Overriding password policy and unlocking accounts

z/OS IBM Tivoli Directory Server Administration and Use for z/OS, SC23-6788-00
An LDAP root administrator, or an administrator with the appropriate authority, can override the normal password policy behavior for specific user entries by modifying the password policy operational attributes of those entries. See Administrative group and roles for more information about administrative role authority. This section shows examples of how the effective password policy is overridden for specific users.

An LDAP administrator can prevent the password for a specific account or user from expiring by setting the pwdChangedTime attribute value to a date far in the future. This example uses the ldapmodify utility to set the password expiration time to January 1, 2200 at midnight Coordinated Universal Time.

An LDAP administrator can unlock an account that is locked because of excessive login failures by removing the pwdAccountLockedTime and pwdFailureTime attributes from the user entry. This example uses the ldapmodify utility to perform these modifications.

An LDAP administrator can unlock an account whose password has expired by setting the pwdChangedTime attribute to the current time and removing the pwdExpirationWarned and pwdGraceUseTime attributes. The pwdChangedTime attribute value is set to the current time so that the user's password does not expire again immediately. This example uses the ldapmodify utility to unlock or unexpire the user's account by setting the pwdChangedTime attribute to the current time of June 1, 2010 at 1:00 Coordinated Universal Time.

An LDAP administrator can bypass forcing a user to change the password value after a password reset by removing the pwdReset attribute. This example uses the ldapmodify utility to remove the pwdReset attribute.

An LDAP administrator can force a user to change their password value by setting the pwdReset attribute value to true. This example uses the ldapmodify utility to set the pwdReset attribute value to true.

An LDAP administrator can administratively lock a user's account by setting the ibm-pwdAccountLocked operational attribute to true. This prevents the user from authenticating successfully to the LDAP server. This example uses the ldapmodify utility to set the ibm-pwdAccountLocked attribute value to true.

An LDAP administrator can administratively unlock a user's account by setting the ibm-pwdAccountLocked operational attribute to false. Unlocking an account in this manner does not affect the state of the account with respect to being locked because of excessive password failures or an expired password.

If the Server administration server control is specified (the -k option in the ldapmodify utility) when modifying the ibm-pwdAccountLocked attribute from true to false, the pwdAccountLockedTime and pwdFailureTime attribute values are also automatically removed from the user's entry. This removes both the administrative lock and the lock from excessive password failures. However, it does not affect the state of the account for an expired password.
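As an added example that is not the IBM documentation's own code, the following POSIX shell script builds the LDIF change records for each of the overrides described above (non-expiring password, unlocking after login failures, unexpiring a password, clearing and setting pwdReset, and setting or clearing ibm-pwdAccountLocked) and pipes them into ldapmodify. The host, port, bind DN, the constructed sample user cn=jsmith,o=example, and the DRY_RUN switch are assumptions; the -k option is taken from the text above, and -h, -p, -D and -w are the standard ldapmodify connection and bind options. Timestamps are validated as LDAP GeneralizedTime in UTC before they are written, since a malformed pwdChangedTime would either be rejected or silently misrepresent the expiration date.

```shell
#!/bin/sh
# Added example, not from the IBM documentation. Values below are placeholders.
LDAP_HOST="${LDAP_HOST:-ldap.example.com}"   # placeholder directory host
LDAP_PORT="${LDAP_PORT:-389}"
ADMIN_DN="${ADMIN_DN:-cn=admin}"             # placeholder LDAP administrator DN
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print what would run, do not connect

# The pwd* timestamp attributes use LDAP GeneralizedTime in UTC: YYYYMMDDHHMMSSZ.
now_generalized_time() { date -u +%Y%m%d%H%M%SZ; }

# Accept only a 14-digit UTC GeneralizedTime with a trailing Z.
is_generalized_time() {
    case "$1" in
        [0-9][0-9][0-9][0-9][0-1][0-9][0-3][0-9][0-2][0-9][0-5][0-9][0-5][0-9]Z) return 0 ;;
        *) return 1 ;;
    esac
}

# 1. Keep a password from expiring: push pwdChangedTime far into the future
#    (default is January 1, 2200 at midnight UTC, as in the text).
never_expire_ldif() {
    ts="${2:-22000101000000Z}"
    is_generalized_time "$ts" || { echo "bad GeneralizedTime: $ts" >&2; return 1; }
    printf 'dn: %s\nchangetype: modify\nreplace: pwdChangedTime\npwdChangedTime: %s\n' "$1" "$ts"
}

# 2. Clear a lock caused by excessive login failures.
unlock_failures_ldif() {
    printf 'dn: %s\nchangetype: modify\ndelete: pwdAccountLockedTime\n-\ndelete: pwdFailureTime\n' "$1"
}

# 3. Unexpire a password: set pwdChangedTime to now so it does not expire again
#    immediately, and drop the warning and grace-login bookkeeping attributes.
unexpire_ldif() {
    ts="${2:-$(now_generalized_time)}"
    is_generalized_time "$ts" || { echo "bad GeneralizedTime: $ts" >&2; return 1; }
    printf 'dn: %s\nchangetype: modify\nreplace: pwdChangedTime\npwdChangedTime: %s\n-\ndelete: pwdExpirationWarned\n-\ndelete: pwdGraceUseTime\n' "$1" "$ts"
}

# 4. Do not force a password change after an administrative reset.
clear_reset_ldif() {
    printf 'dn: %s\nchangetype: modify\ndelete: pwdReset\n' "$1"
}

# 5. and 6. Replace a boolean operational attribute: pwdReset (force a change)
#    or ibm-pwdAccountLocked (administrative lock). Third argument: true|false.
set_flag_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: %s\n%s: %s\n' "$1" "$2" "$2" "$3"
}
force_change_ldif() { set_flag_ldif "$1" pwdReset true; }
admin_lock_ldif()   { set_flag_ldif "$1" ibm-pwdAccountLocked "$2"; }

# Feed one LDIF record to ldapmodify. Extra arguments (for example -k, the
# Server administration control) are passed through to ldapmodify.
apply_ldif() {
    ldif="$1"; shift
    if [ "$DRY_RUN" = 1 ]; then
        printf '# would run: ldapmodify -h %s -p %s -D %s -w *** %s\n%s\n' \
            "$LDAP_HOST" "$LDAP_PORT" "$ADMIN_DN" "$*" "$ldif"
    else
        printf '%s\n' "$ldif" | ldapmodify -h "$LDAP_HOST" -p "$LDAP_PORT" \
            -D "$ADMIN_DN" -w "$ADMIN_PW" "$@"
    fi
}

USER_DN="cn=jsmith,o=example"   # constructed sample entry
apply_ldif "$(never_expire_ldif "$USER_DN")"
apply_ldif "$(unlock_failures_ldif "$USER_DN")"
apply_ldif "$(unexpire_ldif "$USER_DN")"
apply_ldif "$(clear_reset_ldif "$USER_DN")"
apply_ldif "$(force_change_ldif "$USER_DN")"
apply_ldif "$(admin_lock_ldif "$USER_DN" true)"
apply_ldif "$(admin_lock_ldif "$USER_DN" false)" -k
```

Run with DRY_RUN=0 and ADMIN_PW set to apply the changes against a real server. Each record is a single modify operation, so under standard LDAP semantics it is applied atomically: if one of the delete steps names an attribute the entry does not have, the whole record is rejected rather than partially applied, which is why it pays to ldapsearch the entry's pwd* attributes first and issue only the deletes that apply.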
Copyright IBM Corporation 1990, 2014