The manage-account Command-Line Tool

Retrieve or update information about the current state of a user account. Processing will be performed using the password policy state extended operation, and you must have the password-reset privilege to use this extended operation.

Usage

manage-account {subCommand} {arguments}

This tool uses subcommands to indicate which function you want to perform.
Jump to a list of the available subcommands.

LDAP Connection and Authentication Arguments

• -h {host} / --hostname {host} — The IP address or resolvable name to use to connect to the directory server. If this is not provided, then a default value of 'localhost' will be used.
  
  
• -p {port} / --port {port} — The port to use to connect to the directory server. If this is not provided, then a default value of 389 will be used.
  The specified value must not be less than 1 or greater than 65,535.
  
  
• -D {dn} / --bindDN {dn} — The DN to use to bind to the directory server when performing simple authentication.
  A provided value must be able to be parsed as an LDAP distinguished name as described in RFC 4514.
  
  
• -w {password} / --bindPassword {password} — The password to use to bind to the directory server when performing simple authentication or a password-based SASL mechanism.
  
  
• -j {path} / --bindPasswordFile {path} — The path to the file containing the password to use to bind to the directory server when performing simple authentication or a password-based SASL mechanism.
  The specified path must refer to a file that exists.
  
  
• --promptForBindPassword — Indicates that the tool should interactively prompt the user for the bind password.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• -Z / --useSSL — Use SSL when communicating with the directory server.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• -q / --useStartTLS — Use StartTLS when communicating with the directory server.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --defaultTrust — Use the JVM's default trust store, and optionally an additional trust store specified using the --trustStorePath argument, to non-interactively determine whether to trust any certificate chain presented during TLS negotiation. If the chain cannot be trusted based on any of those sources, then negotiation will fail without prompting about whether to trust it.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• -X / --trustAll — Trust any certificate presented by the directory server.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• -K {path} / --keyStorePath {path} — The path to the file to use as the key store for obtaining client certificates when communicating securely with the directory server.
  
  
• -W {password} / --keyStorePassword {password} — The password to use to access the key store contents.
  
  
• -u {path} / --keyStorePasswordFile {path} — The path to the file containing the password to use to access the key store contents.
  The specified path must refer to a file that may or may not exist.
  
  
• --promptForKeyStorePassword — Indicates that the tool should interactively prompt the user for the password to use to access the key store contents.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --keyStoreFormat {format} — The format (e.g., JKS, PKCS12, PKCS11, BCFKS, etc.) for the key store file.
  
  
• -P {path} / --trustStorePath {path} — The path to the file to use as trust store when determining whether to trust a certificate presented by the directory server.
  
  
• -T {password} / --trustStorePassword {password} — The password to use to access the trust store contents.
  
  
• -U {path} / --trustStorePasswordFile {path} — The path to the file containing the password to use to access the trust store contents.
  The specified path must refer to a file that may or may not exist.
  
  
• --promptForTrustStorePassword — Indicates that the tool should interactively prompt the user for the password to use to access the trust store contents.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --trustStoreFormat {format} — The format (e.g., JKS, PKCS12, PKCS11, BCFKS, etc.) for the trust store file.
  
  
• --verifyCertificateHostnames — Indicates that the tool should verify that the hostname or IP addressed used to establish connections ot the LDAP server matches an address for which the server's TLS certificate was issued.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• -N {nickname} / --certNickname {nickname} — The nickname (alias) of the client certificate in the key store to present to the directory server for SSL client authentication.
  
  
• --enableSSLDebugging — Enable Java's low-level support for debugging SSL/TLS communication. This is equivalent to setting the 'javax.net.debug' property to 'all'.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• -o {name=value} / --saslOption {name=value} — A name-value pair providing information to use when performing SASL authentication.
  
  
• --useSASLExternal — Use the SASL EXTERNAL mechanism to authenticate.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --helpSASL — Provide information about the supported SASL mechanisms, including the properties available for use with each.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  

Arguments for Identifying Target Users

• -b {dn} / --targetDN {dn} — The DN of the user entry on which to operate. This argument may be provided multiple times to specify multiple user DNs.
  A provided value must be able to be parsed as an LDAP distinguished name as described in RFC 4514.
  
  
• --dnInputFile {path} — The path to a file containing the DNs of the user entries on which to operate. The DN file must contain one DN per line, and blank lines and lines starting with an octothorpe (#) will be ignored. This argument may be provided multiple times to use multiple DN files.
  The specified path must refer to a file that exists.
  
  
• --targetFilter {filter} — An LDAP filter that may be used to identify the user entries on which to operate. The baseDN argument may be used to specify the base DN for the search. This argument may be provided multiple times to specify multiple target filters.
  A provided value must be able to be parsed as an LDAP search filter as described in RFC 4515.
  
  
• --filterInputFile {path} — The path to a file containing a set of LDAP filters to use to identify the user entries on which to operate. The baseDN argument may be used to specify the base DN for the searches. The filter file must contain one filter per line, and blank lines and lines starting with an octothorpe (#) will be ignored. This argument may be provided multiple times to use multiple filter files.
  The specified path must refer to a file that exists.
  
  
• --targetUserID {value} — A string that identifies a user on which to operate. The tool will search for the user with a base DN specified by the baseDN argument and a user ID attribute specified by the userIDAttribute argument. This argument may be provided multiple times to specify multiple target user IDs.
  
  
• --userIDInputFile {path} — The path to a file containing a set of user ID values. The file must contain one user ID per line, and blank lines and lines starting with an octothorpe (#) will be ignored. The tool will search for the users with a base DN specified by the baseDN argument and a user ID attribute specified by the userIDAttribute argument. This argument may be provided multiple times to use multiple user ID files.
  The specified path must refer to a file that exists.
  
  
• --userIDAttribute {value} — The name or OID of the attribute used to identify users with IDs specified using the targetUserID and userIDInputFile arguments. If this argument is not provided, a default user ID attribute of uid will be used.
  
  
• --baseDN {dn} — The base DN to use when searching for user entries when using any of the targetFilter, filterInputFile, targetUserID, or userIDInputFile arguments. If this argument is not provided, the default base DN will be the null DN.
  A provided value must be able to be parsed as an LDAP distinguished name as described in RFC 4514.
  
  
• -z {value} / --simplePageSize {value} — Indicates that any searches performed to identify which users to target should make use of the simple paged results control to cause the entries to be returned in sets of no more than the specified number of entries. When processing searches that may return a large number of entries, setting a page size can help reduce the likelihood that the server will need to block while sending results to the client if matching entries are identified much more quickly than the client can process the desired manage-account operations against those entries. Further, when performing searches that may return a large number of entries, and especially for unindexed searches, setting a page size can help the client more efficiently resume processing in the event that the connection used to process the search becomes unusable.
  The specified value must not be less than 1 or greater than 2,147,483,647.
  
  

Arguments for Adjusting Performance

• -t {value} / --numThreads {value} — The number of concurrent threads to use when performing manage-account operations against user entries. If this argument is not provided, a default value of one will be used.
  The specified value must not be less than 1 or greater than 2,147,483,647.
  
  
• --numSearchThreads {value} — The number of concurrent threads to use when searching for entries to target with manage-account operations. This will only be used if arguments are provided that require the tool to perform searches to identify which entries to target (and will primarily be useful only in cases in which there will be multiple searches, as when reading filters or user IDs from a file). If this argument is not provided, a default value of one will be used.
  The specified value must not be less than 1 or greater than 2,147,483,647.
  
  
• -r {value} / --ratePerSecond {value} — The maximum rate, in operations per second, at which to target user entries. If neither this nor the variableRateData argument is provided, then the tool will not perform any rate limiting.
  The specified value must not be less than 1 or greater than 2,147,483,647.
  
  
• --variableRateData {path} — The path to a file containing a variable rate definition that may be used to cause the tool to vary the amount of load it generates over time. If neither this nor the ratePerSecond argument is provided, then the tool will not perform any rate limiting.
  The specified path must refer to a file that exists.
  
  
• --generateSampleRateFile {path} — The path to a file to create with a sample variable rate definition. This file will contain comments that describe the expected format for the file to use with the variableRateData argument.
  The specified path must refer to a file which may or may not exist, but whose parent directory must exist.
  
  

Additional Arguments

• -R {path} / --rejectFile {path} — The path to a file to write with a record of any unsuccessful attempts to retrieve or update account information for a user.
  The specified path must refer to a file which may or may not exist, but whose parent directory must exist.
  
