Overriding password policy attributes


Use this information to override password policy attributes for specific entries. A directory administrator can override normal password policy behavior for an individual entry by modifying that entry's password policy operational attributes and using the server administration control (the -k option of the LDAP command line utilities), which lets the administrator write operational attributes that the server otherwise maintains itself.

  1. You can prevent the password for a particular account from expiring by setting the pwdChangedTime attribute to a date far in the future when setting the userPassword attribute. The following example sets the time to midnight, January 1, 2200 (GeneralizedTime, UTC).
    > ldapmodify -D cn=root -w ? -k
    dn: uid=wasadmin,cn=users,o=ibm
    changetype: modify
    replace: pwdChangedTime
    pwdChangedTime: 22000101000000Z

  2. You can unlock an account which has been locked due to excessive login failures by removing the pwdAccountLockedTime and pwdFailureTime attributes (the "-" line separates the two modify operations in one change record):
    > ldapmodify -D cn=root -w ? -k
    dn: uid=user1,cn=users,o=ibm
    changetype: modify
    delete: pwdAccountLockedTime
    -
    delete: pwdFailureTime

  3. You can unlock an expired account by changing the pwdChangedTime and clearing the pwdExpirationWarned and pwdGraceUseTime attributes:
    > ldapmodify -D cn=root -w ? -k
    dn: uid=user1,cn=users,o=ibm
    changetype: modify
    replace: pwdChangedTime
    pwdChangedTime: 20040826000000Z
    -
    delete: pwdExpirationWarned
    -
    delete: pwdGraceUseTime

  4. You can clear or set the "password must be changed" status by deleting or setting the pwdReset attribute. The first example clears the status for user1; the second forces user2 to change the password at the next login:
    > ldapmodify -D cn=root -w ? -k
    dn: uid=user1,cn=users,o=ibm
    changetype: modify
    delete: pwdReset

    > ldapmodify -D cn=root -w ? -k
    dn: uid=user2,cn=users,o=ibm
    changetype: modify
    replace: pwdReset
    pwdReset: TRUE

  5. An account can be administratively locked by setting the ibm-pwdAccountLocked operational attribute to TRUE.

    The user setting this attribute must have permission to write the ibm-pwdAccountLocked attribute, which is defined as being in the CRITICAL access class.

    > ldapmodify -D uid=useradmin,cn=users,o=ibm -w ?
    dn: uid=user1,cn=users,o=ibm
    changetype: modify
    replace: ibm-pwdAccountLocked
    ibm-pwdAccountLocked: TRUE

  6. The account can be unlocked by setting the attribute to FALSE. Unlocking an account in this way does not affect the state of the account with respect to being locked due to excessive password failures or an expired password.

    The user setting this attribute must have permission to write the ibm-pwdAccountLocked attribute, which is defined as being in the CRITICAL access class.

    > ldapmodify -D uid=useradmin,cn=users,o=ibm -w ?
    dn: uid=user1,cn=users,o=ibm
    changetype: modify
    replace: ibm-pwdAccountLocked
    ibm-pwdAccountLocked: FALSE
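The six procedures above are independent overrides of separate states (administrative lock, failure lockout, expiry, and must-change), and an administrator normally wants to see which of those states an entry is actually in before overriding one. The following script is an added example and is not code from the IBM documentation or product: it decodes the password policy operational attributes of an entry (as ldapsearch would return them when the operational attributes are requested) into those four states, and generates the LDIF change records that the ldapmodify commands above feed to the server. The parser is a deliberately minimal one (no line wrapping or base64 values), the sample entry is constructed, and the pwdMaxAge value used to compute expiry is assumed to be taken from the effective password policy and is passed in as a parameter.

```python
#!/usr/bin/env python3
"""Added example (not from the IBM documentation): decode password-policy
operational attributes and build the LDIF for the overrides described above."""
from datetime import datetime, timedelta, timezone

GENTIME = "%Y%m%d%H%M%SZ"  # LDAP GeneralizedTime in UTC, the form pwdChangedTime uses


def to_gentime(dt: datetime) -> str:
    """Render a timezone-aware datetime as GeneralizedTime in UTC."""
    return dt.astimezone(timezone.utc).strftime(GENTIME)


def from_gentime(s: str) -> datetime:
    """Parse a GeneralizedTime value such as 22000101000000Z."""
    return datetime.strptime(s, GENTIME).replace(tzinfo=timezone.utc)


def _ldif(dn: str, *ops: str) -> str:
    """One LDIF modify record; '-' separates the individual modify operations."""
    return "\n".join([f"dn: {dn}", "changetype: modify", "\n-\n".join(ops)]) + "\n"


def ldif_pin_password_expiry(dn: str, when: datetime) -> str:
    """Step 1: push pwdChangedTime far into the future so the password does not expire."""
    return _ldif(dn, f"replace: pwdChangedTime\npwdChangedTime: {to_gentime(when)}")


def ldif_unlock_after_failures(dn: str) -> str:
    """Step 2: clear the lockout caused by excessive login failures."""
    return _ldif(dn, "delete: pwdAccountLockedTime", "delete: pwdFailureTime")


def ldif_unlock_expired(dn: str, changed: datetime) -> str:
    """Step 3: reset the change time and clear the warning/grace state of an expired password."""
    return _ldif(dn, f"replace: pwdChangedTime\npwdChangedTime: {to_gentime(changed)}",
                 "delete: pwdExpirationWarned", "delete: pwdGraceUseTime")


def ldif_must_change(dn: str, must_change: bool) -> str:
    """Step 4: set or clear the 'password must be changed' status."""
    if must_change:
        return _ldif(dn, "replace: pwdReset\npwdReset: TRUE")
    return _ldif(dn, "delete: pwdReset")


def ldif_admin_lock(dn: str, locked: bool) -> str:
    """Steps 5 and 6: administrative lock, independent of failure and expiry lockouts."""
    value = "TRUE" if locked else "FALSE"
    return _ldif(dn, f"replace: ibm-pwdAccountLocked\nibm-pwdAccountLocked: {value}")


def parse_entry(ldif_text: str) -> dict:
    """Minimal parser for one ldapsearch entry: attribute name -> list of values."""
    attrs = {}
    for line in ldif_text.splitlines():
        if ":" in line and not line.startswith("#"):
            name, value = line.split(":", 1)
            attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def account_state(attrs: dict, now: datetime, pwd_max_age: int) -> dict:
    """Decode the operational attributes into the independent states the overrides act on.

    pwd_max_age is the policy's maximum password age in seconds (assumed to come from
    the effective password policy); 0 means passwords do not expire."""
    changed = from_gentime(attrs["pwdChangedTime"][0]) if "pwdChangedTime" in attrs else None
    return {
        "admin_locked": attrs.get("ibm-pwdAccountLocked", ["FALSE"])[0].upper() == "TRUE",
        "locked_by_failures": "pwdAccountLockedTime" in attrs,
        "failure_count": len(attrs.get("pwdFailureTime", [])),
        "must_change": attrs.get("pwdReset", ["FALSE"])[0].upper() == "TRUE",
        "expired": bool(changed and pwd_max_age
                        and changed + timedelta(seconds=pwd_max_age) < now),
    }


# Constructed sample entry (not real server output), as ldapsearch might return it
# when the password policy operational attributes are requested explicitly.
SAMPLE_ENTRY = """\
dn: uid=user1,cn=users,o=ibm
pwdChangedTime: 20040826000000Z
pwdFailureTime: 20041101120000Z
pwdFailureTime: 20041101120005Z
pwdFailureTime: 20041101120010Z
pwdAccountLockedTime: 20041101120010Z
pwdReset: TRUE
"""

if __name__ == "__main__":
    now = datetime(2004, 12, 1, tzinfo=timezone.utc)
    print(account_state(parse_entry(SAMPLE_ENTRY), now, pwd_max_age=90 * 86400))
    # Both lockouts on this entry need separate records; a blank line separates them in LDIF.
    print(ldif_unlock_after_failures("uid=user1,cn=users,o=ibm"))
    print(ldif_unlock_expired("uid=user1,cn=users,o=ibm", now))
```

The generated records can be piped into `ldapmodify -D cn=root -w ? -k` (the -k control is still required for the operational attributes, exactly as in the commands above). Note that unlocking after failures and clearing an expired password are separate records because they are separate states: clearing pwdFailureTime does nothing about an expired pwdChangedTime, and vice versa.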


Parent topic:

Password tasks