manage-account subcommands options
The manage-account command manages user account information, primarily related to password policy state details. The command interacts with the Password Policy State extended operation, which returns account, login, and password information for a user. Although the Password Policy State extended operation allows multiple operations per use, the manage-account command can run only one operation at a time. Users must have the password-reset privilege to use the Password Policy State extended operation.
Note that all time values are returned in generalized time format. All duration values are returned in seconds.
The manage-account command connects to the server over SSL via the administration connector (described in Managing Administration Traffic to the Server in Sun OpenDS Standard Edition 2.0 Administration Guide).
Clear the disabled state for the user account. This will have the effect of enabling the account if it is disabled.
Return the account expiration time.
Return the disabled state for the user account.
Return all Password Policy State information for the user account.
Return the authentication failure times for the user account.
Return the grace login use times for the user account.
Return the last login time for the user.
Return the password changed by the required time for the user.
Return the time the password was last changed.
Return the time the user was first warned about an upcoming password expiration.
Return the password history for the user account.
Return the password reset state for the user, which indicates whether the user will be forced to change his password on the next login.
Return the DN of the password policy for a given user.
Return the number of remaining authentication failures for the user before the user's account is locked.
Return the number of remaining grace logins for the user.
Return the length of time before the account expires.
Return the length of time before the user's account is automatically unlocked.
Return the length of time before the account is idle-locked.
Return the length of time before the password expires.
Return the length of time before the user is first warned about an upcoming password expiration.
Return the length of time before the password reset lockout occurs.
Return the length of time before the user is required to change his password due to the required change time.
Disable the account. Required suboption:
--operationValue true/false. If set to TRUE, disable the user. If set to FALSE, enable the user.
The manage-account command accepts an option in either its short form (for example, -b targetDN) or its long form equivalent (for example, --targetDN targetDN).
Specify the DN of the user entry for which to get and set password policy state information.
The manage-account command contacts the directory server over SSL via the administration connector. These connection options are used to contact the directory server.
Use the bind DN to authenticate to the directory server. This option is used when performing simple authentication and is not required if SASL authentication is to be used. The default value for this option is cn=Directory Manager.
Contact the directory server on the specified hostname or IP address. If this option is not provided, a default of localhost is used.
Use the bind password in the specified file when authenticating to the directory server. This option must not be used in conjunction with --bindPassword.
Use the client keystore certificate in the specified path.
Use the specified certificate for client authentication.
Use the specified options for SASL authentication.
Contact the directory server at the specified administration port. If this option is not provided, a default administration port of 4444 is used.
Use the client trust store certificate in the specified path. This option is not needed if --trustAll is used, although a trust store should be used when working in a production environment.
Use the password needed to access the certificates in the client trust store. This option is only required if --trustStorePath is used and the specified trust store requires a password in order to access its contents (which most trust stores do not require). This option must not be used in conjunction with --trustStorePasswordFile.
Use the password in the specified file to access the certificates in the client keystore. This option is only required if --keyStorePath is used. This option must not be used in conjunction with --keyStorePassword.
Use the password in the specified file to access the certificates in the client trust store. This option is only required if --trustStorePath is used and the specified trust store requires a password in order to access its contents (most trust stores do not require this). This option must not be used in conjunction with --trustStorePassword.
Use the bind password when authenticating to the directory server. This option can be used for simple authentication as well as password-based SASL mechanisms. This option must not be used in conjunction with --bindPasswordFile. To prompt for the password, type -w -.
Use the password needed to access the certificates in the client keystore. This option is only required if --keyStorePath is used. This option must not be used in conjunction with --keyStorePasswordFile.
Trust all server SSL certificates that the directory server presents. This option can be used for convenience and testing purposes, but for security reasons a trust store should be used to determine whether the client should accept the server certificate.
Display command-line usage information for the utility and exit without making any attempt to run the command.
Display the version information for the directory server.
The following examples show how to use the directory server commands. You can use the commands on any UNIX, Linux, or Windows system that has at least the Java SE 5 (at least Sun version 1.5.0_08, preferably the latest version of Java SE 6) runtime environment installed on its target system.
The following command returns the password policy state information for a user:
$ manage-account get-all -h localhost -p 4444 -D "cn=Directory Manager" \
  -w password -X -b "uid=scarter,ou=People,dc=example,dc=com"
Password Policy DN: cn=Default Password Policy,cn=Password Policies,cn=config
Account Is Disabled: false
Account Expiration Time:
Seconds Until Account Expiration:
Password Changed Time: 19700101000000.000Z
Password Expiration Warned Time:
Seconds Until Password Expiration:
Seconds Until Password Expiration Warning:
Authentication Failure Times:
Seconds Until Authentication Failure Unlock:
Remaining Authentication Failure Count:
Last Login Time:
Seconds Until Idle Account Lockout:
Password Is Reset: false
Seconds Until Password Reset Lockout:
Grace Login Use Times:
Remaining Grace Login Count: 0
Password Changed by Required Time:
Seconds Until Required Change Time:
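The get-all output above is a flat list of "Label: value" lines, many of them empty, so it can be screened mechanically. The following is an added example, not part of the original page or the OpenDS distribution: the function names, finding names, default warning window and sample input are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: turn the "Label: value" lines printed by
# `manage-account get-all` into one finding per line.
# Finding names and the 7-day default warning window are assumptions.

# pps_audit [WARN_SECONDS] reads get-all output on stdin.
pps_audit() {
    awk -v warn="${1:-604800}" '
    {
        i = index($0, ":")              # labels shown on this page contain no colon
        if (i == 0) next
        val = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        f[substr($0, 1, i - 1)] = val   # empty value = nothing reported for this user
    }
    END {
        if (f["Account Is Disabled"] == "true") print "DISABLED"
        if (f["Password Is Reset"] == "true")   print "MUST_CHANGE_PASSWORD"
        v = f["Seconds Until Password Expiration"]
        if (v != "" && v + 0 <= warn + 0) print "PASSWORD_EXPIRES_SOON " v
        v = f["Remaining Authentication Failure Count"]
        if (v != "" && v + 0 <= 1) print "NEAR_LOCKOUT " v
        # Assumption: an unlock countdown is only reported for a locked account.
        v = f["Seconds Until Authentication Failure Unlock"]
        if (v != "") print "LOCKED " v
    }'
}

# Constructed sample (not real server output): expiring password, one attempt left.
pps_sample() {
    cat <<'EOF'
Password Policy DN: cn=Default Password Policy,cn=Password Policies,cn=config
Account Is Disabled: false
Account Expiration Time:
Seconds Until Password Expiration: 3600
Authentication Failure Times: 20240101101500.000Z
Seconds Until Authentication Failure Unlock:
Remaining Authentication Failure Count: 1
Password Is Reset: true
EOF
}

pps_sample | pps_audit
```

Against a live server, pipe the output of a get-all call into pps_audit. Fields with empty values produce no finding.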
The following command disables the account of user uid=scarter:
$ manage-account set-account-is-disabled --operationValue true \
  -h localhost -p 4444 -D "cn=Directory Manager" -w password -X \
  -b "uid=scarter,ou=People,dc=example,dc=com"
Account Is Disabled: true
The following command re-enables a user's disabled account:
$ manage-account clear-account-is-disabled \
  -h localhost -p 4444 -D "cn=Directory Manager" -w password -X \
  -b "uid=scarter,ou=People,dc=example,dc=com"
Account Is Disabled: false
An exit code of 0 indicates that the operation completed successfully. A nonzero exit code indicates that an error occurred during processing.
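The examples above pass the bind password with -w, which leaves it in the process list and shell history, and accept any server certificate with -X. The following wrapper is an added example, not part of the original page or the OpenDS distribution: it uses the documented --bindPasswordFile and --trustStorePath options instead, and the variable names, default paths and refusal code 2 are assumptions.

```shell
#!/bin/sh
# Added example: run a manage-account subcommand with --bindPasswordFile and
# --trustStorePath in place of -w and -X. The variables below and their
# default values are assumptions; adjust them to the local installation.

MANAGE_ACCOUNT=${MANAGE_ACCOUNT:-install-dir/bin/manage-account}
PW_FILE=${PW_FILE:-$HOME/.opends/bind.pw}
TRUST_STORE=${TRUST_STORE:-$HOME/.opends/truststore}
DS_HOST=${DS_HOST:-localhost}
DS_PORT=${DS_PORT:-4444}
DS_BIND_DN=${DS_BIND_DN:-cn=Directory Manager}

# private_file PATH: succeed only for a regular file with no group/other access.
private_file() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c5-10)    # group and other permission bits
    [ "$mode" = "------" ]
}

# safe_manage_account SUBCOMMAND TARGET_DN [extra arguments...]
# Returns the exit code of manage-account (0 = success), or 2 if it refuses to run.
safe_manage_account() {
    sub=$1; dn=$2; shift 2
    if ! private_file "$PW_FILE"; then
        echo "refusing: $PW_FILE is missing or accessible to group/other" >&2
        return 2
    fi
    if [ ! -r "$TRUST_STORE" ]; then
        echo "refusing: trust store $TRUST_STORE is not readable" >&2
        return 2
    fi
    "$MANAGE_ACCOUNT" "$sub" -h "$DS_HOST" -p "$DS_PORT" -D "$DS_BIND_DN" \
        --bindPasswordFile "$PW_FILE" --trustStorePath "$TRUST_STORE" \
        --targetDN "$dn" "$@"
}

# Usage:
#   safe_manage_account get-all "uid=scarter,ou=People,dc=example,dc=com"
#   safe_manage_account set-account-is-disabled \
#       "uid=scarter,ou=People,dc=example,dc=com" --operationValue true
```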
UNIX and Linux: install-dir/bin/manage-account
Windows: install-dir\bat\manage-account.bat