A directory administrator can override normal password policy behavior for specific entries by modifying the password policy operational attributes and using the server administration control (-k option of the LDAP command line utilities).
You can prevent the password for a particular account from expiring by setting the pwdChangedTime attribute to a date far in the future when setting the userPassword attribute. The following example sets the time to midnight, January 1, 2200.
idsldapmodify -D cn=root -w ? -k
dn: uid=wasadmin,cn=users,o=sample
changetype: modify
replace: pwdChangedTime
pwdChangedTime: 22000101000000Z
You can unlock an account which has been locked due to excessive login failures by removing the pwdAccountLockedTime and pwdFailureTime attributes:
idsldapmodify -D cn=root -w ? -k
dn: uid=user1,cn=users,o=sample
changetype: modify
delete: pwdAccountLockedTime
-
delete: pwdFailureTime
You can unlock an expired account by changing the pwdChangedTime and clearing the pwdExpirationWarned and pwdGraceUseTime attributes:
idsldapmodify -D cn=root -w ? -k
dn: uid=user1,cn=users,o=sample
changetype: modify
replace: pwdChangedTime
pwdChangedTime: yyyymmddhhmmssZ
-
delete: pwdExpirationWarned
-
delete: pwdGraceUseTime
You can clear and then reset the "password must be changed" status by deleting and adding the pwdReset attribute:
idsldapmodify -D cn=root -w ? -k
dn: uid=user1,cn=users,o=sample
changetype: modify
delete: pwdReset

idsldapmodify -D cn=root -w ? -k
dn: uid=user2,cn=users,o=sample
changetype: modify
replace: pwdReset
pwdReset: TRUE
An account can be administratively locked by setting the ibm-pwdAccountLocked operational attribute to TRUE. The account can be unlocked by setting the attribute to FALSE. Unlocking an account in this way does not affect the state of the account with respect to being locked due to excessive password failures or an expired password.
The user setting this attribute must have permission to write the ibm-pwdAccountLocked attribute, which is defined as being in the CRITICAL access class.
idsldapmodify -D uid=useradmin,cn=users,o=sample -w ?
dn: uid=user1,cn=users,o=sample
changetype: modify
replace: ibm-pwdAccountLocked
ibm-pwdAccountLocked: TRUE
To unlock the account:
idsldapmodify -D uid=useradmin,cn=users,o=sample -w ?
dn: uid=user1,cn=users,o=sample
changetype: modify
replace: ibm-pwdAccountLocked
ibm-pwdAccountLocked: FALSE
If the account is locked because the attribute ibm-pwdAccountLocked is set to TRUE and if the administrator clears this attribute (sets it to FALSE) and uses the administrative control (-k option), then the account is completely unlocked. The pwdAccountLockedTime and pwdFailureTime attributes are also cleared and reset.
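The following is an added example, not IBM's code or part of this page. It builds the idsldapmodify command lines and the LDIF modify records described above (never-expire, unlock after failures, unlock an expired account, administrative lock) and, for an audit or help-desk script, classifies an entry's lock state from the operational attributes the page names. Assumptions that are not from the page: entry attributes arrive as a dict of attribute name to a list of string values, as an LDAP search result would give them; the policy's maximum password age (pwdMaxAge in the policy entry) is passed in as seconds; the sample entry is constructed; and the server's own policy evaluation decides the real state, this helper only mirrors the documented attributes.

```python
# Added example, not IBM's code: LDIF builders for the operations on this page
# and a classifier for an entry's password-policy lock state.
# Assumptions (not from the page): attrs is a dict of name -> list of strings;
# maximum password age is given in seconds; the server remains authoritative.
from datetime import datetime, timedelta, timezone

FAR_FUTURE = "22000101000000Z"  # midnight, 1 January 2200, as on the page


def generalized_time(dt: datetime) -> str:
    """Render an aware datetime as LDAP GeneralizedTime in UTC: yyyymmddhhmmssZ."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def parse_generalized_time(value: str) -> datetime:
    """Parse the 14-digit UTC GeneralizedTime form these attributes use."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def idsldapmodify_argv(bind_dn: str, admin_control: bool) -> list:
    """Command line as on the page: -w ? prompts for the bind password, -k sends
    the server administration control that overrides normal policy behaviour."""
    argv = ["idsldapmodify", "-D", bind_dn, "-w", "?"]
    if admin_control:
        argv.append("-k")
    return argv


def ldif_modify(dn: str, changes: list) -> str:
    """Render one 'changetype: modify' record. changes is a list of
    (op, attribute, values) with op in replace/add/delete; an empty value list
    means the whole attribute. Every mod-spec is closed with '-' as RFC 2849
    requires (the page omits the trailing '-' on the last spec; both are accepted)."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for op, attr, values in changes:
        lines.append(f"{op}: {attr}")
        lines.extend(f"{attr}: {v}" for v in values)
        lines.append("-")
    return "\n".join(lines) + "\n"


def never_expire_ldif(dn: str) -> str:
    return ldif_modify(dn, [("replace", "pwdChangedTime", [FAR_FUTURE])])


def unlock_failures_ldif(dn: str) -> str:
    return ldif_modify(dn, [("delete", "pwdAccountLockedTime", []),
                            ("delete", "pwdFailureTime", [])])


def unlock_expired_ldif(dn: str, now: datetime) -> str:
    return ldif_modify(dn, [("replace", "pwdChangedTime", [generalized_time(now)]),
                            ("delete", "pwdExpirationWarned", []),
                            ("delete", "pwdGraceUseTime", [])])


def admin_lock_ldif(dn: str, locked: bool) -> str:
    value = "TRUE" if locked else "FALSE"
    return ldif_modify(dn, [("replace", "ibm-pwdAccountLocked", [value])])


def account_state(attrs: dict, now: datetime, pwd_max_age_seconds: int) -> set:
    """Return which of the page's lock conditions an entry currently shows."""
    def flag(name):
        values = attrs.get(name) or [""]
        return values[0].upper() == "TRUE"
    state = set()
    if flag("ibm-pwdAccountLocked"):            # administrative lock
        state.add("admin-locked")
    if attrs.get("pwdAccountLockedTime"):        # set after excessive failures
        state.add("failure-locked")
    if flag("pwdReset"):                         # password must be changed
        state.add("must-change")
    changed = attrs.get("pwdChangedTime")
    if changed and pwd_max_age_seconds > 0:      # age check is an assumption here
        if parse_generalized_time(changed[0]) + timedelta(seconds=pwd_max_age_seconds) < now:
            state.add("expired")
    return state


# Constructed sample entry and reference time, not a real directory export.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_ENTRY = {
    "ibm-pwdAccountLocked": ["FALSE"],
    "pwdAccountLockedTime": ["20240301120000Z"],
    "pwdFailureTime": ["20240301115800Z", "20240301115930Z", "20240301120000Z"],
    "pwdChangedTime": ["20230101000000Z"],
    "pwdReset": ["TRUE"],
}

if __name__ == "__main__":
    dn = "uid=user1,cn=users,o=sample"
    print(sorted(account_state(SAMPLE_ENTRY, SAMPLE_NOW, 90 * 24 * 3600)))
    print(" ".join(idsldapmodify_argv("cn=root", admin_control=True)))
    print(unlock_failures_ldif(dn))
```

The LDIF each builder returns is what you would feed to the idsldapmodify command line from idsldapmodify_argv; pass admin_control=True for the operations the page performs with -k (clearing lock and expiry attributes as cn=root) and False for the ibm-pwdAccountLocked change, which needs only write permission on that attribute.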