Password policy queries
The password policy operational attributes can be used to view the status of a directory entry or to query for entries matching specified criteria. Operational attributes are returned on a search request only when specifically requested by the client. To use these attributes in search operations, you must have permission to critical attributes, or permission to the specific attributes used.
To view all password policy attributes for a given entry:
> ldapsearch -b "uid=user1,cn=users,o=ibm" -s base "(objectclass=*)" pwdChangedTime pwdAccountLockedTime pwdExpirationWarned pwdFailureTime pwdGraceUseTime pwdReset
To query for entries for which the password is about to expire, use the pwdChangedTime attribute. For example, to find passwords which expire August 26, 2004, with a password expiration policy of 186 days, query for entries for which the password was changed at least 186 days ago (February 22, 2004):
> ldapsearch -b "cn=users,o=ibm" -s sub "(!(pwdChangedTime>20040222000000Z))" 1.1
where the filter is equivalent to pwdChangedTime of midnight, February 22, 2004.
To query for locked accounts, use the pwdAccountLockedTime attribute:
> ldapsearch -b "cn=users,o=ibm" -s sub "(pwdAccountLockedTime=*)" 1.1
where "1.1" indicates that only the entry DNs are to be returned.
To query for accounts for which the password must be changed because the password was reset, use the pwdReset attribute:
> ldapsearch -b "cn=users,o=ibm" -s sub "(pwdReset=TRUE)" 1.1
Overriding password policy
A directory administrator can override normal password policy behavior for specific entries by modifying the password policy operational attributes and using the server administration control (-k option of the LDAP command line utilities).
You can prevent the password for a particular account from expiring by setting the pwdChangedTime attribute to a date far in the future when setting the userPassword attribute. The following example sets the time to midnight, January 1, 2200.
> ldapmodify -D cn=root -w ? -k dn: uid=wasadmin,cn=users,o=ibm changetype: modify replace: pwdChangedTime pwdChangedTime: 22000101000000Z
You can unlock an account which has been locked due to excessive login failures by removing the pwdAccountLockedTime and pwdFailureTime attributes:
> ldapmodify -D cn=root -w ? -k dn: uid=user1,cn=users,o=ibm changetype: modify delete: pwdAccountLockedTime - delete: pwdFailureTime
You can unlock an expired account by changing the pwdChangedTime and clearing the pwdExpirationWarned and pwdGraceUseTime attributes:
> ldapmodify -D cn=root -w ? -k dn: uid=user1,cn=users,o=ibm changetype: modify replace: pwdChangedTime pwdChangedTime: 20040826000000Z - delete: pwdExpirationWarned - delete: pwdGraceUseTime
You can clear or set the "password must be changed" status by setting the pwdReset attribute:
> ldapmodify -D cn=root -w ? -k dn: uid=user1,cn=users,o=ibm changetype: modify delete: pwdReset > ldapmodify -D cn=root -w ? -k dn: uid=user2,cn=users,o=ibm changetype: modify replace: pwdReset pwdReset: TRUE
An account can be administratively locked by setting the ibm-pwdAccountLocked operational attribute to TRUE. The account can be unlocked by setting the attribute to FALSE. Unlocking an account in this way does not affect the state of the account with respect to being locked due to excessive password failures or an expired password.
The user setting this attribute must have permission to write is the ibm-pwdAccountLocked attribute, which is defined as being in the CRITICAL access class.
> ldapmodify -D uid=useradmin,cn=users,o=ibm -w ? dn: uid=user1,cn=users,o=ibm changetype: modify replace: ibm-pwdAccountLocked ibm-pwdAccountLocked: TRUE
To unlock the account:
> ldapmodify -D uid=useradmin,cn=users,o=ibm -w ? dn: uid=user1,cn=users,o=ibm changetype: modify replace: ibm-pwdAccountLocked ibm-pwdAccountLocked: FALSE
Other password policy tips
There are two areas where the implementation of password policy may not behave as expected:
