Configuring the Directory Server
Configuring Security in the Directory Server
Managing Root User, Global Administrator, and Administrator Accounts
Working With Multiple Root Users
Root Users and the Privilege Subsystem
Managing Root Users With dsconfig
To View the Default Root User Privileges
To Edit the Default Root User Privileges
To Change a Root User's Password
To Change a Root User's Privileges
Setting Root User Resource Limits
Managing Global Administrators
Password Policies in a Replicated Environment
To View the List of Password Policies
Properties of the Default Password Policy
To View the Properties of the Default Password Policy
To Create a New Password Policy
To Create a First Login Password Policy
To Assign a Password Policy to an Individual Account
To Prevent Password Policy Modifications
To Assign a Password Policy to a Group of Users
To Change the Directory Manager's Password
To Reset and Generate a New Password for a User
Managing a User's Account Information
To View a User's Account Information
Setting Resource Limits on a User Account
To Set Resource Limits on an Account
To Create a Static Group With groupOfNames
To Create a Static Group With groupOfUniqueNames
To Create a Static Group With groupOfEntries
To List All Members of a Static Group
To List All Static Groups of Which a User Is a Member
To Determine Whether a User is a Member of a Group
To List All Members of a Dynamic Group
To List All Dynamic Groups of Which a User Is a Member
To Determine Whether a User Is a Member of a Dynamic Group
Defining Virtual Static Groups
To Create a Virtual Static Group
To List All Members of a Virtual Static Group
To List All Virtual-Static Groups of Which a User Is a Member
To Determine Whether a User is a Member of a Virtual Static Group
Maintaining Referential Integrity
Overview of the Referential Integrity Plug-In
To Enable the Referential Integrity Plug-In
Simulating DSEE Roles in an OpenDS Directory Server
To Determine Whether a User is a Member of a Role
You can use the manage-account command to display information about the user's account and any password policy that is applied to the user. You can also use this command to enable and disable a user's account. The manage-account command accesses the server over SSL via the administration port. For more information, see Managing Administration Traffic to the Server.
The manage-account command returns the DN of the password policy in effect on a user account, as well as the account status, and password and login related information
$ manage-account -D "cn=directory manager" -w password get-all \ --targetDN uid=kvaughan,ou=People,dc=example,dc=com Password Policy DN: cn=Default Password Policy,cn=Password Policies,cn=config Account Is Disabled: false Account Expiration Time: Seconds Until Account Expiration: Password Changed Time: 19700101000000.000Z Password Expiration Warned Time: Seconds Until Password Expiration: 432000 Seconds Until Password Expiration Warning: 0 Authentication Failure Times: Seconds Until Authentication Failure Unlock: Remaining Authentication Failure Count: Last Login Time: Seconds Until Idle Account Lockout: Password Is Reset: false Seconds Until Password Reset Lockout: Grace Login Use Times: Remaining Grace Login Count: 4 Password Changed by Required Time: Seconds Until Required Change Time: Password History:
For example, to view just the password history, run the following command:
$ manage-account -D "cn=directory manager" -w password get-password-history \ --targetDN "uid=kvaughan,ou=People,dc=example,dc=com"
For a complete list of subcommands, run the following command:
$ manage-account --help
You can use the manage-account command to assess whether an account is enabled or disabled.
$ manage-account -D "cn=directory manager" -w password get-account-is-disabled \ --targetDN "uid=kvaughan,ou=People,dc=example,dc=com" Account Is Disabled: false
$ manage-account -h localhost -p 4444 -D "cn=directory manager" -w password -X \ set-account-is-disabled --operationValue true \ --targetDN "uid=kvaughan,ou=People,dc=example,dc=com" Account Is Disabled: true
$ manage-account -D "cn=directory manager" -w password clear-account-is-disabled \ --targetDN "uid=kvaughan,ou=People,dc=example,dc=com" Account Is Disabled: false