Managing Roles Using the Console

inactivating the role to which they belong.

Inactivating a role does not lock the role entry itself, and it is not the role entry that a user binds with. An inactivated role means that a user cannot bind to the server using any entry that is a member of that role; every entry that belongs to an inactivated role has its nsAccountLock attribute set to true.

In the case of a nested role, inactivating the nested role means that a user cannot bind to the server using an entry that belongs to any role that is a member of the nested role. Every entry that belongs to a role which is directly or indirectly a member of the nested role (roles may be nested several levels deep) has nsAccountLock set to true.
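The following is an added illustration of the inactivation rule just described; it is a stand-alone model written for this page, not Directory Server code. The nested-role table and the role DNs under dc=example,dc=com are constructed, and membership is resolved by walking from an entry's direct roles up through every nested role that contains them, which is exactly the "directly or indirectly a member" case in the text.

```python
# Added illustration of the role-inactivation semantics described above; this is a
# stand-alone model, not Directory Server code. Role DNs below are constructed.
from collections import deque

def _norm(dn):
    # LDAP DNs match case-insensitively; a lowercase copy is good enough for this model
    # (a real comparison would also normalise whitespace and attribute types).
    return dn.strip().lower()

# Nested roles: nested role DN -> DNs of the roles that are its members
# (in the directory these are the nsRoleDN values on the nested role entry).
NESTED = {
    "cn=AllStaff,ou=roles,dc=example,dc=com": [
        "cn=Sales,ou=roles,dc=example,dc=com",
        "cn=Engineering,ou=roles,dc=example,dc=com",
    ],
    "cn=Engineering,ou=roles,dc=example,dc=com": [
        "cn=Developers,ou=roles,dc=example,dc=com",
    ],
}

def containing_roles(role, nested):
    """Nested roles that list `role` directly as a member."""
    role = _norm(role)
    return [_norm(n) for n, members in nested.items()
            if role in (_norm(m) for m in members)]

def effective_roles(direct_roles, nested):
    """Every role an entry belongs to: its direct roles plus each nested role that
    contains one of them, followed through any number of nesting levels.
    The visited set keeps this safe if two nested roles reference each other."""
    seen = set()
    queue = deque(_norm(r) for r in direct_roles)
    while queue:
        r = queue.popleft()
        if r in seen:
            continue
        seen.add(r)
        queue.extend(containing_roles(r, nested))
    return seen

def is_locked(direct_roles, nested, inactive_roles):
    """True when the entry would carry nsAccountLock: true, i.e. it belongs, directly
    or through nesting, to at least one inactivated role."""
    return bool(effective_roles(direct_roles, nested) & {_norm(r) for r in inactive_roles})

if __name__ == "__main__":
    dev = ["cn=Developers,ou=roles,dc=example,dc=com"]
    sales = ["cn=Sales,ou=roles,dc=example,dc=com"]
    print("inactivate AllStaff    -> Developers member locked:",
          is_locked(dev, NESTED, ["cn=AllStaff,ou=roles,dc=example,dc=com"]))
    print("inactivate Engineering -> Sales member locked:     ",
          is_locked(sales, NESTED, ["cn=Engineering,ou=roles,dc=example,dc=com"]))
```

Inactivating AllStaff locks members of Sales, Engineering and Developers; inactivating Engineering locks Developers members but leaves Sales members active, which is the asymmetry to keep in mind before inactivating a role that sits high in a nesting hierarchy.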

NOTE

The nsAccountLock attribute is an operational attribute: it is not returned by a normal search and must be explicitly requested in the list of search attributes. For example (\* requests all user attributes, and nsAccountLock adds the operational attribute to that list):

ldapsearch ... args ... "(uid=scarter)" \* nsAccountLock

The Console will automatically show the active/inactive status of entries.
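Because the attribute is only present in search results when it was requested, a script that checks account status from ldapsearch output has to treat "nsAccountLock absent" differently from "nsAccountLock: false". The following is an added example, not part of the manual and not Directory Server code: a minimal LDIF reader run over two constructed samples, one from a search that requested nsAccountLock and one that did not. The entries, DNs and role names are made up for the illustration.

```python
# Added example: reading nsAccountLock out of ldapsearch (LDIF) output.
# The two samples below are constructed for this illustration, not real server output.
import base64

# Output of a search that asked for:  \* nsAccountLock nsRole
SAMPLE_WITH_LOCK = """\
dn: uid=scarter,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: scarter
cn:: U2FtIENhcnRlcg==
nsRole: cn=Developers,ou=roles,dc=example,dc=com
nsRole: cn=Engineering,ou=roles,dc=example,dc=com
nsAccountLock: true

dn: uid=bjensen,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: bjensen
cn: Barbara Jensen
nsRole: cn=Sales,ou=roles,dc=example,dc=com
"""

# Same entry from a search that asked only for \* : the operational attribute is
# silently omitted, so nothing here says whether the account is locked.
SAMPLE_WITHOUT = """\
dn: uid=scarter,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: scarter
cn: Sam Carter
"""

def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines (leading space), decodes
    base64 values (attr:: ...), skips comments, keeps multi-valued attributes.
    Returns a list of (dn, {attribute_name_lowercased: [values]})."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # folded continuation of previous line
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical:
        if line.startswith("#"):
            continue
        if not line.strip():                # blank line ends an entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        name = name.strip().lower()
        if name == "dn":
            current = (value, {})
            continue
        if current is None:
            raise ValueError("attribute before dn: %r" % line)
        current[1].setdefault(name, []).append(value)
    if current is not None:
        entries.append(current)
    return entries

def lock_status(attrs, requested_attrs):
    """'locked', 'active' or 'unknown'. Absence of nsAccountLock only means
    'active' if the attribute was actually requested; otherwise it proves nothing."""
    values = [v.lower() for v in attrs.get("nsaccountlock", [])]
    if "true" in values:
        return "locked"
    if "nsaccountlock" in {a.lower() for a in requested_attrs}:
        return "active"
    return "unknown"

def report(ldif_text, requested_attrs):
    """Map each returned DN to its lock status."""
    return {dn: lock_status(attrs, requested_attrs)
            for dn, attrs in parse_ldif(ldif_text)}

if __name__ == "__main__":
    print(report(SAMPLE_WITH_LOCK, ["*", "nsAccountLock", "nsRole"]))
    print(report(SAMPLE_WITHOUT, ["*"]))
```

Feeding real output in would look like `ldapsearch ... "(uid=scarter)" \* nsAccountLock nsRole | python3 thisfile.py` with a small stdin wrapper; the point of the "unknown" result is that a monitoring job which forgets to request the attribute would otherwise report every locked account as active.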

1.2. Managing Roles Using the Console

This section contains the following procedures for creating and modifying roles:

Section 1.2.1, “Creating a Managed Role”

Section 1.2.2, “Creating a Filtered Role”

Section 1.2.3, “Creating a Nested Role”

Section 1.2.4, “Viewing and Editing an Entry's Roles”

Section 1.2.5, “Modifying a Role Entry”

Section 1.2.6, “Making a Role Inactive”

Section 1.2.7, “Reactivating a Role”

Section 1.2.8, “Deleting a Role”

When creating a role, decide whether users should be able to add themselves to, or remove themselves from, the role. See Section 1.4, “Using Roles Securely” for more information about roles and access control.


HP-UX Red Hat Directory Server Software manual