  
• --appendToRejectFile — Indicates that the tool should append to the file specified by the --rejectFile argument if it already exists. If this argument is not provided and the reject file already exists, it will be overwritten.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --suppressEmptyResultOperations — Indicates that the result information for each manage-account operation processed should suppress information about password policy state operations included in the result that do not have any values. Operations presented without values generally indicated that the user's password policy is not configured for the associated functionality (e.g., if the password expiration time was requested but password expiration is not enabled in the user's password policy).
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --interactive — Launch the tool in interactive mode.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --outputFile {path} — Write all standard output and standard error messages to the specified file instead of to the console.
  The specified path must refer to a file which may or may not exist, but whose parent directory must exist.
  
  
• --appendToOutputFile — Indicates that the tool should append to the file specified by the --outputFile argument if it already exists. If this argument is not provided and the output file already exists, it will be overwritten.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --teeOutput — Write all standard output and standard error messages to the console as well as to the specified output file. The --outputFile argument must also be provided.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• -H / --help — Display usage information for this program.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --help-subcommands — Display the names and descriptions of the supported subcommands.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --help-debug — Display usage information for debug logging.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --enable-debug-logging — Enables debug logging for the tool.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --debug-log-level {level} — The debug log level to use for the tool. Allowed values include 'off', 'severe', 'warning', 'info', 'fine', 'finer', and 'finest'. If this is not specified, a default level of 'severe' will be used.
  
  
• --debug-log-category {category} — The message categories to include in the debug log output. Allowed values include 'asn1', 'connect', 'exception', 'ldap', 'connectionpool', 'ldif', 'monitor', 'codingerror', and 'other'. This argument may be provided multiple times to indicate that multiple categories should be included. If this is not specified, then all categories will be included.
  
  
• --include-debug-stack-traces — Indicates that debug log messages should include a stack trace with the code location from which each debug message originated.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --use-multi-line-debug-messages — Indicates that debug log messages (which will be JSON objects) should be written as multi-line strings rather than single-line strings.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --debug-log-file {path} — The path to the debug log file to be written. If this is not specified, a default path of 'manage-account.debug' will be used.
  The specified path must refer to a file which may or may not exist, but whose parent directory must exist.
  
  
• -V / --version — Display version information for this program.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --propertiesFilePath {path} — The path to a properties file used to specify default values for arguments not supplied on the command line.
  The specified path must refer to a file that exists.
  
  
• --generatePropertiesFile {path} — Write an empty properties file that may be used to specify default values for arguments.
  The specified path must refer to a file which may or may not exist, but whose parent directory must exist.
  
  
• --noPropertiesFile — Do not obtain any argument values from a properties file.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  
• --suppressPropertiesFileComment — Suppress output listing the arguments obtained from a properties file.
  This argument is not allowed to have a value. If this argument is included in a set of arguments, then it will be assumed to have a value of 'true'. If it is absent from a set of arguments, then it will be assumed to have a value of 'false'.
  
  

Required Argument Sets

• At least one of the following arguments must be provided: --targetDN, --dnInputFile, --targetFilter, --filterInputFile, --targetUserID, --userIDInputFile

Dependent Argument Sets

• If the --keyStorePassword argument is provided, then the --keyStorePath argument must also be provided.
• If the --keyStorePasswordFile argument is provided, then the --keyStorePath argument must also be provided.
• If the --promptForKeyStorePassword argument is provided, then the --keyStorePath argument must also be provided.
• If the --trustStorePassword argument is provided, then the --trustStorePath argument must also be provided.
• If the --trustStorePasswordFile argument is provided, then the --trustStorePath argument must also be provided.
• If the --promptForTrustStorePassword argument is provided, then the --trustStorePath argument must also be provided.
• If the --keyStorePath argument is provided, then at least one of the following arguments must also be provided: --useSSL, --useStartTLS
• If the --trustStorePath argument is provided, then at least one of the following arguments must also be provided: --useSSL, --useStartTLS
• If the --defaultTrust argument is provided, then at least one of the following arguments must also be provided: --useSSL, --useStartTLS
• If the --trustAll argument is provided, then at least one of the following arguments must also be provided: --useSSL, --useStartTLS
• If the --bindPassword argument is provided, then at least one of the following arguments must also be provided: --bindDN, --saslOption
• If the --bindPasswordFile argument is provided, then at least one of the following arguments must also be provided: --bindDN, --saslOption
• If the --promptForBindPassword argument is provided, then at least one of the following arguments must also be provided: --bindDN, --saslOption
• If the --appendToRejectFile argument is provided, then the --rejectFile argument must also be provided.
• If the --appendToOutputFile argument is provided, then the --outputFile argument must also be provided.
• If the --teeOutput argument is provided, then the --outputFile argument must also be provided.

Exclusive Argument Sets

• The following arguments cannot be used together: --useSSL, --useStartTLS
• The following arguments cannot be used together: --keyStorePassword, --keyStorePasswordFile, --promptForKeyStorePassword
• The following arguments cannot be used together: --trustStorePassword, --trustStorePasswordFile, --promptForTrustStorePassword
• The following arguments cannot be used together: --defaultTrust, --trustAll
• The following arguments cannot be used together: --trustAll, --trustStorePath
• The following arguments cannot be used together: --bindDN, --saslOption, --useSASLExternal
• The following arguments cannot be used together: --bindPassword, --bindPasswordFile, --promptForBindPassword
• The following arguments cannot be used together: --propertiesFilePath, --noPropertiesFile

Examples

• Retrieve all available state information for user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account get-all --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

• Retrieve any password policy state account usability error messages for user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account get-account-usability-error-messages \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

• Update user 'uid=jdoe,ou=People,dc=example,dc=com' to make the account administratively disabled.

    manage-account set-account-is-disabled --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com \
         --accountIsDisabled true

• Clears the authentication failure times for user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account clear-authentication-failure-times \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Available Subcommands

• get-all — Retrieve all available state information for a user.
  
  
• get-password-policy-dn — Retrieve the DN of the password policy that governs a user.
  
  
• get-account-is-usable — Determine whether a user account will be allowed to authenticate or be used as an alternate authorization identity.
  
  
• get-account-usability-notice-messages — Retrieve any password policy state account usability notice messages for a user. These messages may provide useful information about the state of the user account, but do not necessarily represent a current or imminent problem with the account.
  
  
• get-account-usability-warning-messages — Retrieve any password policy state account usability warning messages for a user. The messages may provide information about conditions that may leave a user account unusable in the near future unless corrective action is taken.
  
  
• get-account-usability-error-messages — Retrieve any password policy state account usability error messages for a user. The messages may provide information about conditions that prevent a user account from authenticating, being used as an alternate authorization identity, or otherwise functioning normally.
  
  
• get-password-changed-time — Retrieve the time that a user's password was last changed, whether via a self change or an administrative reset.
  
  
• set-password-changed-time — Set the password changed time value for a user.
  
  
• clear-password-changed-time — Clear the password changed time value for a user. For password policy evaluations that require knowing when the user's password was last changed, the server will attempt to fall back to using the create timestamp, if available.
  
  
• get-account-is-disabled — Determine whether a user account has been disabled by an administrator and cannot authenticate or be used as an alternate authorization identity. This can also be accomplished with a standard LDAP search operation by determining whether the user entry has a ds-pwp-account-disabled operational attribute with a value of true.
  
  
• set-account-is-disabled — Specify whether a user account is administratively disabled. A disabled account cannot authenticate or be used as an alternate authorization identity. This can also be accomplished with a standard LDAP modify operation by setting the value of the ds-pwp-account-disabled operational attribute in the user's entry with a value of either true or false (or by removing the attribute from the user's entry, which is equivalent to giving it a value of false).
  
  
• clear-account-is-disabled — Clear the account disabled state information from a user entry, which is logically equivalent to using the set-account-is-disabled subcommand with an accountIsDisabled value of false. This can also be accomplished with a standard LDAP modify operation by removing the ds-pwp-account-disabled operational attribute from the user's entry.
  
  
• get-account-activation-time — Retrieve the account activation time for a user. If the activation time is in the future, the user cannot authenticate or be used as an alternate authorization identity. This can also be accomplished with a standard LDAP search operation by retrieving the ds-pwp-account-activation-time operational attribute from the user's entry.
  
  
• set-account-activation-time — Set the account activation time for a user. If the activation time is in the future, the user cannot authenticate or be used as an alternate authorization identity. This can also be accomplished with a standard LDAP modify operation by setting the ds-pwp-account-activation-time attribute to have a generalized time representation of the desired activation time.
  
  
• clear-account-activation-time — Clear the account activation time for a user. If the account previously had an activation time in the future, this will make it immediately eligible for use. This can also be accomplished with a standard LDAP modify operation by removing the ds-pwp-account-activation-time attribute from the user's entry.
  
  
• get-seconds-until-account-activation — Retrieve the length of time in seconds until a user's account is eligible for use.
  
  
• get-account-is-not-yet-active — Determine whether a user account has an activation time in the future and therefore cannot authenticate or be used as an alternate authorization identity.
  
