Retrieve or update information about the current state of a user account. Processing will be performed using the password policy state extended operation, and you must have the password-reset privilege to use this extended operation.
```
manage-account get-all --hostname server.example.com --port 389 \
     --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com

manage-account get-account-usability-error-messages \
     --hostname server.example.com --port 389 \
     --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com

manage-account set-account-is-disabled --hostname server.example.com --port 389 \
     --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com --accountIsDisabled true

manage-account clear-authentication-failure-times --hostname server.example.com \
     --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Adds one or more new values to the set of authentication failure times for a user. If the resulting set of authentication failure times has reached the configured lockout failure count, the user's account will be locked. This will have no effect if failure lockout is not enabled in the user's password policy.
```
manage-account add-authentication-failure-time --hostname server.example.com \
     --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```

| -O {timestamp} | --authenticationFailureTime {timestamp} |
| --- | --- |
| Description | A timestamp for an authentication failure time to add to the user's entry. It must be a timestamp formatted either in generalized time form or in the local time zone using one of the following formats: YYYYMMDDhhmmss.uuu, YYYYMMDDhhmmss, or YYYYMMDDhhmm. This argument may be provided multiple times to specify multiple authentication failure times. If this argument is not provided, the current time will be added to the set of authentication failure times. |
| Required | No |
| Multi-Valued | No |
Adds one or more new values to the set of grace login use times for a user. This will have no effect unless both password expiration and grace login support are configured in the user's password policy.
```
manage-account add-grace-login-use-time --hostname server.example.com \
     --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```

| -O {timestamp} | --graceLoginUseTime {timestamp} |
| --- | --- |
| Description | A timestamp for a grace login use time to add to the user's entry. It must be a timestamp formatted either in generalized time form or in the local time zone using one of the following formats: YYYYMMDDhhmmss.uuu, YYYYMMDDhhmmss, or YYYYMMDDhhmm. This argument may be provided multiple times to specify multiple grace login use times. If this argument is not provided, the current time will be used. |
| Required | No |
| Multi-Valued | No |
Adds a value to the set of registered YubiKey OTP public IDs for a user.
```
manage-account add-registered-yubikey-public-id --hostname server.example.com \
     --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com --publicID abcdefghijkl
```

| -O {value} | --publicID {value} |
| --- | --- |
| Description | The public ID for a YubiKey OTP device to register for a user. This argument must be provided at least once, but may be provided multiple times to specify multiple public IDs to register. |
| Required | Yes |
| Multi-Valued | Yes |
Adds a value to the set of TOTP shared secrets for a user.
```
manage-account add-totp-shared-secret --hostname server.example.com --port 389 \
     --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com \
     --totpSharedSecret abcdefghijklmnop
```

| -O {value} | --totpSharedSecret {value} |
| --- | --- |
| Description | A TOTP shared secret to register for a user. This argument must be provided at least once, but may be provided multiple times to specify multiple shared secrets to register. |
| Required | Yes |
| Multi-Valued | Yes |
Clear the account activation time for a user. If the account previously had an activation time in the future, this will make it immediately eligible for use. This can also be accomplished with a standard LDAP modify operation by removing the ds-pwp-account-activation-time attribute from the user's entry.
```
manage-account clear-account-activation-time --hostname server.example.com \
     --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Clear the account expiration time for a user. If the account previously had an expiration time in the past, this will make it immediately eligible for use. This can also be accomplished with a standard LDAP modify operation by removing the ds-pwp-account-expiration-time attribute from the user's entry.
```
manage-account clear-account-expiration-time --hostname server.example.com \
     --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Clear the account disabled state information from a user entry, which is logically equivalent to using the set-account-is-disabled subcommand with an accountIsDisabled value of false. This can also be accomplished with a standard LDAP modify operation by removing the ds-pwp-account-disabled operational attribute from the user's entry.
```
manage-account clear-account-is-disabled --hostname server.example.com \
     --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Clears the set of authentication failure times for a user. If the user's account had been locked because of too many failed authentication attempts, this will also clear that lockout.
```
manage-account clear-authentication-failure-times --hostname server.example.com \
     --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Clears the set of grace login use times for a user. This will have no effect unless both password expiration and grace login support are configured in the user's password policy.
```
manage-account clear-grace-login-use-times --hostname server.example.com \
     --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Clears the last login IP address from a user's entry. This will have no effect if last login IP address tracking is not enabled in the user's password policy.
```
manage-account clear-last-login-ip-address --hostname server.example.com \
     --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Clears the last login time from a user's entry. This will have no effect if last login time tracking is not enabled in the user's password policy.
```
manage-account clear-last-login-time --hostname server.example.com --port 389 \
     --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Clears the password reset state information from a user's account. If the account had previously been locked because the user failed to choose a new password in a timely manner after an administrative reset, that lockout will be lifted. This will have no effect if neither force change on add nor force change on reset is enabled in the user's password policy.
```
manage-account clear-must-change-password --hostname server.example.com \
     --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Clears the record of the most recent required change time with which a user has complied. This will not have any effect unless a required change time is configured in the user's password policy.
```
manage-account clear-password-changed-by-required-time \
     --hostname server.example.com --port 389 \
     --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Clear the password changed time value for a user. For password policy evaluations that require knowing when the user's password was last changed, the server will attempt to fall back to using the create timestamp, if available.
```
manage-account clear-password-changed-time --hostname server.example.com \
     --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Clear a record of any password expiration warning from a user's entry.
```
manage-account clear-password-expiration-warned-time \
     --hostname server.example.com --port 389 \
     --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Clears the password history for a user. This will have no effect if the password history is not enabled in the user's password policy.
```
manage-account clear-password-history --hostname server.example.com --port 389 \
     --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Clears the list of the public IDs of the YubiKey OTP devices registered for a user.
```
manage-account clear-registered-yubikey-public-ids \
     --hostname server.example.com --port 389 \
     --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Purges a retired password from a user's entry so that it may no longer be used to authenticate.
```
manage-account clear-retired-password --hostname server.example.com --port 389 \
     --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Clears the set of TOTP shared secrets registered for a user.
```
manage-account clear-totp-shared-secrets --hostname server.example.com \
     --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Retrieve the account activation time for a user. If the activation time is in the future, the user cannot authenticate or be used as an alternate authorization identity. This can also be accomplished with a standard LDAP search operation by retrieving the ds-pwp-account-activation-time operational attribute from the user's entry.
```
manage-account get-account-activation-time --hostname server.example.com \
     --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Retrieve the account expiration time for a user. If the expiration time is in the past, the user cannot authenticate or be used as an alternate authorization identity. This can also be accomplished with a standard LDAP search operation by retrieving the ds-pwp-account-expiration-time operational attribute from the user's entry.
```
manage-account get-account-expiration-time --hostname server.example.com \
     --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Determine whether a user account has been disabled by an administrator and cannot authenticate or be used as an alternate authorization identity. This can also be accomplished with a standard LDAP search operation by determining whether the user entry has a ds-pwp-account-disabled operational attribute with a value of true.
```
manage-account get-account-is-disabled --hostname server.example.com --port 389 \
     --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Determine whether a user account has an expiration time in the past and therefore cannot authenticate or be used as an alternate authorization identity.
```
manage-account get-account-is-expired --hostname server.example.com --port 389 \
     --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Determines whether a user's account is locked as a result of too many failed authentication attempts. This will only be available if failure lockout is enabled in the user's password policy.
```
manage-account get-account-is-failure-locked --hostname server.example.com \
     --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Determines whether a user's account is locked because it has been too long since the user last authenticated. This will only be available if idle lockout is enabled in the user's password policy.
```
manage-account get-account-is-idle-locked --hostname server.example.com \
     --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Determine whether a user account has an activation time in the future and therefore cannot authenticate or be used as an alternate authorization identity.
```
manage-account get-account-is-not-yet-active --hostname server.example.com \
     --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Determines whether the user's account is locked because the user failed to choose a new password in a timely manner after an administrative reset. This will only be available if either force change on add or force change on reset is enabled in the user's password policy, and if a maximum password reset age is defined in the user's password policy.
```
manage-account get-account-is-password-reset-locked \
     --hostname server.example.com --port 389 \
     --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Determine whether a user account will be allowed to authenticate or be used as an alternate authorization identity.
```
manage-account get-account-is-usable --hostname server.example.com --port 389 \
     --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Retrieve any password policy state account usability error messages for a user. The messages may provide information about conditions that prevent a user account from authenticating, being used as an alternate authorization identity, or otherwise functioning normally.
```
manage-account get-account-usability-error-messages \
     --hostname server.example.com --port 389 \
     --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Retrieve any password policy state account usability notice messages for a user. These messages may provide useful information about the state of the user account, but do not necessarily represent a current or imminent problem with the account.
```
manage-account get-account-usability-notice-messages \
     --hostname server.example.com --port 389 \
     --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Retrieve any password policy state account usability warning messages for a user. The messages may provide information about conditions that may leave a user account unusable in the near future unless corrective action is taken.
```
manage-account get-account-usability-warning-messages \
     --hostname server.example.com --port 389 \
     --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Retrieve all available state information for a user.
```
manage-account get-all --hostname server.example.com --port 389 \
     --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Retrieves the timestamps for any failed authentication attempts for a user since the user's last successful authentication. This will only be available if failure lockout is enabled in the user's password policy.
```
manage-account get-authentication-failure-times --hostname server.example.com \
     --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Retrieves a list of the one-time password delivery mechanisms that are available for a user. If the user's entry includes information about which OTP delivery mechanisms are preferred, then the values will be returned in order of most preferred to least preferred.
```
manage-account get-available-otp-delivery-mechanisms \
     --hostname server.example.com --port 389 \
     --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Retrieves a list of the SASL mechanisms that are available for a user. This will take into account the server configuration, the types of credentials the user has, and the authentication constraints defined for the user.
```
manage-account get-available-sasl-mechanisms --hostname server.example.com \
     --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Retrieves the time that a user's account was locked as a result of too many failed authentication attempts. This will only be available if failure lockout is enabled in the user's password policy.
```
manage-account get-failure-lockout-time --hostname server.example.com \
     --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Retrieves the times that a user has authenticated with grace logins after their password had expired. This will only be available if both password expiration and grace login support are configured in the user's password policy.
```
manage-account get-grace-login-use-times --hostname server.example.com \
     --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Determines whether a user has at least one registered YubiKey OTP device public ID.
```
manage-account get-has-registered-yubikey-public-id \
     --hostname server.example.com --port 389 \
     --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Determines whether a user has an active retired password.
```
manage-account get-has-retired-password --hostname server.example.com \
     --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Determines whether a user has one static password.
```
manage-account get-has-static-password --hostname server.example.com --port 389 \
     --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Determines whether a user has at least one TOTP shared secret that may be used in conjunction with the UNBOUNDID-TOTP SASL mechanism or the Verify TOTP extended operation.
```
manage-account get-has-totp-shared-secret --hostname server.example.com \
     --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Retrieves the time at which the user's account was locked because it had been too long since the user last authenticated, or the time it will be locked unless the user authenticates before that time. This will only be available if idle lockout is enabled in the user's password policy.
```
manage-account get-idle-lockout-time --hostname server.example.com --port 389 \
     --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Retrieves the IP address of the client from which a user last authenticated. This will only be available if last login IP address tracking is enabled in the user's password policy.
```
manage-account get-last-login-ip-address --hostname server.example.com \
     --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Retrieves the time that a user last authenticated. This will only be available if last login time tracking is enabled in the user's password policy.
```
manage-account get-last-login-time --hostname server.example.com --port 389 \
     --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Determines whether a user's password has been reset by an administrator and the user must choose a new password before they will be allowed to perform any other operations. This will only be available if force change on add or force change on reset is enabled in the user's password policy.
```
manage-account get-must-change-password --hostname server.example.com \
     --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Retrieves the most recent required change time with which a user has complied. This will only be available if a required change time is configured in the user's password policy.
```
manage-account get-password-changed-by-required-time \
     --hostname server.example.com --port 389 \
     --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Retrieve the time that a user's password was last changed, whether via a self change or an administrative reset.
```
manage-account get-password-changed-time --hostname server.example.com \
     --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Retrieves the time that a user's password will expire. This will only be available if password expiration is enabled in the user's password policy.
```
manage-account get-password-expiration-time --hostname server.example.com \
     --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Retrieve the time that a user received the first warning about an upcoming password expiration. This will only be available if password expiration is enabled in the user's password policy.
```
manage-account get-password-expiration-warned-time \
     --hostname server.example.com --port 389 \
     --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Retrieves the number of passwords in a user's password history. This will only be available if the password history is enabled in the user's password policy.
```
manage-account get-password-history-count --hostname server.example.com \
     --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Determine whether a user account has an expired password and therefore cannot authenticate or be used as an alternate authorization identity.
```
manage-account get-password-is-expired --hostname server.example.com --port 389 \
     --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Retrieve the DN of the password policy that governs a user.
```
manage-account get-password-policy-dn --hostname server.example.com --port 389 \
     --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Retrieves the time that a user's account was or will be locked for failing to choose a new password in a timely manner after an administrative reset. This will only be available if either force change on add or force change on reset is enabled in the user's password policy, and if a maximum password reset age is defined in the user's password policy.
```
manage-account get-password-reset-lockout-time --hostname server.example.com \
     --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Retrieves the time that a user's former password was retired.
```
manage-account get-password-retired-time --hostname server.example.com \
     --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Retrieves a list of the public IDs of the YubiKey OTP devices registered for a user.
```
manage-account get-registered-yubikey-public-ids --hostname server.example.com \
     --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Retrieves the number of additional failed authentication attempts that will be required to lock a user's account. This will only be available if failure lockout is enabled in the user's password policy.
```
manage-account get-remaining-authentication-failure-count \
     --hostname server.example.com --port 389 \
     --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Retrieves the number of additional grace logins that will be available to a user before they will be unable to authenticate with an expired password. This will only be available if both password expiration and grace login support are enabled in the user's password policy.
```
manage-account get-remaining-grace-login-count --hostname server.example.com \
     --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Retrieves the time that a user's retired password will expire.
```
manage-account get-retired-password-expiration-time \
     --hostname server.example.com --port 389 \
     --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Retrieve the length of time in seconds until a user's account is eligible for use.
```
manage-account get-seconds-until-account-activation \
     --hostname server.example.com --port 389 \
     --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Retrieve the length of time in seconds until a user's account expires.
```
manage-account get-seconds-until-account-expiration \
     --hostname server.example.com --port 389 \
     --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Retrieves the length of time in seconds until a user's temporary failure lockout expires. This will only be available if failure lockout is enabled in the user's password policy.
```
manage-account get-seconds-until-authentication-failure-unlock \
     --hostname server.example.com --port 389 \
     --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Retrieves the length of time in seconds until the user's account will be locked because it has been too long since the user last authenticated. This will only be available if idle lockout is enabled in the user's password policy.
```
manage-account get-seconds-until-idle-lockout --hostname server.example.com \
     --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Retrieves the length of time in seconds until a user's password will expire. This will only be available if password expiration is enabled in the user's password policy.
```
manage-account get-seconds-until-password-expiration \
     --hostname server.example.com --port 389 \
     --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Retrieve the length of time in seconds until a user will be eligible to start receiving warnings about an upcoming password expiration. This will only be available if password expiration is enabled in the user's password policy.
```
manage-account get-seconds-until-password-expiration-warning \
     --hostname server.example.com --port 389 \
     --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Determines the length of time in seconds until the user's account will be locked unless they choose a new password after an administrative password reset. This will only be available if either force change on add or force change on reset is enabled in the user's password policy, and if a maximum password reset age is defined in the user's password policy.
```
manage-account get-seconds-until-password-reset-lockout \
     --hostname server.example.com --port 389 \
     --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Retrieves the length of time in seconds until the user account is locked for failure to comply with a required change time. This will only be available if a required change time is configured in the user's password policy.
```
manage-account get-seconds-until-required-password-change-time \
     --hostname server.example.com --port 389 \
     --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com
```
Removes a value from the set of registered YubiKey OTP public IDs for a user.
```
manage-account remove-registered-yubikey-public-id \
     --hostname server.example.com --port 389 \
     --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com --publicID abcdefghijkl
```

| -O {value} | --publicID {value} |
| --- | --- |
| Description | The public ID for a YubiKey OTP device to deregister for a user. This argument must be provided at least once, but may be provided multiple times to specify multiple public IDs to deregister. |
| Required | Yes |
| Multi-Valued | Yes |
Removes a value from the set of TOTP shared secrets for a user.
```
manage-account remove-totp-shared-secret --hostname server.example.com \
     --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com \
     --totpSharedSecret abcdefghijklmnop
```

| -O {value} | --totpSharedSecret {value} |
| --- | --- |
| Description | A TOTP shared secret to remove from the user's entry. This argument must be provided at least once, but may be provided multiple times to specify multiple shared secrets to remove. |
| Required | Yes |
| Multi-Valued | Yes |
Set the account activation time for a user. If the activation time is in the future, the user cannot authenticate or be used as an alternate authorization identity. This can also be accomplished with a standard LDAP modify operation by setting the ds-pwp-account-activation-time attribute to have a generalized time representation of the desired activation time.
```
manage-account set-account-activation-time --hostname server.example.com \
     --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com \
     --accountActivationTime 20191210171733.517Z
```

| -O {timestamp} | --accountActivationTime {timestamp} |
| --- | --- |
| Description | The new value for the account activation time. It must be a timestamp formatted either in generalized time form or in the local time zone using one of the following formats: YYYYMMDDhhmmss.uuu, YYYYMMDDhhmmss, or YYYYMMDDhhmm. If this argument is not provided, the account activation time will be set to the current time. |
| Required | No |
| Multi-Valued | No |
Set the account expiration time for a user. If the expiration time is in the past, the user cannot authenticate or be used as an alternate authorization identity. This can also be accomplished with a standard LDAP modify operation by setting the ds-pwp-account-expiration-time attribute to have a generalized time representation of the desired expiration time.
```
manage-account set-account-expiration-time --hostname server.example.com \
     --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
     --targetDN uid=jdoe,ou=People,dc=example,dc=com \
     --accountExpirationTime 20191210171733.517Z
```

| -O {timestamp} | --accountExpirationTime {timestamp} |
| --- | --- |
| Description | The new value for the account expiration time. It must be a timestamp formatted either in generalized time form or in the local time zone using one of the following formats: YYYYMMDDhhmmss.uuu, YYYYMMDDhhmmss, or YYYYMMDDhhmm. If this argument is not provided, the account expiration time will be set to the current time. |
| Required | No |
| Multi-Valued | No |
Specify whether a user account is administratively disabled. A disabled account cannot authenticate or be used as an alternate authorization identity. This can also be accomplished with a standard LDAP modify operation by setting the value of the ds-pwp-account-disabled operational attribute in the user's entry with a value of either true or false (or by removing the attribute from the user's entry, which is equivalent to giving it a value of false).
manage-account set-account-is-disabled --hostname server.example.com --port 389 \
  --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
  --targetDN uid=jdoe,ou=People,dc=example,dc=com --accountIsDisabled true
-O {true|false}
--accountIsDisabled {true|false}
Description | The new value for the flag indicating whether the user's account is disabled. The value must be either 'true' or 'false'. |
Required | Yes |
Multi-Valued | No |
Specifies whether a user's account should be locked as a result of too many failed authentication attempts. This will have no effect if failure lockout is not enabled in the user's password policy.
manage-account set-account-is-failure-locked --hostname server.example.com \
  --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
  --targetDN uid=jdoe,ou=People,dc=example,dc=com \
  --accountIsFailureLocked true
-O {true|false}
--accountIsFailureLocked {true|false}
Description | Indicates whether the user's account should be locked as a result of too many failed authentication attempts. The value must be either 'true' (in which case the server will update the user's entry to include the necessary number of failed authentication attempts) or 'false' (in which case the server will clear information about any authentication failures from a user's entry). |
Required | Yes |
Multi-Valued | No |
Sets the timestamps for failed authentication attempts for a user. If the number of authentication failure times provided is greater than or equal to the lockout failure count for the user's password policy, the user's account will be locked. This will have no effect if failure lockout is not enabled in the user's password policy.
manage-account set-authentication-failure-times --hostname server.example.com \
  --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
  --targetDN uid=jdoe,ou=People,dc=example,dc=com \
  --authenticationFailureTime 20191210171721.174Z \
  --authenticationFailureTime 20191210171733.517Z
-O {timestamp}
--authenticationFailureTime {timestamp}
Description | A timestamp for an authentication failure time to set in the user's entry. It must be a timestamp formatted either in generalized time form or in the local time zone using one of the following formats: YYYYMMDDhhmmss.uuu, YYYYMMDDhhmmss, or YYYYMMDDhhmm. This argument may be provided multiple times to specify multiple authentication failure times. If this argument is not provided, the set of authentication failure times will be updated to include only the current time. |
Required | No |
Multi-Valued | No |
Replaces the set of grace login use times for a user. This will have no effect unless both password expiration and grace login support are configured in the user's password policy.
manage-account set-grace-login-use-times --hostname server.example.com \
  --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
  --targetDN uid=jdoe,ou=People,dc=example,dc=com \
  --graceLoginUseTime 20191210171721.174Z \
  --graceLoginUseTime 20191210171733.517Z
-O {timestamp}
--graceLoginUseTime {timestamp}
Description | A timestamp for a grace login use time to set in the user's entry. It must be a timestamp formatted either in generalized time form or in the local time zone using one of the following formats: YYYYMMDDhhmmss.uuu, YYYYMMDDhhmmss, or YYYYMMDDhhmm. This argument may be provided multiple times to specify multiple grace login use times. If this argument is not provided, the set of grace login use times will be updated to contain only the current time. |
Required | No |
Multi-Valued | No |
Specifies the IP address of the client from which a user last authenticated. This will have no effect if last login IP address tracking is not enabled in the user's password policy.
manage-account set-last-login-ip-address --hostname server.example.com \
  --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
  --targetDN uid=jdoe,ou=People,dc=example,dc=com \
  --lastLoginIPAddress 1.2.3.4
-O {value}
--lastLoginIPAddress {value}
Description | The last login IP address value to use. It may be an IPv4 or IPv6 address. |
Required | Yes |
Multi-Valued | No |
Specifies the time that a user last authenticated. This will have no effect if last login time tracking is not enabled in the user's password policy.
manage-account set-last-login-time --hostname server.example.com --port 389 \
  --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
  --targetDN uid=jdoe,ou=People,dc=example,dc=com \
  --lastLoginTime 20191210171733.517Z
-O {timestamp}
--lastLoginTime {timestamp}
Description | The timestamp to use for the last login time value. It must be a timestamp formatted either in generalized time form or in the local time zone using one of the following formats: YYYYMMDDhhmmss.uuu, YYYYMMDDhhmmss, or YYYYMMDDhhmm. If this argument is not provided, the last login time will be set to the current time. |
Required | No |
Multi-Valued | No |
Specifies whether a user's password has been reset by an administrator and the user must choose a new password before they will be allowed to perform any other operations. This will have no effect if neither force change on add nor force change on reset is enabled in the user's password policy.
manage-account set-must-change-password --hostname server.example.com \
  --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
  --targetDN uid=jdoe,ou=People,dc=example,dc=com --mustChangePassword true
-O {true|false}
--mustChangePassword {true|false}
Description | Indicates whether the user should be forced to choose a new password before being permitted to perform any other operations. The value must be either 'true' or 'false'. |
Required | Yes |
Multi-Valued | No |
Specifies the most recent required change time with which a user has complied. This will not have any effect unless a required change time is configured in the user's password policy.
manage-account set-password-changed-by-required-time \
  --hostname server.example.com --port 389 \
  --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
  --targetDN uid=jdoe,ou=People,dc=example,dc=com
-O {timestamp}
--passwordChangedByRequiredTime {timestamp}
Description | The most recent required change time with which the user has complied. It must be a timestamp formatted either in generalized time form or in the local time zone using one of the following formats: YYYYMMDDhhmmss.uuu, YYYYMMDDhhmmss, or YYYYMMDDhhmm. If this argument is not provided, the most recent required change time will be used. |
Required | No |
Multi-Valued | No |
Set the password changed time value for a user.
manage-account set-password-changed-time --hostname server.example.com \
  --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
  --targetDN uid=jdoe,ou=People,dc=example,dc=com \
  --passwordChangedTime 20191210171733.517Z
-O {timestamp}
--passwordChangedTime {timestamp}
Description | The new value for the password changed time. It must be a timestamp formatted either in generalized time form or in the local time zone using one of the following formats: YYYYMMDDhhmmss.uuu, YYYYMMDDhhmmss, or YYYYMMDDhhmm. If this argument is not provided, the password changed time will be set to the current time. |
Required | No |
Multi-Valued | No |
Specify the time that a user received the first warning about an upcoming password expiration. Note that this will not in itself trigger a password expiration warning nor cause any account status notification handlers to be invoked. This will have no effect if password expiration is not enabled in the user's password policy.
manage-account set-password-expiration-warned-time \
  --hostname server.example.com --port 389 \
  --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
  --targetDN uid=jdoe,ou=People,dc=example,dc=com \
  --passwordExpirationWarnedTime 20191210171733.517Z
-O {timestamp}
--passwordExpirationWarnedTime {timestamp}
Description | The new value for the password expiration warned time. It must be a timestamp formatted either in generalized time form or in the local time zone using one of the following formats: YYYYMMDDhhmmss.uuu, YYYYMMDDhhmmss, or YYYYMMDDhhmm. If this argument is not provided, the password expiration warned time will be set to the current time. |
Required | No |
Multi-Valued | No |
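Every timestamp-valued argument above (account activation and expiration times, authentication failure times, grace login use times, last login time, password changed and warned times) accepts the same forms: generalized time, as in the page's examples, or one of the three local-time layouts YYYYMMDDhhmmss.uuu, YYYYMMDDhhmmss and YYYYMMDDhhmm. The following is an added example, not code from the manage-account tool or its vendor: it validates and parses those forms into timezone-aware values, formats a value back into the generalized-time form shown in the examples, and mirrors two rules stated on this page, that an expiration time in the past means the account cannot authenticate, and that an account is failure-locked once the number of failure times reaches the policy's lockout failure count. Accepting a +hhmm/-hhmm offset in place of Z (which RFC 4517 generalized time allows) and treating a lockout count of 0 as "failure lockout disabled" are assumptions of this example, not statements from the page.

```python
"""Timestamp handling for manage-account arguments (added example, not the tool's own code)."""
import re
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

UTC = timezone.utc

# Generalized time as shown in the page's examples (20191210171733.517Z). RFC 4517
# also allows a +hhmm/-hhmm offset in place of Z; whether manage-account accepts
# that variant is not stated on the page, so accepting it here is an assumption.
_GENERALIZED = re.compile(
    r"^(?P<y>\d{4})(?P<mo>\d{2})(?P<d>\d{2})(?P<h>\d{2})(?P<mi>\d{2})(?P<s>\d{2})"
    r"(?:\.(?P<frac>\d{1,3}))?(?P<tz>Z|[+-]\d{4})$"
)
# The three local-time forms the page lists: YYYYMMDDhhmmss.uuu, YYYYMMDDhhmmss, YYYYMMDDhhmm.
_LOCAL = re.compile(
    r"^(?P<y>\d{4})(?P<mo>\d{2})(?P<d>\d{2})(?P<h>\d{2})(?P<mi>\d{2})"
    r"(?:(?P<s>\d{2})(?:\.(?P<frac>\d{3}))?)?$"
)


def _fields(m) -> dict:
    """Turn regex groups into datetime() keyword arguments; the fraction is milliseconds."""
    g = m.groupdict()
    frac = (g.get("frac") or "0").ljust(3, "0")  # ".5" means 500 ms
    return dict(year=int(g["y"]), month=int(g["mo"]), day=int(g["d"]),
                hour=int(g["h"]), minute=int(g["mi"]), second=int(g.get("s") or 0),
                microsecond=int(frac) * 1000)


def _offset(tz: str) -> timezone:
    """Map the trailing Z or +hhmm/-hhmm of a generalized time to a tzinfo."""
    if tz == "Z":
        return UTC
    sign = 1 if tz[0] == "+" else -1
    return timezone(sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5])))


def parse_timestamp(value: str, local_tz: Optional[timezone] = None) -> datetime:
    """Return an aware datetime for a manage-account timestamp argument.

    Local-time forms carry no zone, so they are interpreted in local_tz (the
    system zone when None), matching the page's "in the local time zone".
    Raises ValueError for an unrecognised layout or an impossible calendar date.
    """
    m = _GENERALIZED.match(value)
    if m:
        return datetime(**_fields(m), tzinfo=_offset(m.group("tz")))
    m = _LOCAL.match(value)
    if m:
        naive = datetime(**_fields(m))
        return naive.replace(tzinfo=local_tz) if local_tz else naive.astimezone()
    raise ValueError(f"not a manage-account timestamp: {value!r}")


def is_valid_timestamp(value: str) -> bool:
    """True when value matches an accepted form and names a real calendar date."""
    try:
        parse_timestamp(value, UTC)
        return True
    except ValueError:
        return False


def to_generalized_time(dt: datetime) -> str:
    """Format an aware datetime the way the page's examples do: UTC, millisecond precision."""
    utc = dt.astimezone(UTC)
    return utc.strftime("%Y%m%d%H%M%S") + f".{utc.microsecond // 1000:03d}Z"


def expiration_passed(expiration: str, now: datetime, local_tz: Optional[timezone] = None) -> bool:
    """Page rule for set-account-expiration-time: an expiration time in the past
    means the account can no longer authenticate."""
    return parse_timestamp(expiration, local_tz) < now


def failure_locked(failure_times: Iterable[str], lockout_failure_count: int) -> bool:
    """Page rule for set-authentication-failure-times: locked once the number of
    failure times reaches the lockout failure count. A count of 0 models failure
    lockout being disabled in the policy (modelling assumption, not from the page)."""
    times = [parse_timestamp(t, UTC) for t in failure_times]  # raises on a malformed value
    return lockout_failure_count > 0 and len(times) >= lockout_failure_count


if __name__ == "__main__":
    stamp = "20191210171733.517Z"  # value taken from the page's examples
    print(parse_timestamp(stamp).isoformat())
    print(to_generalized_time(datetime(2020, 1, 1, tzinfo=UTC)))
```

Feeding a local-time form through parse_timestamp on a workstation whose zone differs from the server's is the usual way to set an expiration or activation time hours off from what was intended; generating the argument with to_generalized_time avoids that class of mistake.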
Replaces the list of the public IDs of the YubiKey OTP devices registered for a user.
manage-account set-registered-yubikey-public-ids --hostname server.example.com \
  --port 389 --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
  --targetDN uid=jdoe,ou=People,dc=example,dc=com --publicID abcdefghijkl
-O {value}
--publicID {value}
Description | The public ID for a YubiKey OTP device to register for a user. This argument must be provided at least once, but may be provided multiple times to specify multiple public IDs to register. |
Required | Yes |
Multi-Valued | Yes |
Replaces the set of TOTP shared secrets registered for a user.
manage-account set-totp-shared-secrets --hostname server.example.com --port 389 \
  --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
  --targetDN uid=jdoe,ou=People,dc=example,dc=com \
  --totpSharedSecret abcdefghijklmnop
-O {value}
--totpSharedSecret {value}
Description | The TOTP shared secret to register for a user. This argument must be provided at least once, but may be provided multiple times to specify multiple TOTP shared secrets to register. |
Required | Yes |
Multi-Valued | Yes |
-V
--version
Description | Display Directory Server version information |
-H
--help
Description | Display general usage information |
--help-ldap
Description | Display help for using LDAP options |
--help-sasl
Description | Display help for using SASL options |
--help-debug
Description | Display help for using debug options |
Advanced | Yes |
-h {host}
--hostname {host}
Description | The IP address or resolvable name to use to connect to the directory server. If this is not provided, then a default value of 'localhost' will be used. |
Default Value | localhost |
Required | Yes |
Multi-Valued | Yes |
-p {port}
--port {port}
Description | The port to use to connect to the directory server. If this is not provided, then a default value of 389 will be used. |
Default Value | 389 |
Required | Yes |
Multi-Valued | No |
-D {dn}
--bindDN {dn}
Description | The DN to use to bind to the directory server when performing simple authentication. |
Required | No |
Multi-Valued | No |
-w {password}
--bindPassword {password}
Description | The password to use to bind to the directory server when performing simple authentication or a password-based SASL mechanism. |
Required | No |
Multi-Valued | No |
-j {path}
--bindPasswordFile {path}
Description | The path to the file containing the password to use to bind to the directory server when performing simple authentication or a password-based SASL mechanism. |
Required | No |
Multi-Valued | No |
--promptForBindPassword
Description | Indicates that the tool should interactively prompt the user for the bind password. |
-Z
--useSSL
Description | Use SSL when communicating with the directory server. |
-q
--useStartTLS
Description | Use StartTLS when communicating with the directory server. |
-X
--trustAll
Description | Trust any certificate presented by the directory server. |
-K {path}
--keyStorePath {path}
Description | The path to the file to use as the key store for obtaining client certificates when communicating securely with the directory server. |
Required | No |
Multi-Valued | No |
-W {password}
--keyStorePassword {password}
Description | The password to use to access the key store contents. |
Required | No |
Multi-Valued | No |
-u {path}
--keyStorePasswordFile {path}
Description | The path to the file containing the password to use to access the key store contents. |
Required | No |
Multi-Valued | No |
--promptForKeyStorePassword
Description | Indicates that the tool should interactively prompt the user for the password to use to access the key store contents. |
--keyStoreFormat {format}
Description | The format (e.g., jks, jceks, pkcs12, etc.) for the key store file. |
Required | No |
Multi-Valued | No |
-P {path}
--trustStorePath {path}
Description | The path to the file to use as trust store when determining whether to trust a certificate presented by the directory server. |
Required | No |
Multi-Valued | No |
-T {password}
--trustStorePassword {password}
Description | The password to use to access the trust store contents. |
Required | No |
Multi-Valued | No |
-U {path}
--trustStorePasswordFile {path}
Description | The path to the file containing the password to use to access the trust store contents. |
Required | No |
Multi-Valued | No |
--promptForTrustStorePassword
Description | Indicates that the tool should interactively prompt the user for the password to use to access the trust store contents. |
--trustStoreFormat {format}
Description | The format (e.g., jks, jceks, pkcs12, etc.) for the trust store file. |
Required | No |
Multi-Valued | No |
-N {nickname}
--certNickname {nickname}
Description | The nickname (alias) of the client certificate in the key store to present to the directory server for SSL client authentication. |
Required | No |
Multi-Valued | No |
--enableSSLDebugging
Description | Enable Java's low-level support for debugging SSL/TLS communication. This is equivalent to setting the "javax.net.debug" property to "all". |
-o {name=value}
--saslOption {name=value}
Description | A name-value pair providing information to use when performing SASL authentication. |
Required | No |
Multi-Valued | Yes |
--useSASLExternal
Description | Use the SASL EXTERNAL mechanism to authenticate. |
--helpSASL
Description | Provide information about the supported SASL mechanisms, including the properties available for use with each. |
-b {dn}
--targetDN {dn}
Description | The DN of the user entry on which to operate. This argument may be provided multiple times to specify multiple user DNs. |
Required | No |
Multi-Valued | Yes |
--dnInputFile {path}
Description | The path to a file containing the DNs of the user entries on which to operate. The DN file must contain one DN per line, and blank lines and lines starting with an octothorpe (#) will be ignored. This argument may be provided multiple times to use multiple DN files. |
Required | No |
Multi-Valued | Yes |
--targetFilter {filter}
Description | An LDAP filter that may be used to identify the user entries on which to operate. The baseDN argument may be used to specify the base DN for the search. This argument may be provided multiple times to specify multiple target filters. |
Required | No |
Multi-Valued | No |
--filterInputFile {path}
Description | The path to a file containing a set of LDAP filters to use to identify the user entries on which to operate. The baseDN argument may be used to specify the base DN for the searches. The filter file must contain one filter per line, and blank lines and lines starting with an octothorpe (#) will be ignored. This argument may be provided multiple times to use multiple filter files. |
Required | No |
Multi-Valued | Yes |
--targetUserID {value}
Description | A string that identifies a user on which to operate. The tool will search for the user with a base DN specified by the baseDN argument and a user ID attribute specified by the userIDAttribute argument. This argument may be provided multiple times to specify multiple target user IDs. |
Required | No |
Multi-Valued | Yes |
--userIDInputFile {path}
Description | The path to a file containing a set of user ID values. The file must contain one user ID per line, and blank lines and lines starting with an octothorpe (#) will be ignored. The tool will search for the users with a base DN specified by the baseDN argument and a user ID attribute specified by the userIDAttribute argument. This argument may be provided multiple times to use multiple user ID files. |
Required | No |
Multi-Valued | Yes |
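The --dnInputFile, --filterInputFile and --userIDInputFile arguments share one file layout (one value per line, blank lines and lines starting with an octothorpe ignored), and the --targetUserID and --userIDInputFile paths turn each user ID into a search on the userIDAttribute under baseDN. The following is an added example, not code from the manage-account tool: it reads a file under those rules and builds the equality filter for each user ID with RFC 4515 escaping, so that an ID containing filter metacharacters (for instance one copied from a ticket or an HR export) can only ever match literally rather than widen the set of entries the operation is applied to. The sample file is constructed for this example; the equality form of the filter and the trimming of surrounding whitespace are assumptions, since the page does not show the exact filter the tool builds or how it treats whitespace.

```python
"""Reading manage-account input files and building escaped user-ID filters (added example)."""
from typing import List

# Constructed sample of a --userIDInputFile: one value per line, blank lines and
# lines starting with '#' ignored, as the page describes.
SAMPLE_USER_ID_FILE = """\
# accounts to disable after the offboarding review (constructed sample)
jdoe

asmith
  # an indented comment line is also skipped here (assumption, not stated on the page)
bjones
"""

# Characters that must be escaped inside an LDAP filter assertion value (RFC 4515).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def read_input_file(text: str) -> List[str]:
    """Apply the page's file rules: one value per line, skip blank and '#' lines.
    Surrounding whitespace is trimmed here; the page does not say how the tool treats it."""
    values = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        values.append(line)
    return values


def escape_filter_value(value: str) -> str:
    """Escape a value for use as an LDAP filter assertion value so it matches
    literally and cannot alter the structure of the filter it is placed in."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_id_filter(user_id: str, user_id_attribute: str = "uid") -> str:
    """Equality filter for one user ID on the userIDAttribute (page default: uid).
    The page does not show the filter the tool builds, so this form is an assumption."""
    return f"({user_id_attribute}={escape_filter_value(user_id)})"


def user_id_filters_from_file(text: str, user_id_attribute: str = "uid") -> List[str]:
    """Read a userIDInputFile and produce one escaped equality filter per ID."""
    return [user_id_filter(uid, user_id_attribute) for uid in read_input_file(text)]


if __name__ == "__main__":
    for f in user_id_filters_from_file(SAMPLE_USER_ID_FILE):
        print(f)
```

The same read_input_file routine applies to a DN file; a filter file is the one case where the lines are intentionally raw filters and must not be escaped, which is why such files should be treated as privileged input and reviewed before being passed to --filterInputFile.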
--userIDAttribute {value}
Description | The name or OID of the attribute used to identify users with IDs specified using the targetUserID and userIDInputFile arguments. If this argument is not provided, a default user ID attribute of uid will be used. |
Default Value | uid |
Required | No |
Multi-Valued | No |
--baseDN {dn}
Description | The base DN to use when searching for user entries when using any of the targetFilter, filterInputFile, targetUserID, or userIDInputFile arguments. If this argument is not provided, the default base DN will be the null DN. |
Default Value | |
Required | No |
Multi-Valued | No |
-z {value}
--simplePageSize {value}
Description | Indicates that any searches performed to identify which users to target should make use of the simple paged results control to cause the entries to be returned in sets of no more than the specified number of entries. When processing searches that may return a large number of entries, setting a page size can help reduce the likelihood that the server will need to block while sending results to the client if matching entries are identified much more quickly than the client can process the desired manage-account operations against those entries. Further, when performing searches that may return a large number of entries, and especially for unindexed searches, setting a page size can help the client more efficiently resume processing in the event that the connection used to process the search becomes unusable. |
Upper Bound | 2147483647 |
Required | No |
Multi-Valued | No |
-t {value}
--numThreads {value}
Description | The number of concurrent threads to use when performing manage-account operations against user entries. If this argument is not provided, a default value of one will be used. |
Upper Bound | 2147483647 |
Default Value | 1 |
Required | No |
Multi-Valued | No |
--numSearchThreads {value}
Description | The number of concurrent threads to use when searching for entries to target with manage-account operations. This will only be used if arguments are provided that require the tool to perform searches to identify which entries to target (and will primarily be useful only in cases in which there will be multiple searches, as when reading filters or user IDs from a file). If this argument is not provided, a default value of one will be used. |
Upper Bound | 2147483647 |
Default Value | 1 |
Required | No |
Multi-Valued | No |
-r {value}
--ratePerSecond {value}
Description | The maximum rate, in operations per second, at which to target user entries. If neither this nor the variableRateData argument is provided, then the tool will not perform any rate limiting. |
Upper Bound | 2147483647 |
Required | No |
Multi-Valued | No |
--variableRateData {path}
Description | The path to a file containing a variable rate definition that may be used to cause the tool to vary the amount of load it generates over time. If neither this nor the ratePerSecond argument is provided, then the tool will not perform any rate limiting. |
Required | No |
Multi-Valued | No |
--generateSampleRateFile {path}
Description | The path to a file to create with a sample variable rate definition. This file will contain comments that describe the expected format for the file to use with the variableRateData argument. |
Required | No |
Multi-Valued | No |
-R {path}
--rejectFile {path}
Description | The path to a file to write with a record of any unsuccessful attempts to retrieve or update account information for a user. |
Required | No |
Multi-Valued | No |
--appendToRejectFile
Description | Indicates that the tool should append to the file specified by the --rejectFile argument if it already exists. If this argument is not provided and the reject file already exists, it will be overwritten. |
--suppressEmptyResultOperations
Description | Indicates that the result information for each manage-account operation processed should suppress information about password policy state operations included in the result that do not have any values. Operations presented without values generally indicate that the user's password policy is not configured for the associated functionality (e.g., if the password expiration time was requested but password expiration is not enabled in the user's password policy). |
--interactive
Description | Launch the tool in interactive mode. |
--outputFile {path}
Description | Write all standard output and standard error messages to the specified file instead of to the console. |
Required | No |
Multi-Valued | No |
--appendToOutputFile
Description | Indicates that the tool should append to the file specified by the --outputFile argument if it already exists. If this argument is not provided and the output file already exists, it will be overwritten. |
--teeOutput
Description | Write all standard output and standard error messages to the console as well as to the specified output file. The --outputFile argument must also be provided. |
--helpSubcommands
Description | Display the names and descriptions of the supported subcommands. |
--propertiesFilePath {path}
Description | The path to a properties file used to specify default values for arguments not supplied on the command line. |
Required | No |
Multi-Valued | No |
--generatePropertiesFile {path}
Description | Write an empty properties file that may be used to specify default values for arguments. |
Required | No |
Multi-Valued | No |
--noPropertiesFile
Description | Do not obtain any argument values from a properties file. |
--suppressPropertiesFileComment
Description | Suppress output listing the arguments obtained from a properties file. |