User accounts are locked when passwords expire. When you reset the password, you unlock the account. The password can be reset by another user such as an administrator. After password reset, Directory Server unlocks the user account. Directory Server provides support for RFC 3062, LDAP Password Modify Extended Operation. The extended operation enables you to allow a directory administrator or a directory application to unlock accounts through password reset.
Be cautious when allowing use of the password modify extended operation, as shown in this procedure. Limit access to administrators and applications that you trust. Do not allow passwords to travel over the network in clear text.
You cannot use DSCC to perform this task. Use the command line, as described in this procedure.
Give users access to a password administrator or to a password administration application.
Allow the password administrator access to use the password modify extended operation.
The following commands set an ACI to allow members of a Password Managers role to use the password modify extended operation when connected over SSL:
$ cat exop.ldif dn: oid=220.127.116.11.4.1.418.104.22.168,cn=features,cn=config objectClass: top objectClass: directoryServerFeature oid: 22.214.171.124.4.1.4126.96.36.199 cn: Password Modify Extended Operation aci: (targetattr != "aci")(version 3.0; acl "Password Modify Extended Operation "; allow( read, search, compare, proxy ) (roledn = " ldap:///cn=Password Managers,dc=example,dc=com" and authmethod = "SSL");) $ ldapmodify -a -D cn=admin,cn=Administrators,cn=config -w - -f exop.ldif Enter bind password: adding new entry oid=188.8.131.52.4.1.4184.108.40.206,cn=features,cn=config $
The entry under cn=features,cn=config allows you to manage access to operations that use the password modify extended operation.
Have the password administrator reset the user password.
This step unlocks the user account, and can be completed with the ldappasswd(1) command.
(Optional) If the user must change the password, have the password administrator notify the user.
Users must change their passwords after reset if the password policy that governs their entries includes pwdMustChange: TRUE.