<?xml version="1.0" encoding="UTF-8"?>
<!--
! CCPL HEADER START
!
! This work is licensed under the Creative Commons
! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
! To view a copy of this license, visit
! http://creativecommons.org/licenses/by-nc-nd/3.0/
! or send a letter to Creative Commons, 444 Castro Street,
! Suite 900, Mountain View, California, 94041, USA.
!
! You can also obtain a copy of the license at
! trunk/opendj3/legal-notices/CC-BY-NC-ND.txt.
! See the License for the specific language governing permissions
! and limitations under the License.
!
! If applicable, add the following below this CCPL HEADER, with the fields
! enclosed by brackets "[]" replaced with your own identifying information:
! Portions Copyright [yyyy] [name of copyright owner]
!
! CCPL HEADER END
!
! Copyright 2011-2014 ForgeRock AS
!
-->
<refentry xml:id='manage-account-1'
xmlns='http://docbook.org/ns/docbook'
version='5.0' xml:lang='en'
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
xsi:schemaLocation='http://docbook.org/ns/docbook
http://docbook.org/xml/5.0/xsd/docbook.xsd'>
<info><copyright><year>2011-2014</year><holder>ForgeRock AS</holder></copyright></info>
<refmeta>
<refentrytitle>manage-account</refentrytitle><manvolnum>1</manvolnum>
<refmiscinfo class="software">OpenDJ</refmiscinfo>
<refmiscinfo class="version"><?eval ${docTargetVersion}?></refmiscinfo>
</refmeta>
<refnamediv>
<refname>manage-account</refname>
<refpurpose>manage state of directory server accounts</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>manage-account</command>
<command><replaceable>subcommand</replaceable></command>
<arg choice="req">options</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>This utility can be used to retrieve and manipulate the values of
password policy state variables.</para>
</refsect1>
<refsect1>
<title>Subcommands</title>
<para>The following subcommands are supported.</para>
<variablelist>
<varlistentry>
<term><command>manage-account clear-account-is-disabled</command></term>
<listitem>
<para>Clear account disabled state information from the user account</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>manage-account get-account-expiration-time</command></term>
<listitem>
<para>Display when the user account will expire</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>manage-account get-account-is-disabled</command></term>
<listitem>
<para>Display information about whether the user account has been
administratively disabled</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>manage-account get-all</command></term>
<listitem>
<para>Display all password policy state information for the user</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>manage-account get-authentication-failure-times</command></term>
<listitem>
<para>Display the authentication failure times for the user</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>manage-account get-grace-login-use-times</command></term>
<listitem>
<para>Display the grace login use times for the user</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>manage-account get-last-login-time</command></term>
<listitem>
<para>Display the time that the user last authenticated to the server</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>manage-account get-password-changed-by-required-time</command></term>
<listitem>
<para>Display the required password change time with which the user last
complied</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>manage-account get-password-changed-time</command></term>
<listitem>
<para>Display the time that the user's password was last changed</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>manage-account get-password-expiration-warned-time</command></term>
<listitem>
<para>Display the time that the user first received an expiration warning
notice</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>manage-account get-password-history</command></term>
<listitem>
<para>Display password history state values for the user</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>manage-account get-password-is-reset</command></term>
<listitem>
<para>Display information about whether the user will be required to
change his or her password on the next successful authentication</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>manage-account get-password-policy-dn</command></term>
<listitem>
<para>Display the DN of the password policy for the user</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>manage-account get-remaining-authentication-failure-count</command></term>
<listitem>
<para>Display the number of remaining authentication failures until the
user's account is locked</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>manage-account get-remaining-grace-login-count</command></term>
<listitem>
<para>Display the number of grace logins remaining for the user</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>manage-account get-seconds-until-account-expiration</command></term>
<listitem>
<para>Display the length of time in seconds until the user account
expires</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>manage-account get-seconds-until-authentication-failure-unlock</command></term>
<listitem>
<para>Display the length of time in seconds until the authentication
failure lockout expires</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>manage-account get-seconds-until-idle-lockout</command></term>
<listitem>
<para>Display the length of time in seconds until user's account is locked
because it has remained idle for too long</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>manage-account get-seconds-until-password-expiration</command></term>
<listitem>
