unlock "uid=user_name,ou=People,dc=example,dc=com"
  • A role, enter:
    # dsidm -D "cn=Directory Manager" ldap://server.example.com -b "dc=example,dc=com" role unlock "cn=Marketing,ou=People,dc=example,dc=com"