  
• get-account-expiration-time — Retrieve the account expiration time for a user. If the expiration time is in the past, the user cannot authenticate or be used as an alternate authorization identity. This can also be accomplished with a standard LDAP search operation by retrieving the ds-pwp-account-expiration-time operational attribute from the user's entry.
  
  
• set-account-expiration-time — Set the account expiration time for a user. If the expiration time is in the past, the user cannot authenticate or be used as an alternate authorization identity. This can also be accomplished with a standard LDAP modify operation by setting the ds-pwp-account-expiration-time attribute to have a generalized time representation of the desired expiration time.
  
  
• clear-account-expiration-time — Clear the account expiration time for a user. If the account previously had an expiration time in the past, this will make it immediately eligible for use. This can also be accomplished with a standard LDAP modify operation by removing the ds-pwp-account-expiration-time attribute from the user's entry.
  
  
• get-seconds-until-account-expiration — Retrieve the length of time in seconds until a user's account expires.
  
  
• get-account-is-expired — Determine whether a user account has an expiration time in the past and therefore cannot authenticate or be used as an alternate authorization identity.
  
  
• get-password-expiration-warned-time — Retrieve the time that a user received the first warning about an upcoming password expiration. This will only be available if password expiration is enabled in the user's password policy.
  
  
• set-password-expiration-warned-time — Specify the time that a user received the first warning about an upcoming password expiration. Note that this will not in itself trigger a password expiration warning nor cause any account status notification handlers to be invoked. This will have no effect if password expiration is not enabled in the user's password policy.
  
  
• clear-password-expiration-warned-time — Clear a record of any password expiration warning from a user's entry.
  
  
• get-seconds-until-password-expiration-warning — Retrieve the length of time in seconds until a user will be eligible to start receiving warnings about an upcoming password expiration. This will only be available if password expiration is enabled in the user's password policy.
  
  
• get-password-expiration-time — Retrieves the time that a user's password will expire. This will only be available if password expiration is enabled in the user's password policy.
  
  
• get-seconds-until-password-expiration — Retrieves the length of time in seconds until a user's password will expire. This will only be available if password expiration is available in the user's password policy.
  
  
• get-password-is-expired — Determine whether a user account has an expired password and therefore cannot authenticate or be used as an alternate authorization identity.
  
  
• get-account-is-failure-locked — Determines whether a user's account is locked as a result of too many failed authentication attempts. This will only be available if failure lockout is enabled in the user's password policy.
  
  
• set-account-is-failure-locked — Specifies whether a user's account should be locked as a result of too many failed authentication attempts. This will have no effect if failure lockout is not enabled in the user's password policy.
  
  
• get-failure-lockout-time — Retrieves the time that a user's account was locked as a result of too many failed authentication attempts. This will only be available if failure lockout is enabled in the user's password policy.
  
  
• get-seconds-until-authentication-failure-unlock — Retrieves the length of time in seconds until a user's temporary failure lockout expires. This will only be available if failure lockout is enabled in the user's password policy.
  
  
• get-authentication-failure-times — Retrieves the timestamps for any failed authentication attempts for a user since the user's last successful authentication. This will only be available if failure lockout is enabled in the user's password policy.
  
  
• add-authentication-failure-time — Adds one or more new values to the set of authentication failure times for a user. If the resulting set of authentication failure times has reached the configured lockout failure count, the user's account will be locked. This will have no effect if failure lockout is not enabled in the user's password policy.
  
  
• set-authentication-failure-times — Sets the timestamps for failed authentication attempts for a user. If the number of authentication failure times provided is greater than or equal to the lockout failure count for the user's password policy, the user's account will be locked. This will have no effect if failure lockout is not enabled in the user's password policy.
  
  
• clear-authentication-failure-times — Clears the set of authentication failure times for a user. If the user's account had been locked be of too many failed authentication attempts, this will also clear that lockout.
  
  
• get-remaining-authentication-failure-count — Retrieves the number of additional failed authentication attempts that will be required to lock a user's account. This will only be available if failure lockout is enabled in the user's password policy.
  
  
• get-account-is-idle-locked — Determines whether a user's account is locked because it has been too long since the user last authenticated. This will only be available if idle lockout is enabled in the user's password policy.
  
  
• get-seconds-until-idle-lockout — Retrieves the length of time in seconds until the user's account will be locked because it has been too long since the user last authenticated. This will only be available if idle lockout is enabled in the user's password policy.
  
  
• get-idle-lockout-time — Retrieves the time at which the user's account was locked because it had been too long since the user last authenticated, or the time it will be locked unless the user authenticates before that time. This will only be available if idle lockout is enabled in the user's password policy
  
  
• get-must-change-password — Determines whether a user's password has been reset by an administrator and the user must choose a new password before they will be allowed to perform any other operations.
  
  
• set-must-change-password — Specifies whether a user's password has been reset by an administrator and the user must choose a new password before they will be allowed to perform any other operations.
  
  
• clear-must-change-password — Clears the password reset state information from a user's account. If the account had previously been locked because the user failed to choose a new password in a timely manner after an administrative reset, that lockout will be lifted.
  
  
• get-account-is-password-reset-locked — Determines whether the user's account is locked because the user failed to choose a new password in a timely manner after an administrative reset. This will only be available if a maximum password reset age is defined in the user's password policy.
  
  
• get-seconds-until-password-reset-lockout — Determines the length of time in seconds until the user's account will be locked unless they choose a new password after an administrative password reset. This will only be available if a maximum password reset age is defined in the user's password policy.
  
  
• get-password-reset-lockout-time — Retrieves the time that a user's account was or will be locked for failing to choose a new password in a timely manner after an administrative reset. This will only be available if a maximum password reset age is defined in the user's password policy.
  
  
• get-last-login-time — Retrieves the time that a user last authenticated. This will only be available if last login time tracking is enabled in the user's password policy.
  
  
• set-last-login-time — Specifies the time that a user last authenticated. This will have no effect if last login time tracking is not enabled in the user's password policy.
  
  
• clear-last-login-time — Clears the last login time from a user's entry. This will have no effect if last login time tracking is not enabled in the user's password policy.
  
  
• get-last-login-ip-address — Retrieves the IP address of the client from which a user last authenticated. This will only be available if last login IP address tracking is enabled in the user's password policy.
  
  
• set-last-login-ip-address — Specifies the IP address of the client from which a user last authenticated. This will have no effect if last login IP address tracking is not enabled in the user's password policy.
  
  
• clear-last-login-ip-address — Clears the last login IP address from a user's entry. This will have no effect if last login IP address tracking is not enabled in the user's password policy.
  
  
• get-grace-login-use-times — Retrieves the times that a user has authenticated with grace logins after their password had expired. This will only be available if both password expiration and grace login supports are configured in the user's password policy.
  
  
• add-grace-login-use-time — Adds one or more new values to the set of grace login use times for a user. This will have no effect unless both password expiration and grace login support are configured in the user's password policy.
  
  
• set-grace-login-use-times — Replaces the set of grace login use times for a user. This will have no effect unless both password expiration and grace login support are configured in the user's password policy.
  
  
• clear-grace-login-use-times — Clears the set of grace login use times for a user. This will have no effect unless both password expiration and grace login support are configured in the user's password policy.
  
  
• get-remaining-grace-login-count — Retrieves the number of additional grace logins that will be available to a user before they will be unable to authenticate with an expired password. This will only be available if both password expiration and grace login support are enabled in the user's password policy.
  
  
• get-password-changed-by-required-time — Retrieves the most recent required change time with which a user has complied. This will only be available if a required change time is configured in the user's password policy.
  
  
• set-password-changed-by-required-time — Specifies the most recent required change time with which a user has complied. This will not have any effect unless a required change time is configured in the user's password policy.
  
  
• clear-password-changed-by-required-time — Clears the record of the most recent required change time with which a user has complied. This will not have any effect unless a required change time is configured in the user's password policy.
  
  
• get-seconds-until-required-password-change-time — Retrieves the length of time in seconds until the user account is locked for failure to comply with a required change time. This will only be available if a required change time is configured in the user's password policy.
  
  
• get-password-history-count — Retrieves the number of passwords in a user's password history. This will only be available if the password history is enabled in the user's password policy.
  
  
• clear-password-history — Clears the password history for a user. This will have no effect if the password history is not enabled in the user's password policy.
  
  
• get-has-retired-password — Determines whether a user has an active retired password.
  
  
• get-password-retired-time — Retrieves the time that a user's former password was retired.
  
  
• get-retired-password-expiration-time — Retrieves the time that a user's retired password will expire.
  
  
• clear-retired-password — Purges a retired password from a user's entry so that it may no longer be used to authenticate.
  
  
• get-available-sasl-mechanisms — Retrieves a list of the SASL mechanisms that are available for a user. This will take into account the server configuration, the types of credentials the user has, and the authentication constraints defined for the user.
  
