Managing user accounts
Manage user accounts with the manage-account tool.
About this task
The PingDirectory server provides a user management utility, the manage-account tool, that provides a means to quickly view and manipulate several password and account policy properties for a user or group of users.
The server also hosts the Self Service Account Manager project at https://github.com/pingidentity/ssam, which is a customizable web application that allows users to perform their own account registration, profile updates, and password changes.
|
The project is for testing and development purposes and is not a supported PingDirectory server application. |
Steps
-
Unlock a user account with the
manage-accounttool. -
To enable a disabled account, contact the administrator for assistance.
Password resets are not used.
Returning the password policy state information
Steps
-
To get information about the account’s password policy, run the
manage-accounttool.Example:
$ bin/manage-account get-all \ --targetDN uid=user.1,ou=People,dc=example,dc=comResult:
Password Policy DN: cn=Demo Password Policy,cn=Password Policies,cn=config Account Is Disabled: false Account Expiration Time: Seconds Until Account Expiration: Password Changed Time: 19700101000000.000Z Password Expiration Warned Time: Seconds Until Password Expiration: 1209600 Seconds Until Password Expiration Warning: 0 Authentication Failure Times: Seconds Until Authentication Failure Unlock: Remaining Authentication Failure Count: 3 Last Login Time: Seconds Until Idle Account Lockout: Password Is Reset: false Seconds Until Password Reset Lockout: Grace Login Use Times: Remaining Grace Login Count: 0 Password Changed by Required Time: Seconds Until Required Change Time: Password History:
Determining whether an account is disabled
Steps
-
To determine whether a user’s account has been disabled, run the
manage-accounttool with theget-account-is-disabledsubcommand.Example:
$ bin/manage-account get-account-is-disabled \ --targetDN uid=user.1,ou=People,dc=example,dc=comResult:
If the account has been disabled, you receive the following message.
Account Is Disabled: true
Disabling an account
Steps
-
To disable a user’s account, run the
manage-accounttool.Example:
$ bin/manage-account set-account-is-disabled \ --operationValue true --targetDN uid=user.1,ou=People,dc=example,dc=comResult:
You receive the following message.
Account Is Disabled: true
Enabling a disabled account
Steps
-
To enable a user’s account, run the
manage-accounttool with theclear-account-is-disabledsubcommand.Example:
$ bin/manage-account clear-account-is-disabled \ --targetDN uid=user.1,ou=People,dc=example,dc=comResult:
You receive the following message.
Account Is Disabled: false
Assigning the manage-account access privileges to non-root users
Assign access rights to the non-root admin user.
About this task
Non-root users, such as uid=admin, with admin right privileges require access control permission to interact with certain password policy operational attributes when using the manage-account tool.
For example, the presence of the ds-pwp-account-disabled operational attribute in an entry determines that the entry is disabled. If the non-root admin user does not have the access privilege to read or interact with the ds-pwp-account-disabled operational attribute, the manage-account tool might report that the account is active. An account is considered active if the ds-pwp-account-disabled operational attribute does not exist in the entry or if the admin user does not have permission to see it.
Steps
-
Create a non-root user admin account, such as
uid=admin,dc=example,dc=com.-
Grant the
password-resetprivilege to the account.
For more information, see steps 1 and 6 in the Setting up a single administrator account section in Configuring Administrators.
-
-
To view the account status for an account, run the
manage-accounttool.Example:
$ bin/manage-account get-all \ --targetDN uid=user.0,ou=People,dc=example,dc=comResult:
The system displays the following information for the account.
Password Policy DN: cn=Default Password Policy,cn=Password Policies,cn=config Account Is Disabled: false Account Expiration Time: Seconds Until Account Expiration: Password Changed Time: 19700101000000.000Z Password Expiration Warned Time: Seconds Until Password Expiration: Seconds Until Password Expiration Warning: Authentication Failure Times: Seconds Until Authentication Failure Unlock: Remaining Authentication Failure Count: Last Login Time: Seconds Until Idle Account Lockout: Password Is Reset: false Seconds Until Password Reset Lockout: Grace Login Use Times: Remaining Grace Login Count: 0 Password Changed by Required Time: Seconds Until Required Change Time: Password History:
-
Grant access control privileges to an account.
Example:
The following allows access to manage accounts to a helpdesk user. Depending on the configuration requirements, this user might also need the
permit-get-password-policy-state-issuesandpassword-resetprivileges.dn: dc=example,dc=com changetype: modify add: aci aci: (targetattr="userPassword||ds-pwp-last-login-time||ds-pwp-password-changed-by-required-time||ds-pwp-reset-time||ds-pwp-warned-time|| ds-pwp-account-disabled||ds-pwp-account-expiration-time||ds-pwp-password-policy-dn||ds-pwp-auth-failure||ds-pwp-last-login-ip-address|| ds-pwp-retired-password||ds-pwp-account-activation-time||pwdReset||pwdChangedTime||pwdAccountLockedTime") (version 3.0; acl "Grant full access to PWP related attributes to helpdesk"; allow (all) userdn="ldap:///uid=helpdesk,dc=example,dc=com";)
-
To disable an account, run the
manage-accounttool.Example:
The following command sets the
account-is-disabledproperty to true for theuid=user.0,dc=example,dc=com.$ bin/manage-account set-account-is-disabled \ --targetDN uid=user.0,ou=People,dc=example,dc=com \ --operationValue trueResult:
You receive the following message.
Account Is Disabled: true -
To view the presence of the
ds-pwp-account-disabledoperational attribute in the entry, run theldapsearchtool.Example:
$ bin/ldapsearch --baseDN dc=example,dc=com "(uid=user.0)" "+"Result:
The system displays the following information.
dn: uid=user.0,ou=People,dc=example,dc=com ds-pwp-account-disabled: true