pwdAccountLockedTime and unlocking a user
807573, Aug 21 2009 (edited Apr 8 2010)

So we are migrating from Directory Server 5.2 to DS6 and have come across the same stumbling block others have had about unlocking accounts in DS6.
We are using Identity Manager to handle our accounts and unlocking of users is done via Identity Manager to the LDAP server.
Back in DS5.2 that basically meant removing the "nsaccountlock" attribute.
Now in DS6 when users lock their accounts from incorrect password guesses, "pwdAccountLockedTime" with a value of "000001010000Z" gets added to the user.
The DS6 man page reference for "pwdAccountLockedTime" states "that only a password administrator can unlock the account."
http://docs.sun.com/app/docs/doc/819-0986/6n3chgmg5?a=view
So what constitutes a password administrator? Our account that Identity Manager uses is in the "ou=Directory Administrators" branch and has an ACI to allow read/write/delete, etc. to the entire DN.
We tried having this user remove the "pwdAccountLockedTime" to unlock the user, but get constraint violations.
Reading in the forums the only way I've seen people do it is to edit 00ds6pwp.ldif schema file and remove the NO-USER-MODIFICATION flag.
We don't want to do any unsupported hacks.
Is there a way to have our Identity Manager Admin be able to unlock people's accounts?
P.S. I've also read it can be done by changing the users password. We don't want that either.
Thanks
Steve
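The post above contrasts two lock mechanisms: the DS 5.2 style "nsaccountlock" flag, which an administrator with write access simply deletes, and the DS6 password-policy "pwdAccountLockedTime" attribute, which the server writes as the sentinel "000001010000Z" when the lock is not time-limited and which is marked NO-USER-MODIFICATION. The following helper, an added example and not code from the original post or from Sun, reads both attributes off an entry (constructed in memory here; no live server is contacted) and reports whether the account is locked and what kind of unlock it needs. The `lockout_duration` parameter, the policy's pwdLockoutDuration in seconds, is assumed to be supplied by the caller; it is not mentioned in the post, and the expiry arithmetic is an assumption about how a time-limited DS6 lockout behaves.

```python
"""Classify the lock state of a Directory Server entry.

Lock bookkeeping differs between DS 5.2 (nsaccountlock) and the DS6
password policy (pwdAccountLockedTime). Entries here are plain dicts of
attribute name -> list of string values, as an LDAP client would return.
"""
from datetime import datetime, timedelta, timezone

# Value DS6 writes into pwdAccountLockedTime when the lockout does not
# expire on its own: year 0000, a time no clock ever reaches.
PERMANENT_LOCK = "000001010000Z"


def _attr(entry, name):
    """Case-insensitive single-valued attribute lookup. LDAP attribute
    types are case-insensitive, so a server may return either spelling."""
    for key, values in entry.items():
        if key.lower() == name.lower() and values:
            return values[0]
    return None


def parse_generalized_time(value):
    """Parse the YYYYMMDDHHMMSSZ GeneralizedTime form into an aware UTC
    datetime. Fractional seconds and UTC offsets are not handled; DS6
    writes the plain Z form for this attribute."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def lock_state(entry, now, lockout_duration=0):
    """Return (locked, reason, unlock_hint) for an entry at time `now`.

    lockout_duration: assumed value of the policy's pwdLockoutDuration in
    seconds; 0 means the lock never expires by itself (this mapping is an
    assumption, not taken from the post).
    """
    # DS 5.2 style administrative lock: a boolean attribute that an
    # administrator with write access removes to unlock.
    if (_attr(entry, "nsaccountlock") or "").lower() == "true":
        return True, "nsaccountlock", "delete nsaccountlock"

    locked_time = _attr(entry, "pwdAccountLockedTime")
    if locked_time is None:
        return False, "", ""

    # Sentinel: compare as a string, the year-0000 value cannot be parsed.
    if locked_time == PERMANENT_LOCK:
        return True, "pwdAccountLockedTime sentinel", "password administrator"

    locked_at = parse_generalized_time(locked_time)
    if lockout_duration <= 0:
        return True, "pwdAccountLockedTime set, no expiry", "password administrator"

    expires = locked_at + timedelta(seconds=lockout_duration)
    if now >= expires:
        return False, "lockout expired at " + expires.isoformat(), ""
    return True, "locked until " + expires.isoformat(), "wait or password administrator"


if __name__ == "__main__":
    # Constructed sample entries, not data from any real directory.
    now = parse_generalized_time("20090821130000Z")
    samples = {
        "ds52-admin-lock": {"nsAccountLock": ["true"]},
        "ds6-permanent": {"pwdAccountLockedTime": [PERMANENT_LOCK]},
        "ds6-timed": {"pwdAccountLockedTime": ["20090821120000Z"]},
        "clean": {},
    }
    for name, entry in samples.items():
        print(name, lock_state(entry, now, lockout_duration=1800))
```

The sentinel is matched as a raw string before any time parsing, because "000001010000Z" has no seconds field and a year of 0000, which `datetime` rejects; treating it as data rather than as a flag is the usual source of parse errors in scripts that look at this attribute.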