Non-root users with administrative privileges (for example, uid=admin) need access control permission to interact with certain password policy operational attributes when using the manage-account tool.

For example, the presence of the ds-pwp-account-disabled operational attribute in an entry indicates that the account is disabled. If the non-root admin user does not have access to read or interact with the ds-pwp-account-disabled operational attribute, the manage-account tool may report that the account is active: an account is considered active if the ds-pwp-account-disabled operational attribute does not exist in the entry or if the admin user does not have permission to see it.

Use the following procedure to grant the required access rights to the non-root admin user.

  1. Create a non-root user admin account, such as uid=admin,dc=example,dc=com, and grant the password-reset privilege to the account. See steps 1 and 6 in the Configuring Administrators section for more information.
  2. Run the manage-account tool to view the account status for an account.
    $ bin/manage-account get-all \
      --targetDN uid=user.0,ou=People,dc=example,dc=com
    Password Policy DN:  cn=Default Password Policy,cn=Password Policies,cn=config
    Account Is Disabled:  false
    Account Expiration Time:
    Seconds Until Account Expiration:
    Password Changed Time:  19700101000000.000Z
    Password Expiration Warned Time:
    Seconds Until Password Expiration:
    Seconds Until Password Expiration Warning:
    Authentication Failure Times:
    Seconds Until Authentication Failure Unlock:
    Remaining Authentication Failure Count:
    Last Login Time:
    Seconds Until Idle Account Lockout:
    Password Is Reset:  false
    Seconds Until Password Reset Lockout:
    Grace Login Use Times:
    Remaining Grace Login Count:  0
    Password Changed by Required Time:
    Seconds Until Required Change Time:
    Password History:
  3. Grant access control privileges to the account. The following ACI gives a helpdesk user (uid=helpdesk,dc=example,dc=com) access to the password policy attributes needed to manage accounts. Depending on the configuration requirements, this user may also need the permit-get-password-policy-state-issues and password-reset privileges.
    dn: dc=example,dc=com
    changetype: modify
    add: aci
    aci: (targetattr="userPassword||ds-pwp-last-login-time||ds-pwp-password-changed-by-required-time||ds-pwp-reset-time||ds-pwp-warned-time||
     ds-pwp-account-disabled||ds-pwp-account-expiration-time||ds-pwp-password-policy-dn||ds-pwp-auth-failure||ds-pwp-last-login-ip-address||
     ds-pwp-retired-password||ds-pwp-account-activation-time||pwdReset||pwdChangedTime||pwdAccountLockedTime")
     (version 3.0; acl "Grant full access to PWP related attributes to helpdesk"; allow (all) userdn="ldap:///uid=helpdesk,dc=example,dc=com";)
  4. Run the manage-account tool to disable an account. The following command sets the account-is-disabled property to true for uid=user.0,ou=People,dc=example,dc=com.
    $ bin/manage-account set-account-is-disabled \
      --targetDN uid=user.0,ou=People,dc=example,dc=com \
      --operationValue true
    Account Is Disabled:  true
  5. Run the ldapsearch tool to confirm that the ds-pwp-account-disabled operational attribute is now present in the entry (the "+" argument requests operational attributes).
    $ bin/ldapsearch --baseDN dc=example,dc=com "(uid=user.0)" "+"
    dn: uid=user.0,ou=People,dc=example,dc=com
    ds-pwp-account-disabled: true
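The failure mode the procedure guards against is easy to miss because manage-account reports "Account Is Disabled: false" both when the account is genuinely active and when the bind simply cannot read ds-pwp-account-disabled. The following Python script is an added worked example, not code from the PingDirectory documentation or tools: it parses the ACI syntax used on this page, checks which password policy state attributes an ACI exposes to the helpdesk bind, and models the read-visibility rule so that the hidden-attribute case can be reproduced offline. The PWP_STATE_ATTRS list, the simplified access model (root DN sees everything, other binds see only what an allow ACI with read or all grants them), and all entries and DNs are constructed assumptions for the example.

```python
"""Added example (not part of the product docs): model how an ACI's targetattr
list governs which password-policy operational attributes a helpdesk bind can
read, and why a missing ds-pwp-account-disabled grant makes a disabled account
look active to manage-account. All entries, DNs and attribute lists are constructed."""
import re

# State attributes assumed to matter for reporting account status (assumption
# drawn from the ACI on this page, not a product specification).
PWP_STATE_ATTRS = {
    "ds-pwp-account-disabled", "ds-pwp-account-expiration-time", "ds-pwp-auth-failure",
    "ds-pwp-last-login-time", "ds-pwp-password-policy-dn", "ds-pwp-reset-time",
    "ds-pwp-warned-time", "pwdReset", "pwdChangedTime", "pwdAccountLockedTime",
}

# Matches the subset of ACI syntax used on this page: one targetattr, one userdn.
ACI_RE = re.compile(
    r'\(targetattr="(?P<attrs>[^"]*)"\)\s*'
    r'\(version 3\.0;\s*acl "(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'userdn="ldap:///(?P<userdn>[^"]*)";\s*\)',
    re.IGNORECASE,
)


def parse_aci(aci: str) -> dict:
    """Parse an ACI string (LDIF folding whitespace is collapsed first)."""
    m = ACI_RE.search(" ".join(aci.split()))
    if not m:
        raise ValueError("unsupported ACI syntax for this example")
    return {
        "targetattr": {a.strip().lower() for a in m.group("attrs").split("||") if a.strip()},
        "name": m.group("name"),
        "effect": m.group("effect").lower(),
        "rights": {r.strip().lower() for r in m.group("rights").split(",")},
        "userdn": m.group("userdn").lower(),
    }


def missing_pwp_attrs(aci: dict) -> set:
    """State attributes the ACI does not expose to its userdn."""
    return {a for a in PWP_STATE_ATTRS if a.lower() not in aci["targetattr"]}


def visible_attrs(entry: dict, acis: list, bind_dn: str) -> dict:
    """Simplified read model: the root DN sees every attribute; any other bind
    sees an attribute only if an allow ACI names it and grants read or all."""
    if bind_dn.lower() == "cn=directory manager":
        return dict(entry)
    allowed = set()
    for aci in acis:
        if (aci["effect"] == "allow" and aci["userdn"] == bind_dn.lower()
                and aci["rights"] & {"read", "all"}):
            allowed |= aci["targetattr"]
    return {k: v for k, v in entry.items() if k.lower() in allowed}


def account_is_disabled(visible: dict) -> bool:
    """manage-account semantics described on the page: the account counts as
    active unless ds-pwp-account-disabled is present (and true) in what is visible."""
    return visible.get("ds-pwp-account-disabled", "false").lower() == "true"


# The ACI from this page, as a single value.
PAGE_ACI = (
    '(targetattr="userPassword||ds-pwp-last-login-time||ds-pwp-password-changed-by-required-time||'
    'ds-pwp-reset-time||ds-pwp-warned-time||ds-pwp-account-disabled||ds-pwp-account-expiration-time||'
    'ds-pwp-password-policy-dn||ds-pwp-auth-failure||ds-pwp-last-login-ip-address||'
    'ds-pwp-retired-password||ds-pwp-account-activation-time||pwdReset||pwdChangedTime||pwdAccountLockedTime")'
    '(version 3.0; acl "Grant full access to PWP related attributes to helpdesk"; '
    'allow (all) userdn="ldap:///uid=helpdesk,dc=example,dc=com";)'
)
# A constructed, deliberately too-narrow ACI that omits ds-pwp-account-disabled.
NARROW_ACI = (
    '(targetattr="ds-pwp-password-policy-dn||pwdChangedTime")'
    '(version 3.0; acl "helpdesk read-only (constructed)"; allow (read,search) '
    'userdn="ldap:///uid=helpdesk,dc=example,dc=com";)'
)
# Constructed disabled user entry as the root DN would see it.
USER_ENTRY = {
    "uid": "user.0",
    "ds-pwp-account-disabled": "true",
    "ds-pwp-password-policy-dn": "cn=Default Password Policy,cn=Password Policies,cn=config",
}
HELPDESK = "uid=helpdesk,dc=example,dc=com"


def demo() -> dict:
    """Compare what each bind concludes about the same disabled entry."""
    page, narrow = parse_aci(PAGE_ACI), parse_aci(NARROW_ACI)
    return {
        "page_aci_missing": missing_pwp_attrs(page),          # set()
        "narrow_aci_missing": missing_pwp_attrs(narrow),      # includes ds-pwp-account-disabled
        "root_sees_disabled": account_is_disabled(visible_attrs(USER_ENTRY, [page], "cn=Directory Manager")),
        "helpdesk_with_page_aci": account_is_disabled(visible_attrs(USER_ENTRY, [page], HELPDESK)),
        "helpdesk_with_narrow_aci": account_is_disabled(visible_attrs(USER_ENTRY, [narrow], HELPDESK)),
        "helpdesk_without_aci": account_is_disabled(visible_attrs(USER_ENTRY, [], HELPDESK)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The last two results are the point of the page: with no ACI, or with an ACI that leaves ds-pwp-account-disabled out of targetattr, the helpdesk bind concludes the disabled account is active, while the root DN sees the truth. The parsed "rights" field is also worth reading before deploying: the page's ACI grants (all), which covers write on userPassword as well as read on the state attributes, so if a helpdesk role only needs the get-all view and not set-account-is-disabled, a narrower rights set on a narrower attribute list (while still including ds-pwp-account-disabled) is the least-privilege choice.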