How to unlock user on ApacheDS

More recently, I encountered the same problem at work. But, it seems that there is no answer on Internet. Finally,I found the answer by viewing this document:

Password Policy for LDAP Directories draft-behera-ldap-password-policy

  • At section 5.3.3: pwdAccountLockedTime

This attribute holds the time that the user's account was locked. A
locked account means that the password may no longer be used to
authenticate. A 000001010000Z value means that the account has been
locked permanently, and that only a password administrator can unlock the account.

  • At section 5.2.12: pwdLockoutDuration

This attribute holds the number of seconds that the password cannot
be used to authenticate due to too many failed bind attempts. If
this attribute is not present, or if the value is 0 the password
cannot be used to authenticate until reset by a password
administrator.

Through above two section, we can assume that we should connect to ApacheDS server with administrator(by default: uid=admin,ou=system, password=secret ), and delete the user's userPassword attribute. By this way,the permanently locked user can be unlock.

I practiced this sulotion and it works well.

I suggest you should set value for pwdLockoutDuration attribute, in this case the user can not been permanently locked.

For more infomation:

ApacheDS password Policy


Use ApacheDS Studio and log in as admin, find the user, right-click and choose "Fetch->Fetch operational attributes". Now pwdAccountLockedTime is visible and you can delete it to unlocks the user


The answer by Mister's is perfect to unlock an account and if you want to set the pwdLockoutDuration for a single user (assuming the user has implemnted the objectClass pwdPolicy.

There is also a global config file found in: 

ou=config
  *  ads-directoryServiceId=<default>
    * ou=interceptors
       * ads-interceptorId=authenticationInterceptor
          * ou=passwordPolicies

Here we can set the default password policy:

enter image description here

As mine is just a test-server, I have completely disabled lockout via setting the ads-pwdlockout to FALSE. For more on configuring password policy read the official docs.

Tags:

Ldap

Apacheds

Password Policy

Recent Posts