An LDAP root administrator or an administrator with the appropriate authority can override typical password policy behavior for specific user entries by modifying the password policy operational attributes. See Administrative group and roles for more information about administrative role authority. This section shows examples of how the effective password policy is overridden for specific users.
An LDAP administrator can prevent the password for a specific account or user from expiring by setting the pwdChangedTime attribute value to a date far in the future. This example uses the ldapmodify utility to set the password expiration time to January 1, 2200 at midnight Coordinated Universal Time.
ldapmodify -D adminDn -w adminPw
dn: cn=user1,c=us
changetype: modify
replace: pwdChangedTime
pwdChangedTime: 22000101000000Z
An LDAP administrator can unlock an account that is locked because of excessive login failures by removing the pwdAccountLockedTime and pwdFailureTime attributes from the user entry. This example uses the ldapmodify utility to perform these modifications.
ldapmodify -D adminDn -w adminPw
dn: cn=user2,c=us
changetype: modify
delete: pwdAccountLockedTime
-
delete: pwdFailureTime
An LDAP administrator can unlock an account that is locked because the password has expired by setting the pwdChangedTime attribute to the current time and removing the pwdExpirationWarned and pwdGraceUseTime attributes. The pwdChangedTime attribute value is set to the current time to prevent the user's password from expiring again immediately. This example uses the ldapmodify utility to unlock or unexpire the user's account by setting the pwdChangedTime attribute to the current time of June 1, 2010 at 1:00 Coordinated Universal Time.
ldapmodify -D adminDn -w adminPw
dn: cn=user3,c=us
changetype: modify
replace: pwdChangedTime
pwdChangedTime: 20100601010000Z
-
replace: pwdExpirationWarned
-
replace: pwdGraceUseTime
An LDAP administrator can bypass forcing a user to change the password after a password reset by removing the pwdReset attribute. This example uses the ldapmodify utility to remove the pwdReset attribute.
ldapmodify -D adminDn -w adminPw
dn: cn=user4,c=us
changetype: modify
delete: pwdReset
An LDAP administrator can force a user to change their password by setting the pwdReset attribute value to true. This example uses the ldapmodify utility to set the pwdReset attribute value to true.
ldapmodify -D adminDn -w adminPw
dn: cn=user5,c=us
changetype: modify
replace: pwdReset
pwdReset: true
An LDAP administrator can administratively lock a user's account by setting the ibm-pwdAccountLocked operational attribute to true. This prevents the user from authenticating successfully to the LDAP server. This example uses the ldapmodify utility to set the ibm-pwdAccountLocked attribute value to true.
ldapmodify -D adminDn -w adminPw
dn: cn=user6,c=us
changetype: modify
replace: ibm-pwdAccountLocked
ibm-pwdAccountLocked: true
An LDAP administrator can administratively unlock a user's account by setting the ibm-pwdAccountLocked operational attribute to false. Unlocking an account in this manner does not affect the state of the account with respect to being locked because of excessive password failures or an expired password.
ldapmodify -D adminDn -w adminPw
dn: cn=user7,c=us
changetype: modify
replace: ibm-pwdAccountLocked
ibm-pwdAccountLocked: false
If the Server administration server control is specified (the -k option in the ldapmodify utility) when modifying the ibm-pwdAccountLocked attribute from true to false, the pwdAccountLockedTime and pwdFailureTime attribute values are also automatically removed from the user's entry. This removes both the administrative lock and the lock from excessive password failures. However, it does not affect the state of the account with respect to an expired password.