Assigning the manage-account access privileges to non-root users
Assign access rights to the non-root admin user.
About this task
Non-root users, such as uid=admin, that hold admin privileges still require access control permission to interact with certain password policy operational attributes when using the manage-account tool.
For example, the presence of the ds-pwp-account-disabled operational attribute in an entry indicates that the account is disabled. If the non-root admin user does not have the access privilege to read or interact with the ds-pwp-account-disabled operational attribute, the manage-account tool might report that the account is active. An account is considered active if the ds-pwp-account-disabled operational attribute does not exist in the entry or if the admin user does not have permission to see it.
Steps
- Create a non-root user admin account, such as uid=admin,dc=example,dc=com.
- Grant the password-reset privilege to the account.
  For more information, see steps 1 and 6 in the Setting up a single administrator account section in Configuring Administrators.
- To view the account status for an account, run the manage-account tool.
  Example:
$ bin/manage-account get-all \
    --targetDN uid=user.0,ou=People,dc=example,dc=com
  Result:
  The system displays the following information for the account.
Password Policy DN: cn=Default Password Policy,cn=Password Policies,cn=config
Account Is Disabled: false
Account Expiration Time:
Seconds Until Account Expiration:
Password Changed Time: 19700101000000.000Z
Password Expiration Warned Time:
Seconds Until Password Expiration:
Seconds Until Password Expiration Warning:
Authentication Failure Times:
Seconds Until Authentication Failure Unlock:
Remaining Authentication Failure Count:
Last Login Time:
Seconds Until Idle Account Lockout:
Password Is Reset: false
Seconds Until Password Reset Lockout:
Grace Login Use Times:
Remaining Grace Login Count: 0
Password Changed by Required Time:
Seconds Until Required Change Time:
Password History:
- Grant access control privileges to an account.
  Example:
  The following ACI allows a helpdesk user to manage accounts. Depending on the configuration requirements, this user might also need the permit-get-password-policy-state-issues and password-reset privileges.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="userPassword||ds-pwp-last-login-time||ds-pwp-password-changed-by-required-time||ds-pwp-reset-time||ds-pwp-warned-time||
 ds-pwp-account-disabled||ds-pwp-account-expiration-time||ds-pwp-password-policy-dn||ds-pwp-auth-failure||ds-pwp-last-login-ip-address||
 ds-pwp-retired-password||ds-pwp-account-activation-time||pwdReset||pwdChangedTime||pwdAccountLockedTime") (version 3.0; acl "Grant full access to PWP related attributes to helpdesk"; allow (all) userdn="ldap:///uid=helpdesk,dc=example,dc=com";)
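As an added example (not from the product documentation), the following Python script lints the targetattr clause of an LDIF ACI against the attribute set granted above and models the caveat from About this task: an entry that carries ds-pwp-account-disabled: true still reads as active when that attribute is not readable. The ACI, the entry and the attribute set are constructed from this page; the lint checks only the targetattr list, not the rest of the ACI syntax.

```python
"""Added example (not from the product documentation): lint an LDIF ACI's
targetattr clause against the attribute set the helpdesk ACI on this page grants,
and model why a hidden ds-pwp-account-disabled reads as an active account."""
import re

# Attributes the page's helpdesk ACI exposes; LDAP names compare case-insensitively.
REQUIRED_ATTRS = {a.lower() for a in (
    "userPassword", "ds-pwp-last-login-time", "ds-pwp-password-changed-by-required-time",
    "ds-pwp-reset-time", "ds-pwp-warned-time", "ds-pwp-account-disabled",
    "ds-pwp-account-expiration-time", "ds-pwp-password-policy-dn", "ds-pwp-auth-failure",
    "ds-pwp-last-login-ip-address", "ds-pwp-retired-password",
    "ds-pwp-account-activation-time", "pwdReset", "pwdChangedTime", "pwdAccountLockedTime")}

def aci_target_attrs(ldif_text):
    """Attribute names from the targetattr clause of every aci: value, lower-cased."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)  # LDIF folding: a leading space continues the line
    attrs = set()
    for line in unfolded.splitlines():
        if line.lower().startswith("aci:"):
            m = re.search(r'targetattr\s*=\s*"([^"]*)"', line)
            if m:
                attrs.update(a.strip().lower() for a in m.group(1).split("||") if a.strip())
    return attrs

def missing_attrs(ldif_text):
    """Required attributes the ACI leaves unreadable; each can mislead manage-account."""
    return REQUIRED_ATTRS - aci_target_attrs(ldif_text)

def reported_disabled(entry, readable_attrs):
    """manage-account's view: disabled only if ds-pwp-account-disabled is present AND readable."""
    visible = {k.lower(): v for k, v in entry.items() if k.lower() in readable_attrs}
    return visible.get("ds-pwp-account-disabled", "false").lower() == "true"

# Constructed LDIF: the page's helpdesk ACI folded per RFC 2849, then a copy that omits the disabled flag.
FULL_ACI = """dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="userPassword||ds-pwp-last-login-time||
 ds-pwp-password-changed-by-required-time||ds-pwp-reset-time||ds-pwp-warned-time||
 ds-pwp-account-disabled||ds-pwp-account-expiration-time||ds-pwp-password-policy-dn||
 ds-pwp-auth-failure||ds-pwp-last-login-ip-address||ds-pwp-retired-password||
 ds-pwp-account-activation-time||pwdReset||pwdChangedTime||pwdAccountLockedTime")
  (version 3.0; acl "Grant full access to PWP related attributes to helpdesk";
  allow (all) userdn="ldap:///uid=helpdesk,dc=example,dc=com";)
"""
PARTIAL_ACI = FULL_ACI.replace("ds-pwp-account-disabled||", "")
# Constructed entry, as a root-privileged ldapsearch with "+" would return it.
DISABLED_ENTRY = {"dn": "uid=user.0,ou=People,dc=example,dc=com",
                  "ds-pwp-account-disabled": "true"}
```

Running missing_attrs against the ACI you actually deploy shows which state attributes the helpdesk user cannot read before manage-account silently reports such accounts as active.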
- To disable an account, run the manage-account tool.
  Example:
  The following command sets the account-is-disabled property to true for uid=user.0,dc=example,dc=com.
$ bin/manage-account set-account-is-disabled \
    --targetDN uid=user.0,ou=People,dc=example,dc=com \
    --operationValue true
  Result:
  You receive the following message.
Account Is Disabled: true
- To view the presence of the ds-pwp-account-disabled operational attribute in the entry, run the ldapsearch tool.
  Example:
$ bin/ldapsearch --baseDN dc=example,dc=com "(uid=user.0)" "+"
  Result:
  The system displays the following information.
dn: uid=user.0,ou=People,dc=example,dc=com
ds-pwp-account-disabled: true