Oracle Fusion Middleware Administration Guide for Oracle Directory Server Enterprise Edition

Manually Locking Accounts

Directory Server allows you to configure password policy to force the lockout of accounts after a specified number of failed bind attempts. See Policy for Account Lockout for details. This section covers manual account locking and activation tools that the Directory Manager can use.

The Directory Manager can manage account lockout without using the lockout duration timer. The locked account remains locked until the account is explicitly activated. The Directory Manager can also render certain accounts inactive for an indefinite period of time.

This section shows how to check account status, render accounts inactive, and reactivate accounts.

To Check Account Status

Check account status as shown here.


Note –

You must bind as the Directory Manager.


You cannot use DSCC to perform this task. Use the command line, as described in this procedure.

  1. Use the dsutil account-status command to check the status of the account or role.

    The following command checks Barbara Jensen's account status:


    $ dsutil account-status -p port-number -w pwd.txt \
    uid=bjensen,ou=people,dc=example,dc=com
    
    uid=bjensen,ou=people,dc=example,dc=com activated.

    See the dsutil(1M) man page for details.

To Render Accounts Inactive

Render an account or a role inactive as shown here.


Note –

You must bind as the Directory Manager.


You cannot use DSCC to perform this task. Use the command line, as described in this procedure.

  1. Use the dsutil account-inactivate command to render the account or role inactive.

    The following command renders Barbara Jensen's account inactive:


    $ dsutil account-inactivate -p port-number -w pwd.txt \
    uid=bjensen,ou=people,dc=example,dc=com
    
    uid=bjensen,ou=people,dc=example,dc=com inactivated.
    $

    See the dsutil(1M) man page for details.

To Reactivate Accounts

Unlock an account or a role as shown here.


Note –

You must bind as the Directory Manager.


You cannot use DSCC to perform this task. Use the command line, as described in this procedure.

  1. Use the dsutil account-activate command to reactivate the account or role.

    The following command renders Barbara Jensen's account active again:


    $ dsutil account-activate -p port-number -w pwd.txt \
    uid=bjensen,ou=people,dc=example,dc=com
    
    uid=bjensen,ou=people,dc=example,dc=com activated.

    See the dsutil(1M) man page for details.
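The following script is an added example, not part of the Oracle guide: it checks a list of DNs that were meant to be disabled and reports any that dsutil account-status does not confirm as inactivated. It assumes the status lines end exactly as in the sample output in this section; `DS_PORT`, `DS_PWFILE` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Oracle's code): confirm that accounts which should be
# disabled really report "inactivated".
# Assumptions: dsutil is on PATH; DS_PORT and DS_PWFILE are hypothetical
# variable names for the -p and -w values; status lines end in
# " activated." or " inactivated." as in the sample output above.

# classify_status LINE -> active | inactive | unknown
# "inactivated." contains "activated.", so a bare substring match on
# "activated" would report a disabled account as enabled. Match the whole
# final word, and treat anything else (bind errors, no output) as unknown.
classify_status() {
    case "$1" in
        *" inactivated.") echo inactive ;;
        *" activated.")   echo active ;;
        *)                echo unknown ;;
    esac
}

# status_of DN -> last non-empty line printed by dsutil account-status.
# stdin is redirected so dsutil cannot swallow the DN list being read below.
status_of() {
    dsutil account-status -p "$DS_PORT" -w "$DS_PWFILE" "$1" </dev/null 2>&1 |
        sed '/^[[:space:]]*$/d' | tail -n 1
}

# audit_inactive: reads one DN per line on stdin, prints "STATE<TAB>DN" for
# every entry that is not confirmed inactive, returns 1 if any were found.
audit_inactive() {
    audit_rc=0
    while IFS= read -r dn; do
        [ -n "$dn" ] || continue
        state=$(classify_status "$(status_of "$dn")")
        if [ "$state" != inactive ]; then
            printf '%s\t%s\n' "$state" "$dn"
            audit_rc=1
        fi
    done
    return "$audit_rc"
}

# Constructed sample lines, in the format shown in this section.
for line in "uid=bjensen,ou=people,dc=example,dc=com activated." \
            "uid=bjensen,ou=people,dc=example,dc=com inactivated."; do
    printf '%s => %s\n' "$line" "$(classify_status "$line")"
done
```

Feed `audit_inactive` one DN per line on standard input; a non-zero return means at least one entry is still active or could not be checked.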