An LDAP root administrator or an administrator with the appropriate authority can override typical password policy behavior for specific user entries by modifying the password policy operational attributes. See Administrative group and roles for more information about administrative role authority. This section shows examples of how the effective password policy is overridden for specific users.
An LDAP administrator can prevent the password for a specific account or user from expiring by setting the pwdChangedTime attribute value to a date far in the future. This example uses the ldapmodify utility to set the password expiration time to January 1, 2200 at midnight Coordinated Universal Time.

ldapmodify -D adminDn -w adminPw
dn: cn=user1,c=us
changetype: modify
replace: pwdChangedTime
pwdChangedTime: 22000101000000Z
An LDAP administrator can unlock an account that is locked because of excessive login failures by removing the pwdAccountLockedTime and pwdFailureTime attributes from the user entry. This example uses the ldapmodify utility to perform these modifications.

ldapmodify -D adminDn -w adminPw
dn: cn=user2,c=us
changetype: modify
delete: pwdAccountLockedTime
-
delete: pwdFailureTime
An LDAP administrator can unlock an account that is locked because the password has expired by setting the pwdChangedTime attribute to the current time and removing the pwdExpirationWarned and pwdGraceUseTime attributes. The pwdChangedTime attribute value is set to the current time to prevent the user's password from expiring immediately. This example uses the ldapmodify utility to unlock or unexpire the user's account by setting the pwdChangedTime attribute to the current time of June 1, 2010 at 1:00 Coordinated Universal Time. A replace operation with no values removes the attribute.

ldapmodify -D adminDn -w adminPw
dn: cn=user3,c=us
changetype: modify
replace: pwdChangedTime
pwdChangedTime: 20100601010000Z
-
replace: pwdExpirationWarned
-
replace: pwdGraceUseTime
An LDAP administrator can bypass forcing a user to change the password value after a password reset by removing the pwdReset attribute. This example uses the ldapmodify utility to remove the pwdReset attribute.

ldapmodify -D adminDn -w adminPw
dn: cn=user4,c=us
changetype: modify
delete: pwdReset
An LDAP administrator can force a user to change their password value by setting the pwdReset attribute value to true. This example uses the ldapmodify utility to set the pwdReset attribute value to true.

ldapmodify -D adminDn -w adminPw
dn: cn=user5,c=us
changetype: modify
replace: pwdReset
pwdReset: true
An LDAP administrator can administratively lock a user's account by setting the ibm-pwdAccountLocked operational attribute to true. This prevents the user from authenticating successfully to the LDAP server. This example uses the ldapmodify utility to set the ibm-pwdAccountLocked attribute value to true.

ldapmodify -D adminDn -w adminPw
dn: cn=user6,c=us
changetype: modify
replace: ibm-pwdAccountLocked
ibm-pwdAccountLocked: true
An LDAP administrator can administratively unlock a user's account by setting the ibm-pwdAccountLocked operational attribute to false. If a user's account is unlocked in this manner, it does not affect the state of the account with respect to being locked because of excessive password failures or an expired password.

ldapmodify -D adminDn -w adminPw
dn: cn=user7,c=us
changetype: modify
replace: ibm-pwdAccountLocked
ibm-pwdAccountLocked: false
If the Server administration server control is specified (the -k option in the ldapmodify utility) when modifying the ibm-pwdAccountLocked attribute from true to false, the pwdAccountLockedTime and pwdFailureTime attribute values are also automatically removed from the user's entry. This removes both the administrative lock and the lock from excessive password failures. However, it does not affect the state of the account for an expired password.
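Because each override above is visible only as operational attribute values on the user entry, an administrator reviewing who currently carries such overrides needs to read those attributes back. The following added example (not part of the original documentation or the LDAP server product) parses an exported LDIF fragment and reports, per entry, the overrides and lock states described on this page: a pwdChangedTime in the future (never-expiring password), a failure lockout with its recorded pwdFailureTime values, an administrative lock (ibm-pwdAccountLocked), and a pending forced change (pwdReset). The LDIF entries are constructed sample data; the "now" timestamp is supplied by the caller.

```python
from datetime import datetime, timezone

# Constructed sample export (not from a real server); attribute names follow
# the password policy operational attributes described on this page.
SAMPLE_LDIF = """dn: cn=user1,c=us
pwdChangedTime: 22000101000000Z

dn: cn=user2,c=us
pwdChangedTime: 20100101000000Z
pwdAccountLockedTime: 20100115120000Z
pwdFailureTime: 20100115115900Z
pwdFailureTime: 20100115120000Z

dn: cn=user6,c=us
pwdChangedTime: 20100101000000Z
ibm-pwdAccountLocked: true
pwdReset: true
"""

def parse_gtime(value):
    # GeneralizedTime in the form used on this page: YYYYMMDDHHMMSSZ (UTC).
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_ldif(text):
    # Minimal LDIF reader: one entry per blank-line-separated block,
    # multi-valued attributes (such as pwdFailureTime) collected in lists.
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, val = line.partition(": ")
        if attr == "dn":
            current = {"dn": val}
            entries.append(current)
        else:
            current.setdefault(attr, []).append(val)
    return entries

def audit_entry(entry, now):
    findings = []
    changed = entry.get("pwdChangedTime")
    if changed and parse_gtime(changed[0]) > now:
        findings.append("never-expiring password (pwdChangedTime in the future)")
    if "pwdAccountLockedTime" in entry:
        findings.append("locked after %d recorded failures" % len(entry.get("pwdFailureTime", [])))
    if entry.get("ibm-pwdAccountLocked", ["false"])[0].lower() == "true":
        findings.append("administratively locked")
    if entry.get("pwdReset", ["false"])[0].lower() == "true":
        findings.append("password change forced on next bind")
    return findings

def audit(text, now):
    # Map each entry's DN to the list of overrides and lock states found.
    return {e["dn"]: audit_entry(e, now) for e in parse_ldif(text)}
```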