  
• get-available-otp-delivery-mechanisms — Retrieves a list of the one-time password delivery mechanisms that are available for a user. If the user's entry includes information about which OTP delivery mechanisms are preferred, then the values will be returned in order of most preferred to least preferred.
  
  
• get-has-totp-shared-secret — Determines whether a user has at least one TOTP shared secret that may be used in conjunction with the UNBOUNDID-TOTP SASL mechanism or the Verify TOTP extended operation.
  
  
• add-totp-shared-secret — Adds a value to the set of TOTP shared secrets for a user.
  
  
• remove-totp-shared-secret — Removes a value from the set of TOTP shared secrets for a user.
  
  
• set-totp-shared-secrets — Replaces the set of TOTP shared secrets registered for a user.
  
  
• clear-totp-shared-secrets — Clears the set of TOTP shared secrets registered for a user.
  
  
• get-has-registered-yubikey-public-id — Determines whether a user has at least one registered YubiKey OTP device public ID.
  
  
• get-registered-yubikey-public-ids — Retrieves a list of the public IDs of the YubiKey OTP devices registered for a user.
  
  
• add-registered-yubikey-public-id — Adds a value to the set of registered YubiKey OTP public IDs for a user.
  
  
• remove-registered-yubikey-public-id — Removes a value from the set of registered YubiKey OTP public IDs for a user.
  
  
• set-registered-yubikey-public-ids — Replaces the list of the public IDs of the YubiKey OTP devices registered for a user.
  
  
• clear-registered-yubikey-public-ids — Clears the list of the public IDs of the YubiKey OTP devices registered for a user.
  
  
• get-has-static-password — Determines whether a user has one static password.
  
  
• get-last-bind-password-validation-time — Retrieves the time the server last invoked password validators during a bind operation for a user.
  
  
• get-seconds-since-last-bind-password-validation — Retrieves the length of time in seconds since the server last invoked password validators during a bind operation for a user.
  
  
• set-last-bind-password-validation-time — Specifies the time the server last invoked password validators during a bind operation for a user.
  
  
• clear-last-bind-password-validation-time — Clears the time the server last invoked password validators during a bind operation for a user.
  
  
• get-account-is-validation-locked — Determines whether a user's account is locked because it contains a password that does not satisfy all of the configured password validators.
  
  
• set-account-is-validation-locked — Specifies whether a user's account should be locked because it contains a password that does not satisfy all of the configured password validators.
  
  
• get-recent-login-history — Retrieves the user's recent login history.
  
  
• clear-recent-login-history — Clears the user's recent login history.
  
  

Usage For Subcommand get-all

Retrieve all available state information for a user.

Examples

• Retrieve all available state information for user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account get-all get-all --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-password-policy-dn

Retrieve the DN of the password policy that governs a user.

Examples

• Retrieve the DN of the password policy that governs user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account get-password-policy-dn get-password-policy-dn \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-account-is-usable

Determine whether a user account will be allowed to authenticate or be used as an alternate authorization identity.

Examples

• Determine whether user 'uid=jdoe,ou=People,dc=example,dc=com' will be permitted to authenticate or be used as an alternate authorization identity.

    manage-account get-account-is-usable get-account-is-usable \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-account-usability-notice-messages

Retrieve any password policy state account usability notice messages for a user. These messages may provide useful information about the state of the user account, but do not necessarily represent a current or imminent problem with the account.

Examples

• Retrieve any password policy state account usability notice messages for user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account get-account-usability-notice-messages \
         get-account-usability-notice-messages --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-account-usability-warning-messages

Retrieve any password policy state account usability warning messages for a user. The messages may provide information about conditions that may leave a user account unusable in the near future unless corrective action is taken.

Examples

• Retrieve any password policy state account usability warning messages for user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account get-account-usability-warning-messages \
         get-account-usability-warning-messages \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-account-usability-error-messages

Retrieve any password policy state account usability error messages for a user. The messages may provide information about conditions that prevent a user account from authenticating, being used as an alternate authorization identity, or otherwise functioning normally.

Examples

• Retrieve any password policy state account usability error messages for user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account get-account-usability-error-messages \
         get-account-usability-error-messages --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-password-changed-time

Retrieve the time that a user's password was last changed, whether via a self change or an administrative reset.

Examples

• Retrieve the time that the password for user 'uid=jdoe,ou=People,dc=example,dc=com' was last changed.

    manage-account get-password-changed-time get-password-changed-time \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand set-password-changed-time

Set the password changed time value for a user.

Arguments

• -O {timestamp} / --passwordChangedTime {timestamp} — The new value for the password changed time. It must be a timestamp formatted either in generalized time form or in the local time zone using one of the following formats: YYYYMMDDhhmmss.uuu, YYYYMMDDhhmmss, or YYYYMMDDhhmm. If this argument is not provided, the password changed time will be set to the current time.
  A provided value must be able to be parsed as a valid generalized time (as described in RFC 4517 section 3.1.13) or as a timestamp in the local time zone using any of the formats 'YYYYMMDDhhmmss.uuu', 'YYYYMMDDhhmmss', or 'YYYYMMDDhhmm'.
  
  

Examples

• Set the password changed time for user 'uid=jdoe,ou=People,dc=example,dc=com' to '20240618150744.248Z'.

    manage-account set-password-changed-time set-password-changed-time \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com \
         --passwordChangedTime 20240618150744.248Z

Usage For Subcommand clear-password-changed-time

Clear the password changed time value for a user. For password policy evaluations that require knowing when the user's password was last changed, the server will attempt to fall back to using the create timestamp, if available.

Examples

• Clear the password changed time for user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account clear-password-changed-time clear-password-changed-time \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-account-is-disabled

Determine whether a user account has been disabled by an administrator and cannot authenticate or be used as an alternate authorization identity. This can also be accomplished with a standard LDAP search operation by determining whether the user entry has a ds-pwp-account-disabled operational attribute with a value of true.

Examples

• Determine whether the account for user 'uid=jdoe,ou=People,dc=example,dc=com' has been disabled by an administrator.

    manage-account get-account-is-disabled get-account-is-disabled \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand set-account-is-disabled

Specify whether a user account is administratively disabled. A disabled account cannot authenticate or be used as an alternate authorization identity. This can also be accomplished with a standard LDAP modify operation by setting the value of the ds-pwp-account-disabled operational attribute in the user's entry with a value of either true or false (or by removing the attribute from the user's entry, which is equivalent to giving it a value of false).

Arguments

• -O {true|false} / --accountIsDisabled {true|false} — The new value for the flag indicating whether the user's account is disabled. The value must be either 'true' or 'false'.
  A provided value should be either 'true' or 'false'.
  
  

Examples

• Update user 'uid=jdoe,ou=People,dc=example,dc=com' to make the account administratively disabled.

    manage-account set-account-is-disabled set-account-is-disabled \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com \
         --accountIsDisabled true

Usage For Subcommand clear-account-is-disabled

Clear the account disabled state information from a user entry, which is logically equivalent to using the set-account-is-disabled subcommand with an accountIsDisabled value of false. This can also be accomplished with a standard LDAP modify operation by removing the ds-pwp-account-disabled operational attribute from the user's entry.

Examples

• Clear the account disabled state information for user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account clear-account-is-disabled clear-account-is-disabled \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-account-activation-time

Retrieve the account activation time for a user. If the activation time is in the future, the user cannot authenticate or be used as an alternate authorization identity. This can also be accomplished with a standard LDAP search operation by retrieving the ds-pwp-account-activation-time operational attribute from the user's entry.

Examples

• Retrieve the account activation time for user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account get-account-activation-time get-account-activation-time \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand set-account-activation-time

Set the account activation time for a user. If the activation time is in the future, the user cannot authenticate or be used as an alternate authorization identity. This can also be accomplished with a standard LDAP modify operation by setting the ds-pwp-account-activation-time attribute to have a generalized time representation of the desired activation time.

Arguments

• -O {timestamp} / --accountActivationTime {timestamp} — The new value for the account activation time. It must be a timestamp formatted either in generalized time form or in the local time zone using one of the following formats: YYYYMMDDhhmmss.uuu, YYYYMMDDhhmmss, or YYYYMMDDhhmm. If this argument is not provided, the account activation time will be set to the current time.
  A provided value must be able to be parsed as a valid generalized time (as described in RFC 4517 section 3.1.13) or as a timestamp in the local time zone using any of the formats 'YYYYMMDDhhmmss.uuu', 'YYYYMMDDhhmmss', or 'YYYYMMDDhhmm'.
  
