Non-root users that hold administrative privileges, such as uid=admin, also need access control permission (an ACI) to read and modify certain password policy operational attributes when they use the manage-account tool. Privileges alone are not enough.

For example, the presence of the ds-pwp-account-disabled operational attribute in an entry indicates that the entry is disabled. If the non-root admin user does not have access control permission to read the ds-pwp-account-disabled operational attribute, the manage-account tool might report that the account is active. An account is reported as active if the ds-pwp-account-disabled operational attribute does not exist in the entry, or if the admin user does not have permission to see it; from the tool's point of view the two cases look the same.

  1. Create a non-root user admin account, such as uid=admin,dc=example,dc=com.
    1. Grant the password-reset privilege to the account.

      For more information, see steps 1 and 6 in the Setting up a single administrator account section in Configuring Administrators.

  2. To view the account status for an account, run the manage-account tool.

    $ bin/manage-account get-all \
      --targetDN uid=user.0,ou=People,dc=example,dc=com

    The system displays the following information for the account.

    Password Policy DN:  cn=Default Password Policy,cn=Password Policies,cn=config
    Account Is Disabled:  false
    Account Expiration Time:
    Seconds Until Account Expiration:
    Password Changed Time:  19700101000000.000Z
    Password Expiration Warned Time:
    Seconds Until Password Expiration:
    Seconds Until Password Expiration Warning:
    Authentication Failure Times:
    Seconds Until Authentication Failure Unlock:
    Remaining Authentication Failure Count:
    Last Login Time:
    Seconds Until Idle Account Lockout:
    Password Is Reset:  false
    Seconds Until Password Reset Lockout:
    Grace Login Use Times:
    Remaining Grace Login Count:  0
    Password Changed by Required Time:
    Seconds Until Required Change Time:
    Password History:

  3. Grant access control privileges to an account.

    The following ACI gives a helpdesk user (uid=helpdesk) access to the password policy attributes needed to manage accounts. Depending on the configuration requirements, this user might also need the permit-get-password-policy-state-issues and password-reset privileges. In LDIF, a line that begins with a space continues the previous line, so only the wrapped parts of the aci value are indented.

    dn: dc=example,dc=com
    changetype: modify
    add: aci
    aci: (targetattr="userPassword||ds-pwp-last-login-time||ds-pwp-password-changed-by-required-time||ds-pwp-reset-time||ds-pwp-warned-time||
     ds-pwp-account-disabled||ds-pwp-account-expiration-time||ds-pwp-password-policy-dn||ds-pwp-auth-failure||ds-pwp-last-login-ip-address||
     ds-pwp-retired-password||ds-pwp-account-activation-time||pwdReset||pwdChangedTime||pwdAccountLockedTime")
     (version 3.0; acl "Grant full access to PWP related attributes to helpdesk"; allow (all) userdn="ldap:///uid=helpdesk,dc=example,dc=com";)

  4. To disable an account, run the manage-account tool.

    The following command sets the account-is-disabled property to true for uid=user.0,ou=People,dc=example,dc=com.

    $ bin/manage-account set-account-is-disabled \
      --targetDN uid=user.0,ou=People,dc=example,dc=com \
      --operationValue true

    You receive the following message.

    Account Is Disabled: true

  5. To confirm that the ds-pwp-account-disabled operational attribute is now present in the entry, run the ldapsearch tool with "+" to request operational attributes.

    $ bin/ldapsearch --baseDN dc=example,dc=com "(uid=user.0)" "+"

    The system displays the following information.

    dn: uid=user.0,ou=People,dc=example,dc=com
    ds-pwp-account-disabled: true
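As an added example (not part of this procedure or the product's own tooling), the following Python folds LDIF continuation lines, extracts the attribute names covered by the ACI's targetattr clause, and classifies an entry the way the note at the top warns about: an absent ds-pwp-account-disabled only means "active" when the reader's ACI actually lets it see that attribute. The sample ACI and entry are constructed, and the check looks only at targetattr, ignoring the ACI's rights and userdn clauses.

```python
import re

# Constructed sample: a shortened version of the helpdesk ACI from step 3,
# written as an LDIF change record (continuation lines begin with one space).
ACI_LDIF = """dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="userPassword||ds-pwp-last-login-time||ds-pwp-reset-time||
 ds-pwp-account-disabled||ds-pwp-account-expiration-time||pwdReset")
 (version 3.0; acl "helpdesk PWP access"; allow (all) userdn="ldap:///uid=helpdesk,dc=example,dc=com";)
"""

# Constructed sample: what ldapsearch "+" returns for a disabled entry.
ENTRY_LDIF = """dn: uid=user.0,ou=People,dc=example,dc=com
ds-pwp-account-disabled: true
"""

def parse_ldif(text):
    """Return {attr: [values]} for one LDIF record, folding continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # continuation: drop exactly one leading space
        elif raw.strip():
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def aci_target_attrs(aci):
    """Attribute names (lowercased) listed in the ACI's targetattr clause.
    Simplification: only an explicit '||' list is handled, not '*' or '!='."""
    m = re.search(r'targetattr\s*=\s*"([^"]*)"', aci)
    return {a.strip().lower() for a in m.group(1).split("||")} if m else set()

def account_state(entry_ldif, aci_ldif):
    """'disabled' if ds-pwp-account-disabled is true; 'active' only if the
    attribute is absent AND the ACI lets the reader see it; otherwise
    'unknown', because an unreadable attribute looks exactly like a missing one."""
    entry = parse_ldif(entry_ldif)
    readable = aci_target_attrs(parse_ldif(aci_ldif)["aci"][0])
    values = [v.lower() for v in entry.get("ds-pwp-account-disabled", [])]
    if "true" in values:
        return "disabled"
    return "active" if "ds-pwp-account-disabled" in readable else "unknown"
```

Run account_state against the output of a search performed with the helpdesk bind and with a privileged bind; if the two disagree, the ACI is missing an attribute the tool needs.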