  • Disable and Enable Users

    I needed the ability for certain users to be able to enable/disable other user accounts via our web-app. I had a lot of trouble finding a clear-cut answer to how this should be accomplished and ended up struggling with this for a few days. So I thought I would post here and maybe save someone else all the trouble.

    Note: This was with 389 Directory Server (should be the same for Red Hat Directory Server or other open LDAP implementations)

    Essentially, the answer was this:
    To lock an account, add the value "cn=nsmanageddisabledrole,dc=extranet,dc=mycompany,dc=com" to the attribute nsroledn.

    However, to detect if an account was locked or not, I do a lookup for the "nsaccountlock" attribute, which is automatically added and set to true when the account is locked.

    Here is the code:

    import javax.naming.NamingException;
    import javax.naming.directory.*;
    import org.apache.commons.logging.Log;
    import org.apache.commons.logging.LogFactory;
    import org.springframework.ldap.core.*;

    // Class name, logger and the injected LdapTemplate are assumed; the post shows only the methods
    public class UserLockDao {
        private static final Log LOGGER = LogFactory.getLog(UserLockDao.class);
        public static final String ACCOUNT_LOCK = "nsaccountlock";
        public static final String ROLES_MANAGED = "nsroledn";
        private static final String ROLE_DISABLED = "cn=nsmanageddisabledrole,dc=mycompany,dc=com";
        private LdapTemplate ldapTemplate;

        // Mapper that hands back the entry's attributes unchanged
        private AttributesMapper createGenericAttributesMapper() {
            return new AttributesMapper() {
                public Object mapFromAttributes(Attributes attrs) { return attrs; }
            };
        }
        public void lockUser(String username) throws Exception {
            try {
                Attributes attributes = (Attributes) ldapTemplate.lookup(username, createGenericAttributesMapper());
                if (isLocked(username)) {
                    LOGGER.debug("user already locked out");
                    return;
                }
                Attribute attr = new BasicAttribute(ROLES_MANAGED);   // adding the disabled role locks the account
                attr.add(ROLE_DISABLED);
                attributes.put(attr);
                ldapTemplate.rebind(username, null, attributes);   // rewrites the whole entry
            } catch (Exception e) {
                LOGGER.error("Error when trying to lock user: " + e);
                throw new Exception(e);
            }
        }
        public void unlockUser(String username) throws Exception {
            ModificationItem[] mods = new ModificationItem[1];   // remove only the disabled-role value
            mods[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE, new BasicAttribute(ROLES_MANAGED, ROLE_DISABLED));
            ldapTemplate.modifyAttributes(username, mods);
        }
        public Boolean isLocked(String username) {
            String[] attrs = { ACCOUNT_LOCK };   // ask for nsaccountlock explicitly
            Boolean val = (Boolean) ldapTemplate.lookup(username, attrs, new AttributesMapper() {
                public Object mapFromAttributes(Attributes arg0) throws NamingException {
                    if (arg0.get(ACCOUNT_LOCK) == null) return Boolean.FALSE;
                    return Boolean.valueOf((String) arg0.get(ACCOUNT_LOCK).get());
                }
            });
            return val;
        }
    }
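The same lock/unlock mechanism (add or remove the managed disabled role in nsroledn, read nsaccountlock to check) written as targeted LDAP modifications instead of lookup-plus-rebind. This is an added example, not the poster's code: it assumes Spring LDAP with the org.springframework.ldap exception classes (1.2 or later), an already-configured LdapTemplate passed in by the caller, and placeholder DNs that must be replaced with the role actually defined on your server.

```java
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;

import org.springframework.ldap.AttributeInUseException;
import org.springframework.ldap.NoSuchAttributeException;
import org.springframework.ldap.core.AttributesMapper;
import org.springframework.ldap.core.LdapTemplate;

/**
 * Lock/unlock by modifying only the nsroledn value, never rewriting the entry.
 * Example code added to this thread; not the original poster's implementation.
 * Assumes an injected LdapTemplate and a placeholder role DN (see ROLE_DISABLED).
 */
public class AccountLockService {
    private static final String ACCOUNT_LOCK = "nsaccountlock";
    private static final String ROLES_MANAGED = "nsroledn";
    // Assumption: must match the managed disabled role defined in your directory
    private static final String ROLE_DISABLED = "cn=nsmanageddisabledrole,dc=mycompany,dc=com";

    private final LdapTemplate ldapTemplate;

    public AccountLockService(LdapTemplate ldapTemplate) {
        this.ldapTemplate = ldapTemplate;
    }

    /** Adds the disabled role. Idempotent: a value that is already present is not an error. */
    public void lockUser(String userDn) {
        ModificationItem[] mods = {
            new ModificationItem(DirContext.ADD_ATTRIBUTE,
                                 new BasicAttribute(ROLES_MANAGED, ROLE_DISABLED))
        };
        try {
            ldapTemplate.modifyAttributes(userDn, mods);
        } catch (AttributeInUseException alreadyLocked) {
            // LDAP result 20 (attributeOrValueExists): the account was already locked
        }
    }

    /** Removes only the disabled-role value; any other nsroledn values stay untouched. */
    public void unlockUser(String userDn) {
        ModificationItem[] mods = {
            new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
                                 new BasicAttribute(ROLES_MANAGED, ROLE_DISABLED))
        };
        try {
            ldapTemplate.modifyAttributes(userDn, mods);
        } catch (NoSuchAttributeException notLocked) {
            // LDAP result 16 (noSuchAttribute): the value was not there, account already unlocked
        }
    }

    /** nsaccountlock is computed by the server, so request it by name or it is not returned. */
    public boolean isLocked(String userDn) {
        String[] attrs = { ACCOUNT_LOCK };
        Object result = ldapTemplate.lookup(userDn, attrs, new AttributesMapper() {
            public Object mapFromAttributes(Attributes a) throws NamingException {
                return a.get(ACCOUNT_LOCK) != null
                    && Boolean.parseBoolean((String) a.get(ACCOUNT_LOCK).get());
            }
        });
        return ((Boolean) result).booleanValue();
    }
}
```

The reason to prefer this over lookup-then-rebind: LdapTemplate.rebind removes the entry and recreates it from the Attributes you pass, so anything not in the copy you read back is lost, and the read-modify-write is not atomic if another admin changes the entry in between. A single modify of nsroledn is atomic on the server, and the two catch blocks make repeated lock or unlock calls harmless, which matters when the operation is triggered from a web UI that can be double-submitted.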