  

Examples

• Set the account activation time for user 'uid=jdoe,ou=People,dc=example,dc=com' to '20240618150744.248Z'.

    manage-account set-account-activation-time set-account-activation-time \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com \
         --accountActivationTime 20240618150744.248Z

Usage For Subcommand clear-account-activation-time

Clear the account activation time for a user. If the account previously had an activation time in the future, this will make it immediately eligible for use. This can also be accomplished with a standard LDAP modify operation by removing the ds-pwp-account-activation-time attribute from the user's entry.

Examples

• Clear the account activation time for user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account clear-account-activation-time \
         clear-account-activation-time --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-seconds-until-account-activation

Retrieve the length of time in seconds until a user's account is eligible for use.

Examples

• Retrieve the length of time in seconds until user account 'uid=jdoe,ou=People,dc=example,dc=com' will be eligible for use.

    manage-account get-seconds-until-account-activation \
         get-seconds-until-account-activation --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-account-is-not-yet-active

Determine whether a user account has an activation time in the future and therefore cannot authenticate or be used as an alternate authorization identity.

Examples

• Determine whether user 'uid=jdoe,ou=People,dc=example,dc=com' has an account activation time in the future.

    manage-account get-account-is-not-yet-active \
         get-account-is-not-yet-active --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-account-expiration-time

Retrieve the account expiration time for a user. If the expiration time is in the past, the user cannot authenticate or be used as an alternate authorization identity. This can also be accomplished with a standard LDAP search operation by retrieving the ds-pwp-account-expiration-time operational attribute from the user's entry.

Examples

• Retrieve the account expiration time for user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account get-account-expiration-time get-account-expiration-time \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand set-account-expiration-time

Set the account expiration time for a user. If the expiration time is in the past, the user cannot authenticate or be used as an alternate authorization identity. This can also be accomplished with a standard LDAP modify operation by setting the ds-pwp-account-expiration-time attribute to have a generalized time representation of the desired expiration time.

Arguments

• -O {timestamp} / --accountExpirationTime {timestamp} — The new value for the account expiration time. It must be a timestamp formatted either in generalized time form or in the local time zone using one of the following formats: YYYYMMDDhhmmss.uuu, YYYYMMDDhhmmss, or YYYYMMDDhhmm. If this argument is not provided, the account expiration time will be set to the current time.
  A provided value must be able to be parsed as a valid generalized time (as described in RFC 4517 section 3.1.13) or as a timestamp in the local time zone using any of the formats 'YYYYMMDDhhmmss.uuu', 'YYYYMMDDhhmmss', or 'YYYYMMDDhhmm'.
  
  

Examples

• Set the account expiration time for user 'uid=jdoe,ou=People,dc=example,dc=com' to '20240618150744.248Z'.

    manage-account set-account-expiration-time set-account-expiration-time \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com \
         --accountExpirationTime 20240618150744.248Z

Usage For Subcommand clear-account-expiration-time

Clear the account expiration time for a user. If the account previously had an expiration time in the past, this will make it immediately eligible for use. This can also be accomplished with a standard LDAP modify operation by removing the ds-pwp-account-expiration-time attribute from the user's entry.

Examples

• Clear the account expiration time for user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account clear-account-expiration-time \
         clear-account-expiration-time --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-seconds-until-account-expiration

Retrieve the length of time in seconds until a user's account expires.

Examples

• Retrieve the length of time in seconds until user account 'uid=jdoe,ou=People,dc=example,dc=com' expires.

    manage-account get-seconds-until-account-expiration \
         get-seconds-until-account-expiration --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-account-is-expired

Determine whether a user account has an expiration time in the past and therefore cannot authenticate or be used as an alternate authorization identity.

Examples

• Determine whether user 'uid=jdoe,ou=People,dc=example,dc=com' has an account expiration time in the past.

    manage-account get-account-is-expired get-account-is-expired \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-password-expiration-warned-time

Retrieve the time that a user received the first warning about an upcoming password expiration. This will only be available if password expiration is enabled in the user's password policy.

Examples

• Retrieve the time that user 'uid=jdoe,ou=People,dc=example,dc=com' received the first warning about an upcoming password expiration.

    manage-account get-password-expiration-warned-time \
         get-password-expiration-warned-time --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand set-password-expiration-warned-time

Specify the time that a user received the first warning about an upcoming password expiration. Note that this will not in itself trigger a password expiration warning nor cause any account status notification handlers to be invoked. This will have no effect if password expiration is not enabled in the user's password policy.

Arguments

• -O {timestamp} / --passwordExpirationWarnedTime {timestamp} — The new value for the password expiration warned time. It must be a timestamp formatted either in generalized time form or in the local time zone using one of the following formats: YYYYMMDDhhmmss.uuu, YYYYMMDDhhmmss, or YYYYMMDDhhmm. If this argument is not provided, the password expiration warned time will be set to the current time.
  A provided value must be able to be parsed as a valid generalized time (as described in RFC 4517 section 3.1.13) or as a timestamp in the local time zone using any of the formats 'YYYYMMDDhhmmss.uuu', 'YYYYMMDDhhmmss', or 'YYYYMMDDhhmm'.
  
  

Examples

• Set the password expiration warned time for user 'uid=jdoe,ou=People,dc=example,dc=com' to '20240618150744.248Z'.

    manage-account set-password-expiration-warned-time \
         set-password-expiration-warned-time --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com \
         --passwordExpirationWarnedTime 20240618150744.248Z

Usage For Subcommand clear-password-expiration-warned-time

Clear a record of any password expiration warning from a user's entry.

Examples

• Clear the password expiration warned time for user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account clear-password-expiration-warned-time \
         clear-password-expiration-warned-time --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-seconds-until-password-expiration-warning

Retrieve the length of time in seconds until a user will be eligible to start receiving warnings about an upcoming password expiration. This will only be available if password expiration is enabled in the user's password policy.

Examples

• Retrieve the length of time in seconds until user 'uid=jdoe,ou=People,dc=example,dc=com' will be eligible to start receiving password expiration warnings.

    manage-account get-seconds-until-password-expiration-warning \
         get-seconds-until-password-expiration-warning \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-password-expiration-time

Retrieves the time that a user's password will expire. This will only be available if password expiration is enabled in the user's password policy.

Examples

• Retrieves the time that the password for user 'uid=jdoe,ou=People,dc=example,dc=com' will expire.

    manage-account get-password-expiration-time get-password-expiration-time \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-seconds-until-password-expiration

Retrieves the length of time in seconds until a user's password will expire. This will only be available if password expiration is available in the user's password policy.

Examples

• Retrieves the length of time in seconds until the password for user 'uid=jdoe,ou=People,dc=example,dc=com' expires.

    manage-account get-seconds-until-password-expiration \
         get-seconds-until-password-expiration --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-password-is-expired

Determine whether a user account has an expired password and therefore cannot authenticate or be used as an alternate authorization identity.

Examples

• Determine whether user 'uid=jdoe,ou=People,dc=example,dc=com' has an expired password.

    manage-account get-password-is-expired get-password-is-expired \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-account-is-failure-locked

Determines whether a user's account is locked as a result of too many failed authentication attempts. This will only be available if failure lockout is enabled in the user's password policy.

Examples

• Determines whether the account for user 'uid=jdoe,ou=People,dc=example,dc=com' is locked as a result of too many failed authentication attempts.

    manage-account get-account-is-failure-locked \
         get-account-is-failure-locked --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand set-account-is-failure-locked

Specifies whether a user's account should be locked as a result of too many failed authentication attempts. This will have no effect if failure lockout is not enabled in the user's password policy.

Arguments

• -O {true|false} / --accountIsFailureLocked {true|false} — Indicates whether the user's account should be locked as a result of too many failed authentication attempts. The value must be either 'true' (in which case the server will update the user's entry to include the necessary number of failed authentication attempts) or 'false' (in which case the server will clear information about any authentication failures from a user's entry).
  A provided value should be either 'true' or 'false'.
  
  

Examples

• Forces the account for user 'uid=jdoe,ou=People,dc=example,dc=com' to be locked as a result of too many failed authentication attempts.

    manage-account set-account-is-failure-locked \
         set-account-is-failure-locked --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com \
         --accountIsFailureLocked true

Usage For Subcommand get-failure-lockout-time

Retrieves the time that a user's account was locked as a result of too many failed authentication attempts. This will only be available if failure lockout is enabled in the user's password policy.

Examples

• Retrieves the time that the account for user 'uid=jdoe,ou=People,dc=example,dc=com' was locked as a result of too many failed authentication attempts.

    manage-account get-failure-lockout-time get-failure-lockout-time \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-seconds-until-authentication-failure-unlock

Retrieves the length of time in seconds until a user's temporary failure lockout expires. This will only be available if failure lockout is enabled in the user's password policy.

