Externally modifiable user attributes
A limited set of operational attributes can be directly manipulated (for example, through LDAP add or modify operations) to manage certain aspects of a user’s password policy state.
They include:
ds-pwp-password-policy-dn
The distinguished name (DN) of the password policy that governs the user. If this is not present in the user’s entry (as either a real or virtual attribute), then the user is subject to the server’s default password policy.
ds-pwp-account-disabled
Indicates whether a user’s account should be administratively disabled. If this attribute is present with a value of true, then the account is disabled. If this attribute is present with a value of false, or if the attribute is absent, then the account is enabled.
ds-pwp-account-activation-time
Specifies the time at which a user’s account becomes active. Attempts to authenticate as the user (or to use the account as an alternate authorization identity) fail before this time.
ds-pwp-account-expiration-time
Specifies the time at which a user’s account expires. Attempts to authenticate as the user (or to use the account as an alternate authorization identity) fail after this time.
ds-auth-totp-shared-secret
A shared secret that can be used to generate time-based one-time passwords in conjunction with the UNBOUNDID-TOTP SASL mechanism. Although this attribute can be manually updated, we recommend using the generate Time-based One-time Password (TOTP) shared secret extended operation for generating a shared secret and storing it in the user’s entry.
ds-auth-preferred-otp-delivery-mechanism
The public identifier of a YubiKey device that can be used to generate one-time passwords for use in conjunction with the UNBOUNDID-YUBIKEY-OTP SASL mechanism. Although this attribute can be manually updated, we recommend using the registered YubiKey OTP device extended operation.
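The following added example (not part of the original documentation or the product's own code) evaluates the first four attributes above for entries taken from a directory export, so an audit can report which accounts are usable at a given time and why. The function names, the sample entries, and the UTC generalized-time value format are assumptions of this example.

```python
from datetime import datetime, timezone

def parse_generalized_time(value):
    # Assumption: values are generalized time in UTC, e.g. 20250101000000Z
    # or 20250101000000.000Z. Anything else is rejected rather than guessed.
    if not value.upper().endswith("Z"):
        raise ValueError("unsupported time value: %r" % value)
    base = value[:-1].split(".")[0]
    return datetime.strptime(base, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def first(entry, name):
    # Attribute names are case-insensitive; each attribute maps to a value list.
    for key, values in entry.items():
        if key.lower() == name and values:
            return values[0]
    return None

def account_state(entry, now):
    """Return (usable, reason, policy) for one entry at time `now`."""
    # An absent policy DN means the server's default password policy applies.
    policy = first(entry, "ds-pwp-password-policy-dn") or "<server default policy>"
    disabled = first(entry, "ds-pwp-account-disabled")
    # Only a value of true disables; false or an absent attribute means enabled.
    if disabled is not None and disabled.strip().lower() == "true":
        return (False, "administratively disabled", policy)
    activation = first(entry, "ds-pwp-account-activation-time")
    if activation and now < parse_generalized_time(activation):
        return (False, "not yet active", policy)
    expiration = first(entry, "ds-pwp-account-expiration-time")
    if expiration and now > parse_generalized_time(expiration):
        return (False, "expired", policy)
    return (True, "enabled", policy)

# Constructed sample entries (hypothetical DNs and values, not real data).
SAMPLE_ENTRIES = {
    "uid=alice,ou=People,dc=example,dc=com": {
        "ds-pwp-password-policy-dn": ["cn=Strict Policy,cn=Password Policies,cn=config"],
        "ds-pwp-account-disabled": ["false"],
        "ds-pwp-account-expiration-time": ["20251231235959Z"]},
    "uid=bob,ou=People,dc=example,dc=com": {"DS-PWP-Account-Disabled": ["TRUE"]},
    "uid=carol,ou=People,dc=example,dc=com": {
        "ds-pwp-account-activation-time": ["20250901000000Z"]},
    "uid=dave,ou=People,dc=example,dc=com": {
        "ds-pwp-account-expiration-time": ["20250101000000.000Z"]},
    "uid=erin,ou=People,dc=example,dc=com": {},
}

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for dn, entry in SAMPLE_ENTRIES.items():
        print(dn, account_state(entry, now))
```

When more than one condition applies, the function reports the first one it checks; that ordering is a choice of this example, not something the page specifies.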