The CLI can be used for that purpose since 389-ds-base-1.4.2:
dsconf ldap://localhost:389 -D "cn=Directory Manager" -w password -b dc=example,dc=com account lock USER_DN
dsconf ldap://localhost:389 -D "cn=Directory Manager" -w password -b dc=example,dc=com account unlock USER_DN
And the legacy command:
ns-inactivate.pl -Z instance_name -h localhost -p 389 -D "cn=directory manager" -w password -I USER_DN
ns-activate.pl -Z instance_name -h localhost -p 389 -D "cn=directory manager" -w password -I USER_DN
If you want to do that manually, the simpliest option is to set nsAccountLock: true to the user entry. This way the server will reject the bind.
If we remove nsAccountLock: true attribute it will allow the user to bind again (if nothing else prevents it from doing so).
ldapmodify -D "cn=directory manager" -w password
dn: USER_DN
changetype: modify
replace: nsAccountLock
nsAccountLock: true
ldapmodify -D "cn=directory manager" -w password
dn: USER_DN
changetype: modify
delete: nsAccountLock
For the group of entries we should use role subcommand instead of account. Like this:
dsconf ldap://localhost:389 -D "cn=Directory Manager" -w password -b dc=example,dc=com role lock ROLE_DN
dsconf ldap://localhost:389 -D "cn=Directory Manager" -w password -b dc=example,dc=com role unlock ROLE_DN
And for the legacy command:
ns-inactivate.pl -Z instance_name -h localhost -p 389 -D "cn=directory manager" -w password -I ROLE_DN
ns-activate.pl -Z instance_name -h localhost -p 389 -D "cn=directory manager" -w password -I ROLE_DN
If you want to do that manually, it’ll be tricker. We should use CoS definition and Role if we want to set nsAccountLock to a group of entries. It can be done this way:
Create an entry cn=nsManagedDisabledRole,dc=example,dc=com. This role will be assigned to the accounts we want to lock.
ldapmodify -D ”cn=directory manager” -w password dn: cn=nsManagedDisabledRole,dc=example,dc=com changetype: add objectClass: nsSimpleRoleDefinition objectClass: nsManagedRoleDefinition objectClass: nsRoleDefinition objectClass: ldapSubEntry objectClass: top cn: nsManagedDisabledRole
Create an entry cn=nsDisabledRole,dc=example,dc=com. This role will distribute nsAccountLock through other roles.
ldapmodify -D ”cn=directory manager” -w password dn: cn=nsDisabledRole,dc=example,dc=com changetype: add objectClass: nsComplexRoleDefinition objectClass: nsNestedRoleDefinition objectClass: nsRoleDefinition objectClass: ldapSubEntry objectClass: top cn: nsDisabledRole nsRoleDN: cn=nsManagedDisabledRole,dc=example,dc=com
Now create a Classic CoS set up for the cn=nsDisabledRole,dc=example,dc=com.
ldapmodify -D ”cn=directory manager” -w password dn: cn=nsAccountInactivationTmp,dc=example,dc=com changetype: add objectClass: top objectClass: nscontainer cn: nsAccountInactivationTmp
dn: cn=cn\3DnsDisabledRole\2Cdc\3Dexample\2Cdc\3Dcom,cn=nsAccountInactivationTmp,dc=example,dc=com changetype: add objectClass: top objectClass: cosTemplate objectClass: extensibleObject cosPriority: 1 nsAccountLock: true cn: cn=nsDisabledRole,dc=example,dc=com
dn: cn=nsAccountInactivation_cos,dc=example,dc=com c objectClass: nscontainer cn: nsAccountInactivationTmp
dn: cn=cn\3DnsDisabledRole\2Cdc\3Dexample\2Cdc\3Dcom,cn=nsAccountInactivationTmp,dc=example,dc=com changetype: add objectClass: top objectClass: cosTemplate objectClass: extensibleObject cosPriority: 1 nsAccountLock: true cn: cn=nsDisabledRole,dc=example,dc=com
dn: cn=nsAccountInactivation_cos,dc=example,dc=com changetype: add objectClass: top objectClass: cossuperdefinition objectClass: cosClassicDefinition objectClass: ldapSubEntry cosAttribute: nsAccountLock operational cosspecifier: nsRole costemplatedn: cn=nsAccountInactivationTmp,dc=example,dc=com cn: nsAccountInactivation_cos
You can set more roles to cn=nsDisabledRole,dc=example,dc=com and all of entries of these roles and their children will be locked.
ldapmodify -D ”cn=directory manager” -w password dn: cn=nsDisabledRole,dc=example,dc=com changetype: modify add: nsRoleDN nsRoleDN: cn=managers,ou=groups,dc=example,dc=com
If you need to unlock the role, you can just remove nsRoleDN attribute from cn=nsDisabledRole,dc=example,dc=com entry.
ldapmodify -D "cn=directory manager" -w password
dn: cn=nsDisabledRole,dc=example,dc=com
changetype: modify
delete: nsRoleDN
nsRoleDN: cn=managers,ou=groups,dc=example,dc=com
You can check the status of a single entry or a subtree using these CLI tools:
dsconf ldap://localhost:389 -D "cn=Directory Manager" -w password -b dc=example,dc=com account entry-status USER_DN
dsconf ldap://localhost:389 -D "cn=Directory Manager" -w password -b dc=example,dc=com account subtree-status SUBTREE_DN
dsconf ldap://localhost:389 -D "cn=Directory Manager" -w password -b dc=example,dc=com role entry-status USER_DN
dsconf ldap://localhost:389 -D "cn=Directory Manager" -w password -b dc=example,dc=com role subtree-status SUBTREE_DN
The legacy tools option:
ns-accountstatus.pl -Z standalone1 -h localhost -p 389 -D "cn=directory manager" -w password -I ENTRY_DN
ns-accountstatus.pl -Z standalone1 -h localhost -p 389 -D "cn=directory manager" -w password -b SUBTREE_DN -f "(objectclass=*)"