PingDirectory

Managing user accounts

Manage user accounts with the manage-account tool.

About this task

The PingDirectory server provides a user management utility, the manage-account tool, that provides a means to quickly view and manipulate several password and account policy properties for a user or group of users.

The server also hosts the Self Service Account Manager project at https://github.com/pingidentity/ssam, which is a customizable web application that allows users to perform their own account registration, profile updates, and password changes.

The project is for testing and development purposes and is not a supported PingDirectory server application.

Steps

  • Unlock a user account with the manage-account tool.

  • To enable a disabled account, contact the administrator for assistance.

    Password resets are not used.

Returning the password policy state information

Steps

  • To get information about the account’s password policy, run the manage-account tool.

    Example:

    $ bin/manage-account get-all \
      --targetDN uid=user.1,ou=People,dc=example,dc=com

    Result:

    Password Policy DN: cn=Demo Password Policy,cn=Password Policies,cn=config
    Account Is Disabled: false
    Account Expiration Time:
    Seconds Until Account Expiration:
    Password Changed Time: 19700101000000.000Z
    Password Expiration Warned Time:
    Seconds Until Password Expiration: 1209600
    Seconds Until Password Expiration Warning: 0
    Authentication Failure Times:
    Seconds Until Authentication Failure Unlock:
    Remaining Authentication Failure Count: 3
    Last Login Time:
    Seconds Until Idle Account Lockout:
    Password Is Reset: false
    Seconds Until Password Reset Lockout:
    Grace Login Use Times:
    Remaining Grace Login Count: 0
    Password Changed by Required Time:
    Seconds Until Required Change Time:
    Password History:

Determining whether an account is disabled

Steps

  • To determine whether a user’s account has been disabled, run the manage-account tool with the get-account-is-disabled subcommand.

    Example:

    $ bin/manage-account get-account-is-disabled \
      --targetDN uid=user.1,ou=People,dc=example,dc=com

    Result:

    If the account has been disabled, you receive the following message.

    Account Is Disabled: true

Disabling an account

Steps

  • To disable a user’s account, run the manage-account tool.

    Example:

    $ bin/manage-account set-account-is-disabled \
      --operationValue true --targetDN uid=user.1,ou=People,dc=example,dc=com

    Result:

    You receive the following message.Account Is Disabled: true

Enabling a disabled account

Steps

  • To enable a user’s account, run the manage-account tool with the clear-account-is-disabled subcommand.

    Example:

    $ bin/manage-account clear-account-is-disabled \
      --targetDN uid=user.1,ou=People,dc=example,dc=com

    Result:

    You receive the following message.Account Is Disabled: false

Assigning the manage-account access privileges to non-root users

Assign access rights to the non-root admin user.

About this task

Non-root users, such as uid=admin, with admin right privileges require access control permission to interact with certain password policy operational attributes when using the manage-account tool.

For example, the presence of the ds-pwp-account-disabled operational attribute in an entry determines that the entry is disabled. If the non-root admin user does not have the access privilege to read or interact with the ds-pwp-account-disabled operational attribute, the manage-account tool might report that the account is active. An account is considered active if the ds-pwp-account-disabled operational attribute does not exist in the entry or if the admin user does not have permission to see it.

Steps

  1. Create a non-root user admin account, such as uid=admin,dc=example,dc=com.

    1. Grant the password-reset privilege to the account.

    For more information, see steps 1 and 6 in the Setting up a single administrator account section in Configuring Administrators.

  2. To view the account status for an account, run the manage-account tool.

    Example:

    $ bin/manage-account get-all \
      --targetDN uid=user.0,ou=People,dc=example,dc=com

    Result:

    The system displays the following information for the account.

    Password Policy DN:  cn=Default Password Policy,cn=Password Policies,cn=config
    Account Is Disabled:  false
    Account Expiration Time:
    Seconds Until Account Expiration:
    Password Changed Time:  19700101000000.000Z
    Password Expiration Warned Time:
    Seconds Until Password Expiration:
    Seconds Until Password Expiration Warning:
    Authentication Failure Times:
    Seconds Until Authentication Failure Unlock:
    Remaining Authentication Failure Count:
    Last Login Time:
    Seconds Until Idle Account Lockout:
    Password Is Reset:  false
    Seconds Until Password Reset Lockout:
    Grace Login Use Times:
    Remaining Grace Login Count:  0
    Password Changed by Required Time:
    Seconds Until Required Change Time:
    Password History:
  3. Grant access control privileges to an account.

    Example:

    The following allows access to manage accounts to a helpdesk user. Depending on the configuration requirements, this user might also need the permit-get-password-policy-state-issues and password-reset privileges.

    dn: dc=example,dc=com
     changetype: modify
     add: aci
     aci: (targetattr="userPassword||ds-pwp-last-login-time||ds-pwp-password-changed-by-required-time||ds-pwp-reset-time||ds-pwp-warned-time||
     ds-pwp-account-disabled||ds-pwp-account-expiration-time||ds-pwp-password-policy-dn||ds-pwp-auth-failure||ds-pwp-last-login-ip-address||
     ds-pwp-retired-password||ds-pwp-account-activation-time||pwdReset||pwdChangedTime||pwdAccountLockedTime")
     (version 3.0; acl "Grant full access to PWP related attributes to helpdesk"; allow (all) userdn="ldap:///uid=helpdesk,dc=example,dc=com";)
  4. To disable an account, run the manage-account tool.

    Example:

    The following command sets the account-is-disabled property to true for the uid=user.0,dc=example,dc=com.

    $ bin/manage-account set-account-is-disabled \
      --targetDN uid=user.0,ou=People,dc=example,dc=com \
      --operationValue true

    Result:

    You receive the following message.Account Is Disabled: true

  5. To view the presence of the ds-pwp-account-disabled operational attribute in the entry, run the ldapsearch tool.

    Example:

    $ bin/ldapsearch --baseDN dc=example,dc=com "(uid=user.0)" "+"

    Result:

    The system displays the following information.

    dn: uid=user.0,ou=People,dc=example,dc=com
    ds-pwp-account-disabled: true