The manage-account Command-Line Tool

Retrieve or update information about the current state of a user account. Processing will be performed using the password policy state extended operation, and you must have the password-reset privilege to use this extended operation.

Usage

manage-account {subCommand} {arguments}

This tool uses subcommands to indicate which function you want to perform.

LDAP Connection and Authentication Arguments

Arguments for Identifying Target Users

Arguments for Adjusting Performance

Additional Arguments

Required Argument Sets

Dependent Argument Sets

Exclusive Argument Sets

Examples

    manage-account get-all --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com
    manage-account get-account-usability-error-messages \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com
    manage-account set-account-is-disabled --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com \
         --accountIsDisabled true
    manage-account clear-authentication-failure-times \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Available Subcommands

 

Usage For Subcommand get-all

Retrieve all available state information for a user.

Examples

    manage-account get-all --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-password-policy-dn

Retrieve the DN of the password policy that governs a user.

Examples

    manage-account get-password-policy-dn \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-account-is-usable

Determine whether a user account will be allowed to authenticate or be used as an alternate authorization identity.

Examples

    manage-account get-account-is-usable \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-account-usability-notice-messages

Retrieve any password policy state account usability notice messages for a user. These messages may provide useful information about the state of the user account, but do not necessarily represent a current or imminent problem with the account.

Examples

    manage-account get-account-usability-notice-messages \
         --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-account-usability-warning-messages

Retrieve any password policy state account usability warning messages for a user. The messages may provide information about conditions that may leave a user account unusable in the near future unless corrective action is taken.

Examples

    manage-account get-account-usability-warning-messages \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-account-usability-error-messages

Retrieve any password policy state account usability error messages for a user. The messages may provide information about conditions that prevent a user account from authenticating, being used as an alternate authorization identity, or otherwise functioning normally.

Examples

    manage-account get-account-usability-error-messages \
         --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-password-changed-time

Retrieve the time that a user's password was last changed, whether via a self change or an administrative reset.

Examples

    manage-account get-password-changed-time \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand set-password-changed-time

Set the password changed time value for a user.

Arguments

Examples

    manage-account set-password-changed-time \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com \
         --passwordChangedTime 20241202212140.059Z

 

Usage For Subcommand clear-password-changed-time

Clear the password changed time value for a user. For password policy evaluations that require knowing when the user's password was last changed, the server will attempt to fall back to using the create timestamp, if available.

Examples

    manage-account clear-password-changed-time \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-account-is-disabled

Determine whether a user account has been disabled by an administrator and cannot authenticate or be used as an alternate authorization identity. This can also be accomplished with a standard LDAP search operation by determining whether the user entry has a ds-pwp-account-disabled operational attribute with a value of true.

Examples

    manage-account get-account-is-disabled \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand set-account-is-disabled

Specify whether a user account is administratively disabled. A disabled account cannot authenticate or be used as an alternate authorization identity. This can also be accomplished with a standard LDAP modify operation by setting the value of the ds-pwp-account-disabled operational attribute in the user's entry with a value of either true or false (or by removing the attribute from the user's entry, which is equivalent to giving it a value of false).

Arguments

Examples

    manage-account set-account-is-disabled \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com \
         --accountIsDisabled true

 

Usage For Subcommand clear-account-is-disabled

Clear the account disabled state information from a user entry, which is logically equivalent to using the set-account-is-disabled subcommand with an accountIsDisabled value of false. This can also be accomplished with a standard LDAP modify operation by removing the ds-pwp-account-disabled operational attribute from the user's entry.

Examples

    manage-account clear-account-is-disabled \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-account-activation-time

Retrieve the account activation time for a user. If the activation time is in the future, the user cannot authenticate or be used as an alternate authorization identity. This can also be accomplished with a standard LDAP search operation by retrieving the ds-pwp-account-activation-time operational attribute from the user's entry.

Examples

    manage-account get-account-activation-time \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand set-account-activation-time

Set the account activation time for a user. If the activation time is in the future, the user cannot authenticate or be used as an alternate authorization identity. This can also be accomplished with a standard LDAP modify operation by setting the ds-pwp-account-activation-time attribute to have a generalized time representation of the desired activation time.

Arguments

Examples

    manage-account set-account-activation-time \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com \
         --accountActivationTime 20241202212140.059Z

 

Usage For Subcommand clear-account-activation-time

Clear the account activation time for a user. If the account previously had an activation time in the future, this will make it immediately eligible for use. This can also be accomplished with a standard LDAP modify operation by removing the ds-pwp-account-activation-time attribute from the user's entry.

Examples

    manage-account clear-account-activation-time \
         --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-seconds-until-account-activation

Retrieve the length of time in seconds until a user's account is eligible for use.

Examples

    manage-account get-seconds-until-account-activation \
         --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-account-is-not-yet-active

Determine whether a user account has an activation time in the future and therefore cannot authenticate or be used as an alternate authorization identity.

Examples

    manage-account get-account-is-not-yet-active \
         --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-account-expiration-time

Retrieve the account expiration time for a user. If the expiration time is in the past, the user cannot authenticate or be used as an alternate authorization identity. This can also be accomplished with a standard LDAP search operation by retrieving the ds-pwp-account-expiration-time operational attribute from the user's entry.

Examples

    manage-account get-account-expiration-time \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand set-account-expiration-time

Set the account expiration time for a user. If the expiration time is in the past, the user cannot authenticate or be used as an alternate authorization identity. This can also be accomplished with a standard LDAP modify operation by setting the ds-pwp-account-expiration-time attribute to have a generalized time representation of the desired expiration time.

Arguments

Examples

    manage-account set-account-expiration-time \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com \
         --accountExpirationTime 20241202212140.059Z

 

Usage For Subcommand clear-account-expiration-time

Clear the account expiration time for a user. If the account previously had an expiration time in the past, this will make it immediately eligible for use. This can also be accomplished with a standard LDAP modify operation by removing the ds-pwp-account-expiration-time attribute from the user's entry.

Examples

    manage-account clear-account-expiration-time \
         --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com
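
The "standard LDAP modify operation" alternatives described above for set-account-is-disabled, set-account-activation-time and set-account-expiration-time (and their clear- counterparts) can be written as LDIF change records. The following is an added example, not part of the tool or its documentation; the function names ldif_safe, is_generalized_time and pwp_state_ldif are hypothetical, and the script only prints LDIF for whichever LDAP modify client you use.

```shell
#!/bin/sh
# Added example: build LDIF change records for the three operational
# attributes this page names. Nothing here contacts a server.

# A value may be written as plain "attr: value" LDIF only if it is printable
# ASCII and does not begin with space, ':' or '<', or end with a space.
# Rejecting everything else also blocks newline injection of extra LDIF lines.
ldif_safe() {
    case "$1" in
        ''|' '*|':'*|'<'*|*' ') return 1 ;;
    esac
    [ "$(printf '%s' "$1" | LC_ALL=C tr -cd ' -~')" = "$1" ]
}

# Syntax check for the generalized time form used on this page:
# YYYYMMDDhhmmss[.fraction]Z. It does not validate days per month.
is_generalized_time() {
    ldif_safe "$1" || return 1
    printf '%s\n' "$1" | grep -Eq \
      '^[0-9]{4}(0[1-9]|1[0-2])(0[1-9]|[12][0-9]|3[01])([01][0-9]|2[0-3])[0-5][0-9][0-5][0-9](\.[0-9]+)?Z$'
}

# pwp_state_ldif TARGET_DN ATTRIBUTE [VALUE]
# With VALUE: set the attribute. Without VALUE: remove it (the clear-* case).
pwp_state_ldif() {
    dn=$1
    attr=$2
    value=${3-}

    ldif_safe "$dn" || { echo "unsafe or empty DN" >&2; return 2; }

    case "$attr" in
        ds-pwp-account-disabled)
            case "$value" in
                true|false|'') ;;
                *) echo "value must be true or false" >&2; return 2 ;;
            esac
            ;;
        ds-pwp-account-activation-time|ds-pwp-account-expiration-time)
            if [ -n "$value" ] && ! is_generalized_time "$value"; then
                echo "value must be generalized time, e.g. 20241202212140.059Z" >&2
                return 2
            fi
            ;;
        *)
            echo "unsupported attribute: $attr" >&2
            return 2
            ;;
    esac

    printf 'dn: %s\nchangetype: modify\n' "$dn"
    if [ -n "$value" ]; then
        printf 'replace: %s\n%s: %s\n-\n' "$attr" "$attr" "$value"
    else
        # A replace with no values removes the attribute if it exists and
        # succeeds if it does not, so clearing is safe to repeat.
        printf 'replace: %s\n-\n' "$attr"
    fi
}

# Demo with the page's sample DN: equivalent of
# set-account-is-disabled --accountIsDisabled true
pwp_state_ldif 'uid=jdoe,ou=People,dc=example,dc=com' ds-pwp-account-disabled true
```

As with manage-account itself, the identity applying these changes needs write access to the operational attributes, so review who holds that access alongside the password-reset privilege.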

 

Usage For Subcommand get-seconds-until-account-expiration

Retrieve the length of time in seconds until a user's account expires.

Examples

    manage-account get-seconds-until-account-expiration \
         --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-account-is-expired

Determine whether a user account has an expiration time in the past and therefore cannot authenticate or be used as an alternate authorization identity.

Examples

    manage-account get-account-is-expired \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-password-expiration-warned-time

Retrieve the time that a user received the first warning about an upcoming password expiration. This will only be available if password expiration is enabled in the user's password policy.

Examples

    manage-account get-password-expiration-warned-time \
         --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand set-password-expiration-warned-time

Specify the time that a user received the first warning about an upcoming password expiration. Note that this will not in itself trigger a password expiration warning nor cause any account status notification handlers to be invoked. This will have no effect if password expiration is not enabled in the user's password policy.

Arguments

Examples

    manage-account set-password-expiration-warned-time \
         --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com \
         --passwordExpirationWarnedTime 20241202212140.059Z

 

Usage For Subcommand clear-password-expiration-warned-time

Clear a record of any password expiration warning from a user's entry.

Examples

    manage-account clear-password-expiration-warned-time \
         --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-seconds-until-password-expiration-warning

Retrieve the length of time in seconds until a user will be eligible to start receiving warnings about an upcoming password expiration. This will only be available if password expiration is enabled in the user's password policy.

Examples

    manage-account get-seconds-until-password-expiration-warning \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-password-expiration-time

Retrieves the time that a user's password will expire. This will only be available if password expiration is enabled in the user's password policy.

Examples

    manage-account get-password-expiration-time \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-seconds-until-password-expiration

Retrieves the length of time in seconds until a user's password will expire. This will only be available if password expiration is enabled in the user's password policy.

Examples

    manage-account get-seconds-until-password-expiration \
         --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-password-is-expired

Determine whether a user account has an expired password and therefore cannot authenticate or be used as an alternate authorization identity.

Examples

    manage-account get-password-is-expired \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-account-is-failure-locked

Determines whether a user's account is locked as a result of too many failed authentication attempts. This will only be available if failure lockout is enabled in the user's password policy.

Examples

    manage-account get-account-is-failure-locked \
         --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand set-account-is-failure-locked

Specifies whether a user's account should be locked as a result of too many failed authentication attempts. This will have no effect if failure lockout is not enabled in the user's password policy.

Arguments

Examples

    manage-account set-account-is-failure-locked \
         --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com \
         --accountIsFailureLocked true

 

Usage For Subcommand get-failure-lockout-time

Retrieves the time that a user's account was locked as a result of too many failed authentication attempts. This will only be available if failure lockout is enabled in the user's password policy.

Examples

    manage-account get-failure-lockout-time \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-seconds-until-authentication-failure-unlock

Retrieves the length of time in seconds until a user's temporary failure lockout expires. This will only be available if failure lockout is enabled in the user's password policy.

Examples

    manage-account get-seconds-until-authentication-failure-unlock \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-authentication-failure-times

Retrieves the timestamps for any failed authentication attempts for a user since the user's last successful authentication. This will only be available if failure lockout is enabled in the user's password policy.

Examples

    manage-account get-authentication-failure-times \
         --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand add-authentication-failure-time

Adds one or more new values to the set of authentication failure times for a user. If the resulting set of authentication failure times has reached the configured lockout failure count, the user's account will be locked. This will have no effect if failure lockout is not enabled in the user's password policy.

Arguments

Examples

    manage-account add-authentication-failure-time \
         --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand set-authentication-failure-times

Sets the timestamps for failed authentication attempts for a user. If the number of authentication failure times provided is greater than or equal to the lockout failure count for the user's password policy, the user's account will be locked. This will have no effect if failure lockout is not enabled in the user's password policy.

Arguments

Examples

    manage-account set-authentication-failure-times \
         --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com \
         --authenticationFailureTime 20241202212127.715Z \
         --authenticationFailureTime 20241202212140.059Z

 

Usage For Subcommand clear-authentication-failure-times

Clears the set of authentication failure times for a user. If the user's account had been locked because of too many failed authentication attempts, this will also clear that lockout.

Examples

    manage-account clear-authentication-failure-times \
         --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-remaining-authentication-failure-count

Retrieves the number of additional failed authentication attempts that will be required to lock a user's account. This will only be available if failure lockout is enabled in the user's password policy.

Examples

    manage-account get-remaining-authentication-failure-count \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-account-is-idle-locked

Determines whether a user's account is locked because it has been too long since the user last authenticated. This will only be available if idle lockout is enabled in the user's password policy.

Examples

    manage-account get-account-is-idle-locked \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-seconds-until-idle-lockout

Retrieves the length of time in seconds until the user's account will be locked because it has been too long since the user last authenticated. This will only be available if idle lockout is enabled in the user's password policy.

Examples

    manage-account get-seconds-until-idle-lockout \
         --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-idle-lockout-time

Retrieves the time at which the user's account was locked because it had been too long since the user last authenticated, or the time it will be locked unless the user authenticates before that time. This will only be available if idle lockout is enabled in the user's password policy.

Examples

    manage-account get-idle-lockout-time \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-must-change-password

Determines whether a user's password has been reset by an administrator and the user must choose a new password before they will be allowed to perform any other operations.

Examples

    manage-account get-must-change-password \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand set-must-change-password

Specifies whether a user's password has been reset by an administrator and the user must choose a new password before they will be allowed to perform any other operations.

Arguments

Examples

    manage-account set-must-change-password \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com \
         --mustChangePassword true

 

Usage For Subcommand clear-must-change-password

Clears the password reset state information from a user's account. If the account had previously been locked because the user failed to choose a new password in a timely manner after an administrative reset, that lockout will be lifted.

Examples

    manage-account clear-must-change-password \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-account-is-password-reset-locked

Determines whether the user's account is locked because the user failed to choose a new password in a timely manner after an administrative reset. This will only be available if a maximum password reset age is defined in the user's password policy.

Examples

    manage-account get-account-is-password-reset-locked \
         --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-seconds-until-password-reset-lockout

Determines the length of time in seconds until the user's account will be locked unless they choose a new password after an administrative password reset. This will only be available if a maximum password reset age is defined in the user's password policy.

Examples

    manage-account get-seconds-until-password-reset-lockout \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-password-reset-lockout-time

Retrieves the time that a user's account was or will be locked for failing to choose a new password in a timely manner after an administrative reset. This will only be available if a maximum password reset age is defined in the user's password policy.

Examples

    manage-account get-password-reset-lockout-time \
         --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-last-login-time

Retrieves the time that a user last authenticated. This will only be available if last login time tracking is enabled in the user's password policy.

Examples

    manage-account get-last-login-time \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand set-last-login-time

Specifies the time that a user last authenticated. This will have no effect if last login time tracking is not enabled in the user's password policy.

Arguments

Examples

    manage-account set-last-login-time \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com \
         --lastLoginTime 20241202212140.059Z

 

Usage For Subcommand clear-last-login-time

Clears the last login time from a user's entry. This will have no effect if last login time tracking is not enabled in the user's password policy.

Examples

    manage-account clear-last-login-time \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-last-login-ip-address

Retrieves the IP address of the client from which a user last authenticated. This will only be available if last login IP address tracking is enabled in the user's password policy.

Examples

    manage-account get-last-login-ip-address \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand set-last-login-ip-address

Specifies the IP address of the client from which a user last authenticated. This will have no effect if last login IP address tracking is not enabled in the user's password policy.

Arguments

Examples

    manage-account set-last-login-ip-address \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com \
         --lastLoginIPAddress 1.2.3.4

 

Usage For Subcommand clear-last-login-ip-address

Clears the last login IP address from a user's entry. This will have no effect if last login IP address tracking is not enabled in the user's password policy.

Examples

    manage-account clear-last-login-ip-address \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-grace-login-use-times

Retrieves the times that a user has authenticated with grace logins after their password had expired. This will only be available if both password expiration and grace login support are configured in the user's password policy.

Examples

    manage-account get-grace-login-use-times \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand add-grace-login-use-time

Adds one or more new values to the set of grace login use times for a user. This will have no effect unless both password expiration and grace login support are configured in the user's password policy.

Arguments

Examples

    manage-account add-grace-login-use-time \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand set-grace-login-use-times

Replaces the set of grace login use times for a user. This will have no effect unless both password expiration and grace login support are configured in the user's password policy.

Arguments

Examples

    manage-account set-grace-login-use-times \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com \
         --graceLoginUseTime 20241202212127.715Z \
         --graceLoginUseTime 20241202212140.059Z

 

Usage For Subcommand clear-grace-login-use-times

Clears the set of grace login use times for a user. This will have no effect unless both password expiration and grace login support are configured in the user's password policy.

Examples

    manage-account clear-grace-login-use-times \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-remaining-grace-login-count

Retrieves the number of additional grace logins that will be available to a user before they will be unable to authenticate with an expired password. This will only be available if both password expiration and grace login support are enabled in the user's password policy.

Examples

    manage-account get-remaining-grace-login-count \
         --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-password-changed-by-required-time

Retrieves the most recent required change time with which a user has complied. This will only be available if a required change time is configured in the user's password policy.

Examples

    manage-account get-password-changed-by-required-time \
         --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand set-password-changed-by-required-time

Specifies the most recent required change time with which a user has complied. This will not have any effect unless a required change time is configured in the user's password policy.

Arguments

Examples

    manage-account set-password-changed-by-required-time \
         --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand clear-password-changed-by-required-time

Clears the record of the most recent required change time with which a user has complied. This will not have any effect unless a required change time is configured in the user's password policy.

Examples

    manage-account clear-password-changed-by-required-time \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-seconds-until-required-password-change-time

Retrieves the length of time in seconds until the user account is locked for failure to comply with a required change time. This will only be available if a required change time is configured in the user's password policy.

Examples

    manage-account get-seconds-until-required-password-change-time \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-password-history-count

Retrieves the number of passwords in a user's password history. This will only be available if the password history is enabled in the user's password policy.

Examples

    manage-account get-password-history-count \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand clear-password-history

Clears the password history for a user. This will have no effect if the password history is not enabled in the user's password policy.

Examples

    manage-account clear-password-history \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-has-retired-password

Determines whether a user has an active retired password.

Examples

    manage-account get-has-retired-password \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-password-retired-time

Retrieves the time that a user's former password was retired.

Examples

    manage-account get-password-retired-time \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-retired-password-expiration-time

Retrieves the time that a user's retired password will expire.

Examples

    manage-account get-retired-password-expiration-time \
         --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand clear-retired-password

Purges a retired password from a user's entry so that it may no longer be used to authenticate.

Examples

    manage-account clear-retired-password \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-available-sasl-mechanisms

Retrieves a list of the SASL mechanisms that are available for a user. This will take into account the server configuration, the types of credentials the user has, and the authentication constraints defined for the user.

Examples

    manage-account get-available-sasl-mechanisms \
         --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-available-otp-delivery-mechanisms

Retrieves a list of the one-time password delivery mechanisms that are available for a user. If the user's entry includes information about which OTP delivery mechanisms are preferred, then the values will be returned in order of most preferred to least preferred.

Examples

    manage-account get-available-otp-delivery-mechanisms \
         --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-has-totp-shared-secret

Determines whether a user has at least one TOTP shared secret that may be used in conjunction with the UNBOUNDID-TOTP SASL mechanism or the Verify TOTP extended operation.

Examples

    manage-account get-has-totp-shared-secret \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand add-totp-shared-secret

Adds a value to the set of TOTP shared secrets for a user.

Arguments

Examples

    manage-account add-totp-shared-secret \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com \
         --totpSharedSecret abcdefghijklmnop

 

Usage For Subcommand remove-totp-shared-secret

Removes a value from the set of TOTP shared secrets for a user.

Arguments

Examples

    manage-account remove-totp-shared-secret \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com \
         --totpSharedSecret abcdefghijklmnop

 

Usage For Subcommand set-totp-shared-secrets

Replaces the set of TOTP shared secrets registered for a user.

Arguments

Examples

    manage-account set-totp-shared-secrets \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com \
         --totpSharedSecret abcdefghijklmnop

 

Usage For Subcommand clear-totp-shared-secrets

Clears the set of TOTP shared secrets registered for a user.

Examples

    manage-account clear-totp-shared-secrets \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-has-registered-yubikey-public-id

Determines whether a user has at least one registered YubiKey OTP device public ID.

Examples

    manage-account get-has-registered-yubikey-public-id \
         --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-registered-yubikey-public-ids

Retrieves a list of the public IDs of the YubiKey OTP devices registered for a user.

Examples

    manage-account get-registered-yubikey-public-ids \
         --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand add-registered-yubikey-public-id

Adds a value to the set of registered YubiKey OTP public IDs for a user.

Arguments

Examples

    manage-account add-registered-yubikey-public-id \
         --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com \
         --publicID abcdefghijkl

 

Usage For Subcommand remove-registered-yubikey-public-id

Removes a value from the set of registered YubiKey OTP public IDs for a user.

Arguments

Examples

    manage-account remove-registered-yubikey-public-id \
         --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com \
         --publicID abcdefghijkl

 

Usage For Subcommand set-registered-yubikey-public-ids

Replaces the list of the public IDs of the YubiKey OTP devices registered for a user.

Arguments

Examples

    manage-account set-registered-yubikey-public-ids \
         --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com \
         --publicID abcdefghijkl

 

Usage For Subcommand clear-registered-yubikey-public-ids

Clears the list of the public IDs of the YubiKey OTP devices registered for a user.

Examples

    manage-account clear-registered-yubikey-public-ids \
         --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-has-static-password

Determines whether a user has one static password.

Examples

    manage-account get-has-static-password \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-last-bind-password-validation-time

Retrieves the time the server last invoked password validators during a bind operation for a user.

Examples

    manage-account get-last-bind-password-validation-time \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-seconds-since-last-bind-password-validation

Retrieves the length of time in seconds since the server last invoked password validators during a bind operation for a user.

Examples

    manage-account get-seconds-since-last-bind-password-validation \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand set-last-bind-password-validation-time

Specifies the time the server last invoked password validators during a bind operation for a user.

Arguments

Examples

    manage-account set-last-bind-password-validation-time \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com \
         --validationTime 20241202212140.059Z

 

Usage For Subcommand clear-last-bind-password-validation-time

Clears the time the server last invoked password validators during a bind operation for a user.

Examples

    manage-account clear-last-bind-password-validation-time \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand get-account-is-validation-locked

Determines whether a user's account is locked because it contains a password that does not satisfy all of the configured password validators.

Examples

    manage-account get-account-is-validation-locked \
         --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand set-account-is-validation-locked

Specifies whether a user's account should be locked because it contains a password that does not satisfy all of the configured password validators.

Arguments

Examples

    manage-account set-account-is-validation-locked \
         --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com \
         --accountIsValidationLocked true

 

Usage For Subcommand get-recent-login-history

Retrieves the user's recent login history.

Examples

    manage-account get-recent-login-history \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

 

Usage For Subcommand clear-recent-login-history

Clears the user's recent login history.

Examples

    manage-account clear-recent-login-history \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com