Name
manage-account — manage state of directory server accounts
Synopsis
manage-account {options} subcommand
Description
This utility can be used to retrieve and manipulate the values of password policy state variables.
Subcommands
The following subcommands are supported.
- manage-account clear-account-is-disabled
  Clear account disabled state information from the user account
- manage-account get-account-expiration-time
  Display when the user account will expire
- manage-account get-account-is-disabled
  Display information about whether the user account has been administratively disabled
- manage-account get-all
  Display all password policy state information for the user
- manage-account get-authentication-failure-times
  Display the authentication failure times for the user
- manage-account get-grace-login-use-times
  Display the grace login use times for the user
- manage-account get-last-login-time
  Display the time that the user last authenticated to the server
- manage-account get-password-changed-by-required-time
  Display the required password change time with which the user last complied
- manage-account get-password-changed-time
  Display the time that the user's password was last changed
- manage-account get-password-expiration-warned-time
  Display the time that the user first received an expiration warning notice
- manage-account get-password-history
  Display password history state values for the user
- manage-account get-password-is-reset
  Display information about whether the user will be required to change his or her password on the next successful authentication
- manage-account get-password-policy-dn
  Display the DN of the password policy for the user
- manage-account get-remaining-authentication-failure-count
  Display the number of remaining authentication failures until the user's account is locked
- manage-account get-remaining-grace-login-count
  Display the number of grace logins remaining for the user
- manage-account get-seconds-until-account-expiration
  Display the length of time in seconds until the user account expires
- manage-account get-seconds-until-authentication-failure-unlock
  Display the length of time in seconds until the authentication failure lockout expires
- manage-account get-seconds-until-idle-lockout
  Display the length of time in seconds until the user's account is locked because it has remained idle for too long
- manage-account get-seconds-until-password-expiration
  Display the length of time in seconds until the user's password expires
- manage-account get-seconds-until-password-expiration-warning
  Display the length of time in seconds until the user should start receiving password expiration warning notices
- manage-account get-seconds-until-password-reset-lockout
  Display the length of time in seconds until the user's account is locked because the user failed to change the password in a timely manner after an administrative reset
- manage-account get-seconds-until-required-change-time
  Display the length of time in seconds that the user has remaining to change his or her password before the account becomes locked due to the required change time
- manage-account set-account-is-disabled
  Specify whether the user account has been administratively disabled
Global Options
The following global options are supported.
-b, --targetDN {targetDN}
  The DN of the user entry for which to get and set password policy state information
LDAP Connection Options
-D, --bindDN {bindDN}
  DN to use to bind to the server
  Default value: cn=Directory Manager
-h, --hostname {host}
  Directory server hostname or IP address
  Default value: localhost.localdomain
-j, --bindPasswordFile {bindPasswordFile}
  Bind password file
-K, --keyStorePath {keyStorePath}
  Certificate key store path
-N, --certNickname {nickname}
  Nickname of certificate for SSL client authentication
-o, --saslOption {name=value}
  SASL bind options
-p, --port {port}
  Directory server administration port number
  Default value: 4444
-P, --trustStorePath {trustStorePath}
  Certificate trust store path
-T, --trustStorePassword {trustStorePassword}
  Certificate trust store PIN
-u, --keyStorePasswordFile {keyStorePasswordFile}
  Certificate key store PIN file
-U, --trustStorePasswordFile {path}
  Certificate trust store PIN file
-w, --bindPassword {bindPassword}
  Password to use to bind to the server
  Use -w - to have the command prompt for the password, rather than enter the password on the command line.
-W, --keyStorePassword {keyStorePassword}
  Certificate key store PIN
-X, --trustAll
  Trust all server SSL certificates
Exit Codes
- 0
  The command completed successfully.
- 89
  An error occurred while parsing the command-line arguments.
Examples
For the following examples, the directory admin user, Kirsten Vaughan,
has ds-privilege-name: password-reset, and the following
ACI on ou=People,dc=example,dc=com.
(target="ldap:///ou=People,dc=example,dc=com") (targetattr ="*||+")( version 3.0;acl "Admins can run amok"; allow(all) groupdn = "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)
The following command locks a user account.
$ manage-account -p 4444 -D "uid=kvaughan,ou=people,dc=example,dc=com" -w bribery set-account-is-disabled -O true -b uid=bjensen,ou=people,dc=example,dc=com -X
Account Is Disabled: true
The following command unlocks a user account.
$ manage-account -p 4444 -D "uid=kvaughan,ou=people,dc=example,dc=com" -w bribery clear-account-is-disabled -b uid=bjensen,ou=people,dc=example,dc=com -X
Account Is Disabled: false
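The same lock and unlock operations with the bind password read from a file (-j) and the server certificate checked against a trust store (-P, -U), in place of a literal -w password and -X. This is an added example, not part of the original reference page; the function names, the DRY_RUN variable and all file paths are assumptions, while the options are the ones listed under LDAP Connection Options.

```shell
#!/bin/sh
# Added example, not from the reference page. Function names, DRY_RUN and
# all file paths are assumptions; the options are the ones documented above.

# True only if $1 is a regular file with no group/other permission bits.
is_private_file() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# $1=disable|enable  $2=target DN  $3=bind DN
# $4=bind password file  $5=trust store path  $6=trust store PIN file
manage_account_state() {
    action=$1; target=$2; bind_dn=$3; pw_file=$4; ts_path=$5; ts_pin=$6
    case "$action" in
        disable|enable) ;;
        *) echo "action must be disable or enable" >&2; return 2 ;;
    esac
    for f in "$pw_file" "$ts_pin"; do
        if ! is_private_file "$f"; then
            echo "refusing: $f is missing or accessible to group/other" >&2
            return 1
        fi
    done
    [ -r "$ts_path" ] || { echo "cannot read trust store $ts_path" >&2; return 1; }

    # -j replaces "-w <password>"; -P/-U replace -X (trust all certificates).
    set -- -p 4444 -D "$bind_dn" -j "$pw_file" -P "$ts_path" -U "$ts_pin"
    if [ "$action" = disable ]; then
        set -- "$@" set-account-is-disabled -O true
    else
        set -- "$@" clear-account-is-disabled
    fi
    set -- "$@" -b "$target"

    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' manage-account "$@"   # one argument per line
    else
        manage-account "$@"
    fi
}

# Usage (constructed paths):
#   manage_account_state disable "uid=bjensen,ou=people,dc=example,dc=com" \
#       "uid=kvaughan,ou=people,dc=example,dc=com" \
#       /secure/kvaughan.pw /secure/truststore /secure/truststore.pin
```

Setting DRY_RUN=1 prints the argument list instead of contacting the server, which is useful for reviewing what will be run.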

