Linux Archive

Linux Archive (
-   Fedora Directory (
-   -   Problems with nsaccountlock attribute (

Arpit Tolani 05-08-2012 12:53 AM

Problems with nsaccountlock attribute

On Mon, May 7, 2012 at 10:41 AM, David Baird <> wrote:

Hi All,

Our instance of 389 (version running on Centos 5.7) has recently begun exhibiting problems with account locking.

Locking (or inactivating if you prefer) an account, either by using the 389 console, or the script works initially and the user object displays the correct attributes...

nsrole "cn=nsdisabledrole,dc=..." "cn=nsmanageddisabledrole,dc=..."

nsroledn "cn=nsManagedDisabledRole,dc=..."

nsaccountlock "true"

and an ldapsearch confirms the existence of the nsaccountlock attribute.

However, after some period of time has elapsed (haven't quite narrowed down exactly when it occurs) the nsaccountlock attribute is no longer present, meaning the account is no longer locked.

About two weeks ago, I removed all entries from nsManagedDisabledRole and restarted dirsrv, then inactivated approximately 16 accounts. *As of Thursday last week they were all still as expected with the nsaccountlock attribute present. *As of this morning (Monday) none of the accounts have the nsaccountlock attribute present. *The modifytimestamp for the user object remains unchanged, which would indicate an issue with the management of the virtual nsaccountlock attribute.

Does anyone have any idea what might be causing this? Replication is not an issue as we only have a single server. There is an AD sync agreement active, but it's my understanding that 389 cannot sync account locking with Active Directory.

Is the management of the virtual attribute nsaccountlock logged at all? *Is there a specific log level (either in access log or error log) that will give a clue as to what is happening?

May be
I recently faced this issue with disabledroles only & upgrading to latest version resolved the issue. Looks like this issue persists with disabled roles as well along with password policies.


389 users mailing list
Arpit Tolani

389 users mailing list

All times are GMT. The time now is 11:10 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.