Examples

• Retrieves the length of time in seconds until the temporary failure lockout for user 'uid=jdoe,ou=People,dc=example,dc=com' expires.

    manage-account get-seconds-until-authentication-failure-unlock \
         get-seconds-until-authentication-failure-unlock \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-authentication-failure-times

Retrieves the timestamps for any failed authentication attempts for a user since the user's last successful authentication. This will only be available if failure lockout is enabled in the user's password policy.

Examples

• Retrieves the timestamps for any failed authentication attempts for user 'uid=jdoe,ou=People,dc=example,dc=com' since that user's last successful authentication.

    manage-account get-authentication-failure-times \
         get-authentication-failure-times --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand add-authentication-failure-time

Adds one or more new values to the set of authentication failure times for a user. If the resulting set of authentication failure times has reached the configured lockout failure count, the user's account will be locked. This will have no effect if failure lockout is not enabled in the user's password policy.

Arguments

• -O {timestamp} / --authenticationFailureTime {timestamp} — A timestamp for an authentication failure time to add to the user's entry. It must be a timestamp formatted either in generalized time form or in the local time zone using one of the following formats: YYYYMMDDhhmmss.uuu, YYYYMMDDhhmmss, or YYYYMMDDhhmm. This argument may be provided multiple times to specify multiple authentication failure times. If this argument is not provided, the current time will be added to the set of authentication failure times.
  A provided value must be able to be parsed as a valid generalized time (as described in RFC 4517 section 3.1.13) or as a timestamp in the local time zone using any of the formats 'YYYYMMDDhhmmss.uuu', 'YYYYMMDDhhmmss', or 'YYYYMMDDhhmm'.
  
  

Examples

• Adds the current time to the set of authentication failure times for user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account add-authentication-failure-time \
         add-authentication-failure-time --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand set-authentication-failure-times

Sets the timestamps for failed authentication attempts for a user. If the number of authentication failure times provided is greater than or equal to the lockout failure count for the user's password policy, the user's account will be locked. This will have no effect if failure lockout is not enabled in the user's password policy.

Arguments

• -O {timestamp} / --authenticationFailureTime {timestamp} — A timestamp for an authentication failure time to set in the user's entry. It must be a timestamp formatted either in generalized time form or in the local time zone using one of the following formats: YYYYMMDDhhmmss.uuu, YYYYMMDDhhmmss, or YYYYMMDDhhmm. This argument may be provided multiple times to specify multiple authentication failure times. If this argument is not provided, the set of authentication failure times will be updated to include only the current time.
  A provided value must be able to be parsed as a valid generalized time (as described in RFC 4517 section 3.1.13) or as a timestamp in the local time zone using any of the formats 'YYYYMMDDhhmmss.uuu', 'YYYYMMDDhhmmss', or 'YYYYMMDDhhmm'.
  
  

Examples

• Sets the authentication failure times for user 'uid=jdoe,ou=People,dc=example,dc=com' to include values of '20240618150731.903Z' and '20240618150744.248Z'.

    manage-account set-authentication-failure-times \
         set-authentication-failure-times --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com \
         --authenticationFailureTime 20240618150731.903Z \
         --authenticationFailureTime 20240618150744.248Z

Usage For Subcommand clear-authentication-failure-times

Clears the set of authentication failure times for a user. If the user's account had been locked be of too many failed authentication attempts, this will also clear that lockout.

Examples

• Clears the authentication failure times for user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account clear-authentication-failure-times \
         clear-authentication-failure-times --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-remaining-authentication-failure-count

Retrieves the number of additional failed authentication attempts that will be required to lock a user's account. This will only be available if failure lockout is enabled in the user's password policy.

Examples

• Retrieves the remaining number of failed authentication attempts that will be required to lock the account for user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account get-remaining-authentication-failure-count \
         get-remaining-authentication-failure-count \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-account-is-idle-locked

Determines whether a user's account is locked because it has been too long since the user last authenticated. This will only be available if idle lockout is enabled in the user's password policy.

Examples

• Determines whether the account for user 'uid=jdoe,ou=People,dc=example,dc=com' is locked because it has been too long since the user last authenticated.

    manage-account get-account-is-idle-locked get-account-is-idle-locked \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-seconds-until-idle-lockout

Retrieves the length of time in seconds until the user's account will be locked because it has been too long since the user last authenticated. This will only be available if idle lockout is enabled in the user's password policy.

Examples

• Retrieves the length of time until the account for user 'uid=jdoe,ou=People,dc=example,dc=com' will be locked because it has been too long since the user last authenticated.

    manage-account get-seconds-until-idle-lockout \
         get-seconds-until-idle-lockout --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-idle-lockout-time

Retrieves the time at which the user's account was locked because it had been too long since the user last authenticated, or the time it will be locked unless the user authenticates before that time. This will only be available if idle lockout is enabled in the user's password policy

Examples

• Retrieves the time at which the account for user 'uid=jdoe,ou=People,dc=example,dc=com' was locked because it had been too long since the user had last authenticated.

    manage-account get-idle-lockout-time get-idle-lockout-time \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-must-change-password

Determines whether a user's password has been reset by an administrator and the user must choose a new password before they will be allowed to perform any other operations.

Examples

• Determines whether the password for user 'uid=jdoe,ou=People,dc=example,dc=com' has been reset and must be changed before any other operations will be allowed.

    manage-account get-must-change-password get-must-change-password \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand set-must-change-password

Specifies whether a user's password has been reset by an administrator and the user must choose a new password before they will be allowed to perform any other operations.

Arguments

• -O {true|false} / --mustChangePassword {true|false} — Indicates whether the user should be forced to choose a new password before being permitted to perform any other operations. The value must be either 'true' or 'false'.
  A provided value should be either 'true' or 'false'.
  
  

Examples

• Specifies that the password for user 'uid=jdoe,ou=People,dc=example,dc=com' has been reset by an administrator and must be changed before they will be allowed to perform any other operations.

    manage-account set-must-change-password set-must-change-password \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com \
         --mustChangePassword true

Usage For Subcommand clear-must-change-password

Clears the password reset state information from a user's account. If the account had previously been locked because the user failed to choose a new password in a timely manner after an administrative reset, that lockout will be lifted.

Examples

• Clears the password reset state information from the account for user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account clear-must-change-password clear-must-change-password \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-account-is-password-reset-locked

Determines whether the user's account is locked because the user failed to choose a new password in a timely manner after an administrative reset. This will only be available if a maximum password reset age is defined in the user's password policy.

Examples

• Determines whether the account for user 'uid=jdoe,ou=People,dc=example,dc=com' is locked because the user failed to choose a new password in a timely manner after an administrative reset.

    manage-account get-account-is-password-reset-locked \
         get-account-is-password-reset-locked --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-seconds-until-password-reset-lockout

Determines the length of time in seconds until the user's account will be locked unless they choose a new password after an administrative password reset. This will only be available if a maximum password reset age is defined in the user's password policy.

Examples

• Determines the length of time in seconds until the account for user 'uid=jdoe,ou=People,dc=example,dc=com' will be locked unless they choose a new password.

    manage-account get-seconds-until-password-reset-lockout \
         get-seconds-until-password-reset-lockout \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-password-reset-lockout-time

Retrieves the time that a user's account was or will be locked for failing to choose a new password in a timely manner after an administrative reset. This will only be available if a maximum password reset age is defined in the user's password policy.

Examples

• Retrieves the time that the account for user 'uid=jdoe,ou=People,dc=example,dc=com' was or will be locked for failing to choose a new password in a timely manner after an administrative reset.

    manage-account get-password-reset-lockout-time \
         get-password-reset-lockout-time --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-last-login-time

Retrieves the time that a user last authenticated. This will only be available if last login time tracking is enabled in the user's password policy.

Examples

• Retrieves the time that user 'uid=jdoe,ou=People,dc=example,dc=com' last authenticated.

    manage-account get-last-login-time get-last-login-time \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand set-last-login-time

Specifies the time that a user last authenticated. This will have no effect if last login time tracking is not enabled in the user's password policy.

Arguments

• -O {timestamp} / --lastLoginTime {timestamp} — The timestamp to use for the last login time value. It must be a timestamp formatted either in generalized time form or in the local time zone using one of the following formats: YYYYMMDDhhmmss.uuu, YYYYMMDDhhmmss, or YYYYMMDDhhmm. If this argument is not provided, the last login time will be set to the current time.
  A provided value must be able to be parsed as a valid generalized time (as described in RFC 4517 section 3.1.13) or as a timestamp in the local time zone using any of the formats 'YYYYMMDDhhmmss.uuu', 'YYYYMMDDhhmmss', or 'YYYYMMDDhhmm'.
  
  

Examples

• Sets the last login time for user 'uid=jdoe,ou=People,dc=example,dc=com' to '20240618150744.248Z'.

    manage-account set-last-login-time set-last-login-time \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com \
         --lastLoginTime 20240618150744.248Z

Usage For Subcommand clear-last-login-time

Clears the last login time from a user's entry. This will have no effect if last login time tracking is not enabled in the user's password policy.

