-rw-r--r--install/share/bootstrap-template.ldif38
-rw-r--r--ipalib/plugins/user.py2
-rw-r--r--ipaserver/plugins/ldap2.py51
3 files changed, 5 insertions, 86 deletions
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index fdb2cc4fe..52f0c97ba 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -352,50 +352,12 @@ ipaDefaultEmailDomain: $DOMAIN
ipaMigrationEnabled: FALSE
ipaConfigString: AllowNThash
-dn: cn=account inactivation,cn=accounts,$SUFFIX
-changetype: add
-description: Lock accounts based on group membership
-objectClass: top
-objectClass: ldapsubentry
-objectClass: cosSuperDefinition
-objectClass: cosClassicDefinition
-cosTemplateDn: cn=cosTemplates,cn=accounts,$SUFFIX
-cosAttribute: nsAccountLock operational
-cosSpecifier: memberOf
-cn: Account Inactivation
-
dn: cn=cosTemplates,cn=accounts,$SUFFIX
changetype: add
objectclass: top
objectclass: nsContainer
cn: cosTemplates
-dn: cn=cn\=inactivated\,cn\=account inactivation\,cn\=accounts\,$ESCAPED_SUFFIX,cn=cosTemplates,cn=accounts,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: cosTemplate
-objectClass: extensibleobject
-nsAccountLock: True
-cosPriority: 1
-
-dn: cn=inactivated,cn=account inactivation,cn=accounts,$SUFFIX
-changetype: add
-objectclass: top
-objectclass: groupofnames
-
-dn: cn=cn\=activated\,cn\=account inactivation\,cn\=accounts\,$ESCAPED_SUFFIX,cn=cosTemplates,cn=accounts,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: cosTemplate
-objectClass: extensibleobject
-nsAccountLock: False
-cosPriority: 0
-
-dn: cn=Activated,cn=Account Inactivation,cn=accounts,$SUFFIX
-changetype: add
-objectclass: top
-objectclass: groupofnames
-
# templates for this cos definition are managed by the pwpolicy plugin
dn: cn=Password Policy,cn=accounts,$SUFFIX
changetype: add
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index f1686291c..3d9b7e6d4 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -204,7 +204,7 @@ class user(LDAPObject):
label=_('Car License'),
),
Bool('nsaccountlock?',
- label=_('Account activation status:'),
+ label=_('Account activation status'),
flags=['no_create', 'no_update', 'no_search'],
),
)
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 06a940773..f90b40564 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -904,7 +904,7 @@ class ldap2(CrudBackend, Encoder):
"""Mark entry active/inactive."""
assert isinstance(active, bool)
# get the entry in question
- (dn, entry_attrs) = self.get_entry(dn, ['nsaccountlock', 'memberof'])
+ (dn, entry_attrs) = self.get_entry(dn, ['nsaccountlock'])
# check nsAccountLock attribute
account_lock_attr = entry_attrs.get('nsaccountlock', ['false'])
@@ -915,53 +915,10 @@ class ldap2(CrudBackend, Encoder):
else:
if account_lock_attr == 'true':
raise errors.AlreadyInactive()
+ account_lock_attr = str(not active)
- # check if nsAccountLock attribute is in the entry itself
- is_member = False
- member_of_attr = entry_attrs.get('memberof', [])
- for m in member_of_attr:
- if m.find('cn=activated') >= 0 or m.find('cn=inactivated') >=0:
- is_member = True
- break
- if not is_member and entry_attrs.has_key('nsaccountlock'):
- raise errors.HasNSAccountLock()
-
- activated_filter = '(cn=activated)'
- inactivated_filter = '(cn=inactivated)'
- parent_rdn = self.get_container_rdn('accounts')
-
- # try to remove the entry from activated/inactivated group
- if active:
- entries = self.find_entries(inactivated_filter, [], parent_rdn)[0]
- else:
- entries = self.find_entries(activated_filter, [], parent_rdn)[0]
- (group_dn, group_entry_attrs) = entries[0]
- try:
- self.remove_entry_from_group(dn, group_dn)
- except errors.NotGroupMember:
- pass
-
- # add the entry to the activated/inactivated group if necessary
- if active:
- (dn, entry_attrs) = self.get_entry(dn, ['nsaccountlock'])
-
- # check if we still need to add entry to the activated group
- account_lock_attr = entry_attrs.get('nsaccountlock', ['false'])
- account_lock_attr = account_lock_attr[0].lower()
- if account_lock_attr == 'false':
- return # we don't
-
- entries = self.find_entries(activated_filter, [], parent_rdn)[0]
- else:
- entries = self.find_entries(inactivated_filter, [], parent_rdn)[0]
- (group_dn, group_entry_attrs) = entries[0]
- try:
- self.add_entry_to_group(dn, group_dn)
- except errors.EmptyModlist:
- if active:
- raise errors.AlreadyActive()
- else:
- raise errors.AlreadyInactive()
+ entry_attrs['nsaccountlock'] = account_lock_attr
+ self.update_entry(dn, entry_attrs)
def activate_entry(self, dn):
"""Mark entry active."""
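Review bot: The lock state is now written straight onto the entry at `entry_attrs['nsaccountlock'] = account_lock_attr`, but nothing visible in this commit handles accounts that were disabled through the old `cn=inactivated` group on servers that are already deployed. The bootstrap template presumably only applies to new installs, so the CoS definition and group memberships would remain after an upgrade, and a CoS-supplied nsAccountLock could then disagree with or mask the value written here. That is worth confirming, and if it holds, an update step should convert existing memberships and remove the old entries. Separately, `str(not active)` stores 'True'/'False' while the check above compares against lowercase 'true'; writing the literal explicitly, `account_lock_attr = 'false' if active else 'true'`, keeps one spelling. The function's signature and opening lines are outside this hunk.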