Inactivating Users and Roles 272 Netscape Directory Server Administrator’s Guide • August 2002

When configuring a password policy in a replicated environment, consider the following points:

• Warnings from the server of an impending password expiration will be issued by all replicas. This information is kept locally on each server, so if a user binds to several replicas in turn, they will be issued the same warning several times. In addition, if the user changes the password, it may take time for this information to filter to the replicas. If a user changes a password and then immediately rebinds, they may find that the bind fails until the replica registers the changes.
• You want the same bind behavior to occur on all servers, including masters and replicas. Make sure to create the same password policy configuration information on each server.
• Account lockout counters may not work as expected in a multi-mastered environment.
• Entries that are created for replication (for example, the server identities) need to have passwords that never expire. To make sure that these special users have passwords that do not expire, add the passwordExpirationTime attribute to the entry and give it a value of 20380119031407Z (the top of the valid range).

Inactivating Users and Roles

You can temporarily inactivate a single user account or a set of accounts. Once inactivated, a user cannot bind to the directory. The authentication operation will fail.

Users and roles are inactivated using the operational attribute nsAccountLock. When an entry contains the nsAccountLock attribute with a value of true, the server rejects the bind.

You use the same procedures for inactivating users and roles. However, when you inactivate a role, you are inactivating the members of the role and not the role entry itself. For more information about roles in general and how roles interact with access control in particular, refer to Chapter 5, “Advanced Entry Management.”

The rest of this section describes the following procedures:

• Inactivating User and Roles Using the Console
• Inactivating User and Roles Using the Command Line
• Activating User and Roles Using the Console
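The following audit is an added example, not part of the guide. It reads an LDIF export and reports replication entries whose passwordExpirationTime is not the non-expiring value given above, or that carry nsAccountLock with a value of true and therefore cannot bind. It assumes the export was taken with these two operational attributes requested by name; the DNs and sample data are invented for illustration.

```python
MAX_EXPIRY = "20380119031407Z"  # value the guide gives as the top of the valid range

# Constructed sample export; every DN and value below is invented for illustration.
SAMPLE_LDIF = """\
dn: cn=Replication Manager,cn=config
passwordExpirationTime: 20380119031407Z

dn: cn=supplier2 identity,
 cn=config
passwordExpirationTime: 20030101000000Z
nsAccountLock: true
"""

def parse_ldif(text):
    """Map lowercased DN -> {lowercased attr: [values]}; base64 values are not decoded."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]      # LDIF continuation line
        else:
            unfolded.append(raw)
    entries, current = {}, None
    for line in unfolded:
        if not line.strip():
            current = None               # blank line ends the entry
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                current = entries.setdefault(value.lower(), {})
            elif current is not None:
                current.setdefault(name, []).append(value)
    return entries

def audit_replication_entries(entries, replication_dns):
    """Flag replication identities whose password can expire or that cannot bind."""
    findings = []
    for dn in replication_dns:
        entry = entries.get(dn.lower())
        if entry is None:
            findings.append((dn, "not found in export"))
            continue
        expiry = entry.get("passwordexpirationtime", [None])[0]
        if expiry != MAX_EXPIRY:
            findings.append((dn, f"passwordExpirationTime={expiry}, expected {MAX_EXPIRY}"))
        if "true" in (v.lower() for v in entry.get("nsaccountlock", [])):
            findings.append((dn, "nsAccountLock is true, so binds are rejected"))
    return findings
```

Because the guide advises keeping the same configuration on every server, run the audit against an export from each master and replica and compare the findings.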