<para>Display length of time in seconds until the user's password expires</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>manage-account get-seconds-until-password-expiration-warning</command></term>
<listitem>
<para>Display the length of time in seconds until the user should start
receiving password expiration warning notices</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>manage-account get-seconds-until-password-reset-lockout</command></term>
<listitem>
<para>Display the length of time in seconds until user's account is locked
because the user failed to change the password in a timely manner after an
administrative reset</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>manage-account get-seconds-until-required-change-time</command></term>
<listitem>
<para>Display the length of time in seconds that the user has remaining to
change his or her password before the account becomes locked due to the
required change time</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>manage-account set-account-is-disabled</command></term>
<listitem>
<para>Specify whether the user account has been administratively disabled</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Global Options</title>
<para>The following global options are supported.</para>
<variablelist>
<varlistentry>
<term><option>-b, --targetDN {targetDN}</option></term>
<listitem>
<para>The DN of the user entry for which to get and set password policy
state information</para>
</listitem>
</varlistentry>
</variablelist>
<refsect2>
<title>LDAP Connection Options</title>
<variablelist>
<varlistentry>
<term><option>-D, --bindDN {bindDN}</option></term>
<listitem>
<para>DN to use to bind to the server</para>
<para>Default value: cn=Directory Manager</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-h, --hostname {host}</option></term>
<listitem>
<para>Directory server hostname or IP address</para>
<para>Default value: localhost.localdomain</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-j, --bindPasswordFile {bindPasswordFile}</option></term>
<listitem>
<para>Bind password file</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-K, --keyStorePath {keyStorePath}</option></term>
<listitem>
<para>Certificate key store path</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-N, --certNickname {nickname}</option></term>
<listitem>
<para>Nickname of certificate for SSL client authentication</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-o, --saslOption {name=value}</option></term>
<listitem>
<para>SASL bind options</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-p, --port {port}</option></term>
<listitem>
<para>Directory server administration port number</para>
<para>Default value: 4444</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-P, --trustStorePath {trustStorePath}</option></term>
<listitem>
<para>Certificate trust store path</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-T, --trustStorePassword {trustStorePassword}</option></term>
<listitem>
<para>Certificate trust store PIN</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-u, --keyStorePasswordFile {keyStorePasswordFile}</option></term>
<listitem>
<para>Certificate key store PIN file</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-U, --trustStorePasswordFile {path}</option></term>
<listitem>
<para>Certificate trust store PIN file</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-w, --bindPassword {bindPassword}</option></term>
<listitem>
<para>Password to use to bind to the server</para>
<para>Use <option>-w -</option> to have the command prompt for the
password, rather than enter the password on the command line.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-W, --keyStorePassword {keyStorePassword}</option></term>
<listitem>
<para>Certificate key store PIN</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-X, --trustAll</option></term>
<listitem>
<para>Trust all server SSL certificates</para>
</listitem>
</varlistentry>
</variablelist>
</refsect2>
<refsect2>
<title>General Options</title>
<variablelist>
<varlistentry>
<term><option>-V, --version</option></term>
<listitem>
<para>Display version information</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-?, -H, --help</option></term>
<listitem>
<para>Display usage information</para>
</listitem>
</varlistentry>
</variablelist>
</refsect2>
</refsect1>
<refsect1>
<title>Exit Codes</title>
<variablelist>
<varlistentry>
<term>0</term>
<listitem>
<para>The command completed successfully.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>89</term>
<listitem>
<para>An error occurred while parsing the command-line arguments.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Examples</title>
<para>For the following examples, the directory admin user, Kirsten Vaughan,
has <literal>ds-privilege-name: password-reset</literal>, and the following
ACI on <literal>ou=People,dc=example,dc=com</literal>.</para>
<programlisting language="aci">
(target="ldap:///ou=People,dc=example,dc=com") (targetattr ="*||+")(
version 3.0;acl "Admins can run amok"; allow(all) groupdn =
"ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)
</programlisting>
<para>The following command locks a user account.</para>
<screen>
$ <userinput>manage-account -p 4444 -D "uid=kvaughan,ou=people,dc=example,dc=com" \
-w bribery set-account-is-disabled -O true \
-b uid=bjensen,ou=people,dc=example,dc=com -X</userinput>
<computeroutput>Account Is Disabled: true</computeroutput>
</screen>
<para>The following command unlocks a user account.</para>
<screen>
$ <userinput>manage-account -p 4444 -D "uid=kvaughan,ou=people,dc=example,dc=com" \
-w bribery clear-account-is-disabled \
-b uid=bjensen,ou=people,dc=example,dc=com -X</userinput>
<computeroutput>Account Is Disabled: false</computeroutput>
</screen>
</refsect1>
</refentry>