Examples

• Clears the last login time for user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account clear-last-login-time clear-last-login-time \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-last-login-ip-address

Retrieves the IP address of the client from which a user last authenticated. This will only be available if last login IP address tracking is enabled in the user's password policy.

Examples

• Retrieves the IP address of the client from which user 'uid=jdoe,ou=People,dc=example,dc=com' last authenticated.

    manage-account get-last-login-ip-address get-last-login-ip-address \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand set-last-login-ip-address

Specifies the IP address of the client from which a user last authenticated. This will have no effect if last login IP address tracking is not enabled in the user's password policy.

Arguments

• -O {value} / --lastLoginIPAddress {value} — The last login IP address value to use. It may be an IPv4 or IPv6 address.
  
  

Examples

• Sets the last login IP address for user 'uid=jdoe,ou=People,dc=example,dc=com' to '1.2.3.4'.

    manage-account set-last-login-ip-address set-last-login-ip-address \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com \
         --lastLoginIPAddress 1.2.3.4

Usage For Subcommand clear-last-login-ip-address

Clears the last login IP address from a user's entry. This will have no effect if last login IP address tracking is not enabled in the user's password policy.

Examples

• Clears the last login IP address for user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account clear-last-login-ip-address clear-last-login-ip-address \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-grace-login-use-times

Retrieves the times that a user has authenticated with grace logins after their password had expired. This will only be available if both password expiration and grace login supports are configured in the user's password policy.

Examples

• Retrieves the grace login times for user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account get-grace-login-use-times get-grace-login-use-times \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand add-grace-login-use-time

Adds one or more new values to the set of grace login use times for a user. This will have no effect unless both password expiration and grace login support are configured in the user's password policy.

Arguments

• -O {timestamp} / --graceLoginUseTime {timestamp} — A timestamp for a grace login use time to add to the user's entry. It must be a timestamp formatted either in generalized time form or in the local time zone using one of the following formats: YYYYMMDDhhmmss.uuu, YYYYMMDDhhmmss, or YYYYMMDDhhmm. This argument may be provided multiple times to specify multiple grace login use times. If this argument is not provided, the current time will be used.
  A provided value must be able to be parsed as a valid generalized time (as described in RFC 4517 section 3.1.13) or as a timestamp in the local time zone using any of the formats 'YYYYMMDDhhmmss.uuu', 'YYYYMMDDhhmmss', or 'YYYYMMDDhhmm'.
  
  

Examples

• Adds the current time to the set of grace login use times for user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account add-grace-login-use-time add-grace-login-use-time \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand set-grace-login-use-times

Replaces the set of grace login use times for a user. This will have no effect unless both password expiration and grace login support are configured in the user's password policy.

Arguments

• -O {timestamp} / --graceLoginUseTime {timestamp} — A timestamp for a grace login use time to set in the user's entry. It must be a timestamp formatted either in generalized time form or in the local time zone using one of the following formats: YYYYMMDDhhmmss.uuu, YYYYMMDDhhmmss, or YYYYMMDDhhmm. This argument may be provided multiple times to specify multiple grace login use times. If this argument is not provided, the set of grace login use times will be updated to contain only the current time.
  A provided value must be able to be parsed as a valid generalized time (as described in RFC 4517 section 3.1.13) or as a timestamp in the local time zone using any of the formats 'YYYYMMDDhhmmss.uuu', 'YYYYMMDDhhmmss', or 'YYYYMMDDhhmm'.
  
  

Examples

• Sets the grace login use times for user 'uid=jdoe,ou=People,dc=example,dc=com' to be '20240618150731.903Z' and '20240618150744.248Z'.

    manage-account set-grace-login-use-times set-grace-login-use-times \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com \
         --graceLoginUseTime 20240618150731.903Z \
         --graceLoginUseTime 20240618150744.248Z

Usage For Subcommand clear-grace-login-use-times

Clears the set of grace login use times for a user. This will have no effect unless both password expiration and grace login support are configured in the user's password policy.

Examples

• Clears the set of grace login use times for user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account clear-grace-login-use-times clear-grace-login-use-times \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-remaining-grace-login-count

Retrieves the number of additional grace logins that will be available to a user before they will be unable to authenticate with an expired password. This will only be available if both password expiration and grace login support are enabled in the user's password policy.

Examples

• Retrieves the remaining number of grace logins that for user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account get-remaining-grace-login-count \
         get-remaining-grace-login-count --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-password-changed-by-required-time

Retrieves the most recent required change time with which a user has complied. This will only be available if a required change time is configured in the user's password policy.

Examples

• Retrieves the most recent required change time with which user 'uid=jdoe,ou=People,dc=example,dc=com' has complied.

    manage-account get-password-changed-by-required-time \
         get-password-changed-by-required-time --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand set-password-changed-by-required-time

Specifies the most recent required change time with which a user has complied. This will not have any effect unless a required change time is configured in the user's password policy.

Arguments

• -O {timestamp} / --passwordChangedByRequiredTime {timestamp} — The most recent required change time with which the user has complied. It must be a timestamp formatted either in generalized time form or in the local time zone using one of the following formats: YYYYMMDDhhmmss.uuu, YYYYMMDDhhmmss, or YYYYMMDDhhmm. If this argument is not provided, the most recent required change time will be used.
  A provided value must be able to be parsed as a valid generalized time (as described in RFC 4517 section 3.1.13) or as a timestamp in the local time zone using any of the formats 'YYYYMMDDhhmmss.uuu', 'YYYYMMDDhhmmss', or 'YYYYMMDDhhmm'.
  
  

Examples

• Specifies that user 'uid=jdoe,ou=People,dc=example,dc=com' has most recently complied with the most recent required change time.

    manage-account set-password-changed-by-required-time \
         set-password-changed-by-required-time --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand clear-password-changed-by-required-time

Clears the record of the most recent required change time with which a user has complied. This will not have any effect unless a required change time is configured in the user's password policy.

Examples

• Clears the record of the most recent required change time with which user 'uid=jdoe,ou=People,dc=example,dc=com' complied.

    manage-account clear-password-changed-by-required-time \
         clear-password-changed-by-required-time \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-seconds-until-required-password-change-time

Retrieves the length of time in seconds until the user account is locked for failure to comply with a required change time. This will only be available if a required change time is configured in the user's password policy.

Examples

• Retrieves the length of time in seconds until the account for user 'uid=jdoe,ou=People,dc=example,dc=com' is locked for failure to comply with a required change time.

    manage-account get-seconds-until-required-password-change-time \
         get-seconds-until-required-password-change-time \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-password-history-count

Retrieves the number of passwords in a user's password history. This will only be available if the password history is enabled in the user's password policy.

Examples

• Retrieves the number of passwords in the password history for user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account get-password-history-count get-password-history-count \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand clear-password-history

Clears the password history for a user. This will have no effect if the password history is not enabled in the user's password policy.

Examples

• Clears the password history for user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account clear-password-history clear-password-history \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-has-retired-password

Determines whether a user has an active retired password.

Examples

• Determines whether user 'uid=jdoe,ou=People,dc=example,dc=com' has a retired password.

    manage-account get-has-retired-password get-has-retired-password \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-password-retired-time

Retrieves the time that a user's former password was retired.

Examples

• Retrieves the time the former password for user 'uid=jdoe,ou=People,dc=example,dc=com' was retired.

    manage-account get-password-retired-time get-password-retired-time \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-retired-password-expiration-time

Retrieves the time that a user's retired password will expire.

Examples

• Retrieves the time that the retired password for user 'uid=jdoe,ou=People,dc=example,dc=com' will expire.

    manage-account get-retired-password-expiration-time \
         get-retired-password-expiration-time --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand clear-retired-password

Purges a retired password from a user's entry so that it may no longer be used to authenticate.

Examples

• Purges a retired password for user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account clear-retired-password clear-retired-password \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-available-sasl-mechanisms

Retrieves a list of the SASL mechanisms that are available for a user. This will take into account the server configuration, the types of credentials the user has, and the authentication constraints defined for the user.

Examples

• Retrieves a list of the SASL mechanisms that are available for user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account get-available-sasl-mechanisms \
         get-available-sasl-mechanisms --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-available-otp-delivery-mechanisms

Retrieves a list of the one-time password delivery mechanisms that are available for a user. If the user's entry includes information about which OTP delivery mechanisms are preferred, then the values will be returned in order of most preferred to least preferred.

Examples

• Retrieves a list of the one-time password delivery mechanisms that are available for user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account get-available-otp-delivery-mechanisms \
         get-available-otp-delivery-mechanisms --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-has-totp-shared-secret

Determines whether a user has at least one TOTP shared secret that may be used in conjunction with the UNBOUNDID-TOTP SASL mechanism or the Verify TOTP extended operation.

