Managing User Accounts
Use the manage-account command to display information about accounts and to lock or unlock accounts.
Use the ldappasswordmodify command to reset a user password.
By default, user accounts are locked for 15 minutes after five unsuccessful login attempts.
The following sections provide a starting point that you can use to determine how to manage your user accounts. The example commands in the sections assume the following:
• The commands are entered on the host where Windchill Directory Server resides (localhost is used).
• The Windchill Directory Server administrative port is 4444.
• The Windchill Directory Server bind DN is “cn=Manager” and the bind password is “admin”.
The commands require the DN of a user. To get the user DN, you can view the user entry from the Windchill Directory Server control panel.
Displaying the Status of User Accounts
To display the password policy state information for a specific user, use a command similar to the following:
manage-account get-all --targetDN "<user-DN>"
--hostname "localhost" --port "4444" --trustAll
--bindDN "cn=manager" --bindPassword admin
Replace <user-DN> with the DN of the user.
Typical output from this command includes the following:
Password Policy DN: cn=Default Password Policy,cn=Password Policies,cn=config
Account Is Disabled: false
Account Expiration Time:
Seconds Until Account Expiration:
Password Changed Time: 20091008144013.142Z
Password Expiration Warned Time:
Seconds Until Password Expiration:
Seconds Until Password Expiration Warning:
Authentication Failure Times:
Seconds Until Authentication Failure Unlock:
Remaining Authentication Failure Count: 3
Last Login Time:
Seconds Until Idle Account Lockout:
Password Is Reset: false
Seconds Until Password Reset Lockout:
Grace Login Use Times:
Remaining Grace Login Count: 0
Password Changed by Required Time:
Seconds Until Required Change Time:
Password History:
Depending on your password policy settings, your output may be different than the typical output.
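The state report above is plain "Key: value" text, so it can be parsed and checked in bulk. The following is an added example (not part of the Windchill Directory Server tooling) that parses a report of this shape and classifies the account; the report text and the warning threshold of two remaining attempts are constructed assumptions.

```python
"""Parse the report printed by 'manage-account get-all' and flag accounts
that need attention: manually disabled, locked out, or close to lockout."""

# Constructed sample in the report format shown on this page: three
# failures recorded and the 15-minute lockout countdown still running.
SAMPLE_REPORT = """\
Password Policy DN: cn=Default Password Policy,cn=Password Policies,cn=config
Account Is Disabled: false
Account Expiration Time:
Password Changed Time: 20091008144013.142Z
Authentication Failure Times: 20091009101544.000Z
Seconds Until Authentication Failure Unlock: 742
Remaining Authentication Failure Count: 2
Last Login Time:
Password Is Reset: false
Remaining Grace Login Count: 0
"""


def parse_report(text):
    """Turn 'Key: value' lines into a dict; an empty value becomes None."""
    state = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        state[key.strip()] = value if value else None
    return state


def account_status(state, warn_below=2):
    """Classify an account from its policy state; returns (status, detail)."""
    if state.get("Account Is Disabled") == "true":
        return "disabled", "manually disabled; use clear-account-is-disabled to re-enable"
    unlock = state.get("Seconds Until Authentication Failure Unlock")
    if unlock is not None:
        return "locked", f"failure lockout in effect, unlocks in {int(unlock)}s"
    if state.get("Password Is Reset") == "true":
        return "reset", "password was reset; user must change it at next login"
    remaining = state.get("Remaining Authentication Failure Count")
    if remaining is not None and int(remaining) <= warn_below:
        return "warning", f"only {remaining} failed attempt(s) left before lockout"
    return "ok", "no password policy action pending"


if __name__ == "__main__":
    print(account_status(parse_report(SAMPLE_REPORT)))
```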
Locking and Unlocking User Accounts
You can manually lock user accounts and you can unlock accounts that have been locked manually or by password policy events.
By default, user accounts are locked for 15 minutes after five unsuccessful login attempts.
To lock the account of a specific user, use a command similar to the following:
manage-account set-account-is-disabled
--targetDN "<user-DN>"
--operationValue "true" --hostname "localhost"
--port "4444" --trustAll --bindDN "cn=manager" --bindPassword admin
Replace <user-DN> with the full distinguished name of the user.
To unlock an account that has been locked, use a command similar to the following:
manage-account clear-account-is-disabled
--targetDN "<user-DN>"
--hostname "localhost" --port "4444" --trustAll
--bindDN "cn=manager" --bindPassword admin
Replace <user-DN> with the DN of the user.
Resetting User Passwords
You can reset user passwords to specific passwords or to randomly generated passwords.
To reset the password for a specific user to a specific password, use a command similar to the following:
ldappasswordmodify --authzID "dn:<user-DN>"
--newPassword "<new password>" --hostname "localhost"
--port "4444" --trustAll --bindDN "cn=manager" --bindPassword admin
--useSSL
Replace <user-DN> with the DN of the user and <new password> with the password to set.
When successful, the following output is returned:
The LDAP password modify operation was successful
If you have set up email notifications, users are notified when passwords are reset; however, the message sent does not include the password.
To reset the password for a specific user to a randomly generated password, remove the --newPassword option from the previous command as follows:
ldappasswordmodify --authzID "dn:<user-DN>"
--hostname "localhost" --port "4444"
--trustAll --bindDN "cn=manager" --bindPassword admin --useSSL
Replace <user-DN> with the DN of the user.
The following output is returned when the password has been generated:
The LDAP password modify operation was successful
Generated Password: <new_password>
If you have set up email notifications, users are notified when passwords are reset; however, you must still inform the user of the generated password.