Password policy operational attributes
| Attribute | Description |
|---|---|
| pwdChangedTime | Specifies the Coordinated Universal Time in Zulu format when the userPassword value was last changed, or the ibm-pwdPolicyStartTime attribute value (the start time of the effective password policy entry), whichever is later. The pwdChangedTime attribute is only updated when the user's effective password policy has either the pwdMinAge attribute or the pwdMaxAge attribute set to a value other than 0. Example: |
| pwdAccountLockedTime | Specifies the Coordinated Universal Time in Zulu format when the user's account was locked. If the user's account is not locked, this attribute is not present in the user's entry. If the user's password is reset by an LDAP root or password administrator, this attribute is automatically removed from the entry. Example: |
| pwdExpirationWarned | Specifies the Coordinated Universal Time in Zulu format of the first password expiration warning for this user. Example: |
| pwdFailureTime | A multi-valued attribute specifying the Coordinated Universal Time in Zulu format of the previous consecutive authentication failures for this user. If the pwdLockout attribute is set to true in the effective password policy entry, then the number of consecutive authentication failures by this user is limited by the pwdMaxFailure attribute value in the effective password policy entry. On a successful authentication, all pwdFailureTime attribute values are removed from the user's entry. If the pwdLockout attribute is set to false in the effective password policy entry, then consider setting pwdLockoutDuration in the effective password policy entry to avoid recording an unlimited number of pwdFailureTime values. Example: |
| pwdGraceUseTime | A multi-valued attribute specifying the Coordinated Universal Time in Zulu format of the previous grace logins for this user. The number of grace logins that are allowed for this user with an expired password is limited by the pwdGraceLoginLimit attribute value in the effective password policy entry. If grace logins are not allowed by the effective password policy, this attribute is not present in the user's entry. If the user's password is changed before the grace login limit is exceeded, all pwdGraceUseTime attribute values are removed from the user's entry. Example: |
| pwdHistory | A multi-valued attribute containing the history of previously used passwords for this user entry. The number of previous password values that are stored for this user is limited by the pwdInHistory attribute value in the effective password policy entry. When the current userPassword attribute value is changed for this user, the new value is compared against the previous password values in the history to ensure that the user does not reuse an old password value. The format for this attribute is: Where, Example: |
| pwdReset | A Boolean (true or false) indicating whether the user's password was changed or set by another user. When set to true, the password value must be changed by the user after successful authentication before the user is allowed to perform any other operations. If the userPassword value in this entry is changed by the user, this attribute is removed from the user's entry. Example: |
| ibm-pwdAccountLocked | Indicates whether the user's account has been administratively locked. When a user's account is locked, the user is unable to successfully authenticate to the server. This attribute is not present in the user's entry if the account has never been administratively locked. Example: |
By default, an LDAP root or directory data administrator can query these password policy operational attributes for user entries in a particular state. Because these attributes are operational, each attribute name or the special '+' attribute must be specified on the search request so that they are returned on the search response. If the authenticated user has access to operational attributes, the '+' attribute returns all operational attributes other than the ibm-allMembers, ibm-allGroups, ibm-entryCheckSum, ibm-entryCheckSumOp, and hasSubordinates attributes.
```shell
# Return all operational attributes (including the password policy attributes) for every entry under c=us.
ldapsearch -D adminDn -w adminPw -s sub -b "c=us" "objectclass=*" +

# Return the DNs of users whose password was last changed before 2 May 2010 00:00 UTC.
# Entries that have no pwdChangedTime value do not match: the inner filter is undefined
# for them, and the negation of an undefined filter is still undefined.
ldapsearch -D adminDn -w adminPw -s sub -b "c=us" "(!(pwdChangedTime>=20100502000000Z))" dn
```
The pwdAccountLockedTime attribute is used in a search filter to retrieve a list of candidate users that might be locked. Users are not always locked when this attribute is present in their entries because the effective password policy lockout duration might already be exceeded. This example uses the ldapsearch utility to search for all entries that have a pwdAccountLockedTime attribute value:
```shell
# Candidate locked accounts: every entry that carries a pwdAccountLockedTime value.
ldapsearch -D adminDn -w adminPw -s sub -b "c=us" "(pwdaccountlockedtime=*)" dn

# Users whose password was set by another user and who must change it at their next authentication.
ldapsearch -D adminDn -w adminPw -s sub -b "c=us" "(pwdreset=true)" dn
```
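As an added example that is not part of the IBM documentation, the following Python script parses the LDIF that such an `ldapsearch ... +` call prints and derives each user's actual state from these attributes, applying the caveat above that pwdAccountLockedTime only marks a candidate until it is compared with the lockout duration. The policy values, the sample LDIF and the reading of a pwdLockoutDuration of 0 as "locked until reset" are assumptions made for the example.

```python
# Added example, not from the IBM documentation: evaluate the password policy
# state of user entries taken from "ldapsearch ... +" LDIF output.
from datetime import datetime, timedelta, timezone

# Constructed policy values (assumption: taken from the user's effective pwdPolicy entry).
POLICY = {"pwdLockoutDuration": 1800, "pwdMaxFailure": 3, "pwdMaxAge": 90 * 86400}

# Constructed sample LDIF, as ldapsearch would print it for two users.
SAMPLE_LDIF = """\
dn: cn=alice,c=us
pwdChangedTime: 20100101120000Z
pwdAccountLockedTime: 20100502000000Z
pwdFailureTime: 20100501235800Z
pwdFailureTime: 20100501235900Z
pwdFailureTime: 20100502000000Z

dn: cn=bob,c=us
pwdChangedTime: 20100430090000Z
pwdReset: true
"""

def parse_zulu(value):  # generalized time such as 20100502000000Z -> aware datetime
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_ldif(text):  # list of entries, each {lowercased attribute: [values]}
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            entries, current = entries + ([current] if current else []), {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries + ([current] if current else [])

def account_state(entry, now, policy=POLICY):  # set of states that apply at `now`
    states = set()
    locked = entry.get("pwdaccountlockedtime")
    if locked:
        # Presence alone is only a candidate: the lock ends after pwdLockoutDuration
        # seconds (assumption: a duration of 0 means locked until an administrator resets it).
        dur = policy["pwdLockoutDuration"]
        until = parse_zulu(locked[0]) + timedelta(seconds=dur)
        states.add("locked" if dur == 0 or now < until else "lock_expired")
    if entry.get("pwdreset", [""])[0].lower() == "true":
        states.add("must_change_password")
    if len(entry.get("pwdfailuretime", [])) >= policy["pwdMaxFailure"]:
        states.add("max_failures_reached")
    changed = entry.get("pwdchangedtime")
    if changed and now >= parse_zulu(changed[0]) + timedelta(seconds=policy["pwdMaxAge"]):
        states.add("password_expired")
    return states
```

Running `account_state` over `parse_ldif(SAMPLE_LDIF)` at different times shows the same pwdAccountLockedTime value first reported as locked and later as an expired lock.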