Examples

• Determines whether user 'uid=jdoe,ou=People,dc=example,dc=com' has at least one TOTP shared secret.

    manage-account get-has-totp-shared-secret get-has-totp-shared-secret \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand add-totp-shared-secret

Adds a value to the set of TOTP shared secrets for a user.

Arguments

• -O {value} / --totpSharedSecret {value} — The public ID for a YubiKey OTP device to register for a user. This argument must be provided at least once, but may be provided multiple times to specify multiple public IDs to register.
  
  

Examples

• Adds value 'abcdefghijklmnop' to the set of TOTP shared secrets for user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account add-totp-shared-secret add-totp-shared-secret \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com \
         --totpSharedSecret abcdefghijklmnop

Usage For Subcommand remove-totp-shared-secret

Removes a value from the set of TOTP shared secrets for a user.

Arguments

• -O {value} / --totpSharedSecret {value} — The public ID for a YubiKey OTP device to deregister for a user. This argument must be provided at least once, but may be provided multiple times to specify multiple public IDs to deregister.
  
  

Examples

• Removes value 'abcdefghijklmnop' from the set of TOTP shared secrets for user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account remove-totp-shared-secret remove-totp-shared-secret \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com \
         --totpSharedSecret abcdefghijklmnop

Usage For Subcommand set-totp-shared-secrets

Replaces the set of TOTP shared secrets registered for a user.

Arguments

• -O {value} / --totpSharedSecret {value} — The TOTP shared secret to register for a user. This argument must be provided at least once, but may be provided multiple times to specify multiple TOTP shared secrets to register.
  
  

Examples

• Replaces the set of TOTP shared secrets for user 'uid=jdoe,ou=People,dc=example,dc=com' with a single value of 'abcdefghijklmnop'.

    manage-account set-totp-shared-secrets set-totp-shared-secrets \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com \
         --totpSharedSecret abcdefghijklmnop

Usage For Subcommand clear-totp-shared-secrets

Clears the set of TOTP shared secrets registered for a user.

Examples

• Clears the set of TOTP shared secrets registered for user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account clear-totp-shared-secrets clear-totp-shared-secrets \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-has-registered-yubikey-public-id

Determines whether a user has at least one registered YubiKey OTP device public ID.

Examples

• Determines whether user 'uid=jdoe,ou=People,dc=example,dc=com' has at least one registered YubiKey OTP device public ID.

    manage-account get-has-registered-yubikey-public-id \
         get-has-registered-yubikey-public-id --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-registered-yubikey-public-ids

Retrieves a list of the public IDs of the YubiKey OTP devices registered for a user.

Examples

• Retrieves a list of the public IDs of the YubiKey OTP devices registered for user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account get-registered-yubikey-public-ids \
         get-registered-yubikey-public-ids --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand add-registered-yubikey-public-id

Adds a value to the set of registered YubiKey OTP public IDs for a user.

Arguments

• -O {value} / --publicID {value} — The public ID for a YubiKey OTP device to register for a user. This argument must be provided at least once, but may be provided multiple times to specify multiple public IDs to register.
  
  

Examples

• Adds value 'abcdefghijkl' to the set of registered YubiKey OTP public IDs for user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account add-registered-yubikey-public-id \
         add-registered-yubikey-public-id --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com \
         --publicID abcdefghijkl

Usage For Subcommand remove-registered-yubikey-public-id

Removes a value from the set of registered YubiKey OTP public IDs for a user.

Arguments

• -O {value} / --publicID {value} — The public ID for a YubiKey OTP device to deregister for a user. This argument must be provided at least once, but may be provided multiple times to specify multiple public IDs to deregister.
  
  

Examples

• Removes value 'abcdefghijkl' from the set of registered YubiKey OTP public IDs for user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account remove-registered-yubikey-public-id \
         remove-registered-yubikey-public-id --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com \
         --publicID abcdefghijkl

Usage For Subcommand set-registered-yubikey-public-ids

Replaces the list of the public IDs of the YubiKey OTP devices registered for a user.

Arguments

• -O {value} / --publicID {value} — The public ID for a YubiKey OTP device to register for a user. This argument must be provided at least once, but may be provided multiple times to specify multiple public IDs to register.
  
  

Examples

• Replaces the list of the public IDs of the YubiKey OTP devices registered for user 'uid=jdoe,ou=People,dc=example,dc=com' with a single public ID of 'abcdefghijkl'.

    manage-account set-registered-yubikey-public-ids \
         set-registered-yubikey-public-ids --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com \
         --publicID abcdefghijkl

Usage For Subcommand clear-registered-yubikey-public-ids

Clears the list of the public IDs of the YubiKey OTP devices registered for a user.

Examples

• Clears the list of the public IDs of the YubiKey OTP devices registered for user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account clear-registered-yubikey-public-ids \
         clear-registered-yubikey-public-ids --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-has-static-password

Determines whether a user has one static password.

Examples

• Determines whether user 'uid=jdoe,ou=People,dc=example,dc=com' has a static password.

    manage-account get-has-static-password get-has-static-password \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-last-bind-password-validation-time

Retrieves the time the server last invoked password validators during a bind operation for a user.

Examples

• Retrieves the time the server last invoked password validators during a bind operation for user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account get-last-bind-password-validation-time \
         get-last-bind-password-validation-time \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-seconds-since-last-bind-password-validation

Retrieves the length of time in seconds since the server last invoked password validators during a bind operation for a user.

Examples

• Retrieves the length of time in seconds since the server last invoked password validators during a bind operation for user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account get-seconds-since-last-bind-password-validation \
         get-seconds-since-last-bind-password-validation \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand set-last-bind-password-validation-time

Specifies the time the server last invoked password validators during a bind operation for a user.

Arguments

• -O {timestamp} / --validationTime {timestamp} — The new value for the last bind password validation time for the user. It must be a timestamp formatted either in generalized time form or in the local time zone using one of the following formats: YYYYMMDDhhmmss.uuu, YYYYMMDDhhmmss, or YYYYMMDDhhmm. If this argument is not provided, the last bind password validation time will be set to the current time.
  A provided value must be able to be parsed as a valid generalized time (as described in RFC 4517 section 3.1.13) or as a timestamp in the local time zone using any of the formats 'YYYYMMDDhhmmss.uuu', 'YYYYMMDDhhmmss', or 'YYYYMMDDhhmm'.
  
  

Examples

• Updates the password policy state for user 'uid=jdoe,ou=People,dc=example,dc=com' to indicate that the server last invoked password validators during a bind at time '20240618150744.248Z'.

    manage-account set-last-bind-password-validation-time \
         set-last-bind-password-validation-time \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com \
         --validationTime 20240618150744.248Z

Usage For Subcommand clear-last-bind-password-validation-time

Clears the time the server last invoked password validators during a bind operation for a user.

Examples

• Clears the time the server last invoked password validators during a bind operation for user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account clear-last-bind-password-validation-time \
         clear-last-bind-password-validation-time \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand get-account-is-validation-locked

Determines whether a user's account is locked because it contains a password that does not satisfy all of the configured password validators.

Examples

• Determines whether the account for user 'uid=jdoe,ou=People,dc=example,dc=com' is locked because it contains a password that does not satisfy all of the configured password validators.

    manage-account get-account-is-validation-locked \
         get-account-is-validation-locked --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand set-account-is-validation-locked

Specifies whether a user's account should be locked because it contains a password that does not satisfy all of the configured password validators.

Arguments

• -O {true|false} / --accountIsValidationLocked {true|false} — Indicates whether the user's account should be locked because it contains a password that does not satisfy all of the configured password validators. The value must be either 'true' or 'false'.
  A provided value should be either 'true' or 'false'.
  
  

Examples

• Forces the account for user 'uid=jdoe,ou=People,dc=example,dc=com' to be locked because it contains a password that does not satisfy all of the configured password validators.

    manage-account set-account-is-validation-locked \
         set-account-is-validation-locked --hostname server.example.com \
         --port 389 --bindDN uid=admin,dc=example,dc=com \
         --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com \
         --accountIsValidationLocked true

Usage For Subcommand get-recent-login-history

Retrieves the user's recent login history.

Examples

• Retrieves the recent login history for user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account get-recent-login-history get-recent-login-history \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com

Usage For Subcommand clear-recent-login-history

Clears the user's recent login history.

Examples

• Clears the recent login history for user 'uid=jdoe,ou=People,dc=example,dc=com'.

    manage-account clear-recent-login-history clear-recent-login-history \
         --hostname server.example.com --port 389 \
         --bindDN uid=admin,dc=example,dc=com --promptForBindPassword \
         --targetDN uid=jdoe,ou=People,dc=example,dc=com