A limited set of operational attributes can be directly manipulated (for example, through LDAP add or modify operations) to manage certain aspects of a user’s password policy state.
- The distinguished name (DN) of the password policy that governs the user. If this is not present in the user’s entry (as either a real or virtual attribute), then the user is subject to the server’s default password policy.
- Indicates whether a user’s account should be administratively disabled. If this attribute is present with a value of true, then the account is disabled. If this attribute is present with a value of false, or if the attribute is absent, then the account is enabled.
- Specifies the time at which a user’s account becomes active. Attempts to authenticate as the user (or to use the account as an alternate authorization identity) fail before this time.
- Specifies the time at which a user’s account will expire. Attempts to authenticate as the user (or to use the account as an alternate authorization identity) fail after this time.
- A shared secret that can be used to generate time-based one-time passwords (TOTP) in conjunction with the UNBOUNDID-TOTP SASL mechanism. Although this attribute can be manually updated, we recommend using the generate TOTP shared secret extended operation to generate a shared secret and store it in the user’s entry.
- The public identifier of a YubiKey device that can be used to generate one-time passwords for use in conjunction with the UNBOUNDID-YUBIKEY-OTP SASL mechanism. Although this attribute can be manually updated, we recommend using the register YubiKey OTP device extended operation.
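The account-state rules above (disabled flag, activation time, expiration time, and the meaning of an absent attribute) can be applied offline when auditing exported entries. The following is an added example, not code from the product documentation; the attribute names are placeholders because this page does not name them, and the sample entries are constructed.

```python
from datetime import datetime, timezone

# Placeholder attribute names: substitute the operational attribute names
# your directory server actually uses for these three properties.
ATTR_DISABLED = "account-disabled-placeholder"
ATTR_ACTIVATION = "account-activation-time-placeholder"
ATTR_EXPIRATION = "account-expiration-time-placeholder"


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime of the form YYYYMMDDHHMMSSZ (UTC)."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    return datetime.strptime(value[:-1], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def account_usable(entry: dict, now_gt: str) -> tuple:
    """Decide whether the account may authenticate at time now_gt.

    entry maps attribute name -> list of string values, as in an LDIF export.
    An absent attribute imposes no restriction; the disabled flag is only
    honoured when present with the value "true" (case-insensitive).
    Returns (usable, reason).
    """
    now = parse_generalized_time(now_gt)
    disabled = entry.get(ATTR_DISABLED, [])
    if disabled and disabled[0].lower() == "true":
        return False, "account administratively disabled"
    activation = entry.get(ATTR_ACTIVATION, [])
    if activation and now < parse_generalized_time(activation[0]):
        return False, "account not yet active"
    expiration = entry.get(ATTR_EXPIRATION, [])
    if expiration and now > parse_generalized_time(expiration[0]):
        return False, "account expired"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample entries, not data from any real directory.
    samples = {
        "uid=alice": {},
        "uid=bob": {ATTR_DISABLED: ["true"]},
        "uid=carol": {ATTR_DISABLED: ["false"], ATTR_ACTIVATION: ["20240701000000Z"]},
        "uid=dave": {ATTR_ACTIVATION: ["20240101000000Z"], ATTR_EXPIRATION: ["20240301000000Z"]},
    }
    for dn, attrs in samples.items():
        print(dn, account_usable(attrs, "20240601120000Z"))
```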