This includes:

  • Retrieving the DN of the password policy that governs the user
  • Retrieving a flag that indicates whether the server considers the account usable
  • Retrieving a set of error, warning, and notice conditions that can affect the account’s usability
  • Determining whether the account has a static password
  • Retrieving and updating the flag indicating whether an account is disabled
  • Retrieving and updating the account’s activation and expiration times
  • Retrieving and updating the account’s password changed time
  • Determining whether the user’s password is expired
  • Retrieving the account’s password expiration time, which is computed from the password changed time
  • Retrieving and updating the account’s password expiration warned time
  • Retrieving and updating the set of grace login use times
  • Retrieving and updating the record of failed authentication attempts
  • Retrieving and overriding a failure-based account lockout
  • Retrieving the time that an account was failure locked
  • Retrieving and updating an account’s last login time
  • Retrieving and updating an account’s last login IP address
  • Retrieving and clearing an account’s recent login history
  • Retrieving the length of time until an upcoming idle lockout
  • Retrieving and updating the account’s “must change password” flag
  • Determining whether an account is reset locked
  • Retrieving the length of time until a password reset lockout
  • Retrieving the number of passwords in the user’s history and clearing the history
  • Determining whether a user has a retired password and purging the retired password
  • Retrieving the set of SASL mechanisms that are available to the user
  • Retrieving the set of one-time passcode (OTP) delivery mechanisms that are available to the user
  • Determining whether the user has any TOTP shared secrets
  • Registering and deregistering TOTP shared secrets
  • Determining whether the user has any registered YubiKey OTP devices
  • Registering and deregistering YubiKey OTP devices
  • Retrieving and updating the time that bind password validation was last performed for the user
  • Retrieving and clearing password validation lockout

The server also includes a manage-account tool that provides command-line access to the functionality of the password policy state extended operation.