Name

manage-account — manage state of OpenDJ server accounts

Synopsis

manage-account {subcommand} {options}

Description

This utility can be used to retrieve and manipulate the values of password policy state variables.

Options

The manage-account command takes the following options:

Command options:

-b | --targetDN {targetDN}

The DN of the user entry for which to get and set password policy state information.

LDAP connection options:

-D | --bindDN {bindDN}

The DN to use to bind to the server.

-h | --hostname {host}

Directory server hostname or IP address.

Default: localhost.localdomain

-j | --bindPasswordFile {bindPasswordFile}

The path to the file containing the bind password.

-K | --keyStorePath {keyStorePath}

Certificate key store path.

-N | --certNickname {nickname}

Nickname of certificate for SSL client authentication.

-o | --saslOption {name=value}

SASL bind options.

-p | --port {port}

Directory server administration port number.

Default: 4444

-P | --trustStorePath {trustStorePath}

Certificate trust store path.

-T | --trustStorePassword {trustStorePassword}

Certificate trust store PIN.

-u | --keyStorePasswordFile {keyStorePasswordFile}

Certificate key store PIN file.

-U | --trustStorePasswordFile {path}

Certificate trust store PIN file.

-w | --bindPassword {bindPassword}

The password to use to bind to the server.

-W | --keyStorePassword {keyStorePassword}

Certificate key store PIN.

-X | --trustAll

Trust all server SSL certificates.

Default: false

Utility input/output options:

-v | --verbose

Use verbose mode.

Default: false

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Subcommands

The manage-account command supports the following subcommands:

manage-account clear-account-is-disabled

Clear account disabled state information from the user account.

manage-account get-account-expiration-time

Display when the user account will expire.

manage-account get-account-is-disabled

Display information about whether the user account has been administratively disabled.

manage-account get-all

Display all password policy state information for the user.

manage-account get-authentication-failure-times

Display the authentication failure times for the user.

manage-account get-grace-login-use-times

Display the grace login use times for the user.

manage-account get-last-login-time

Display the time that the user last authenticated to the server.

manage-account get-password-changed-by-required-time

Display the required password change time with which the user last complied.

manage-account get-password-changed-time

Display the time that the user's password was last changed.

manage-account get-password-expiration-warned-time

Display the time that the user first received an expiration warning notice.

manage-account get-password-history

Display password history state values for the user.

manage-account get-password-is-reset

Display information about whether the user will be required to change his or her password on the next successful authentication.

manage-account get-password-policy-dn

Display the DN of the password policy for the user.

manage-account get-remaining-authentication-failure-count

Display the number of remaining authentication failures until the user's account is locked.

manage-account get-remaining-grace-login-count

Display the number of grace logins remaining for the user.

manage-account get-seconds-until-account-expiration

Display the length of time in seconds until the user account expires.

manage-account get-seconds-until-authentication-failure-unlock

Display the length of time in seconds until the authentication failure lockout expires.

manage-account get-seconds-until-idle-lockout

Display the length of time in seconds until user's account is locked because it has remained idle for too long.

manage-account get-seconds-until-password-expiration

Display length of time in seconds until the user's password expires.

manage-account get-seconds-until-password-expiration-warning

Display the length of time in seconds until the user should start receiving password expiration warning notices.

manage-account get-seconds-until-password-reset-lockout

Display the length of time in seconds until user's account is locked because the user failed to change the password in a timely manner after an administrative reset.

manage-account get-seconds-until-required-change-time

Display the length of time in seconds that the user has remaining to change his or her password before the account becomes locked due to the required change time.

manage-account set-account-is-disabled

Specify whether the user account has been administratively disabled.

Options

The manage-account set-account-is-disabled command takes the following options:

-O | --operationValue {true|false}

'true' to indicate that the account is disabled, or 'false' to indicate that it is not disabled.

Exit Codes

0

The command completed successfully.

89

An error occurred while parsing the command-line arguments.

Examples

For the following examples the directory admin user, Kirsten Vaughan, has ds-privilege-name: password-reset and the following ACI on ou=People,dc=example,dc=com.

(target="ldap:///ou=People,dc=example,dc=com") (targetattr ="*||+")(
 version 3.0;acl "Admins can run amok"; allow(all) groupdn =
 "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)
 

The following command locks a user account.

$ manage-account -p 4444 -D "uid=kvaughan,ou=people,dc=example,dc=com" \
 -w bribery set-account-is-disabled -O true \
 -b uid=bjensen,ou=people,dc=example,dc=com -X
Account Is Disabled:  true
 

The following command unlocks a user account.

$ manage-account -p 4444 -D "uid=kvaughan,ou=people,dc=example,dc=com" \
 -w bribery clear-account-is-disabled \
 -b uid=bjensen,ou=people,dc=example,dc=com -X
Account Is Disabled:  false