
How to unlock user on ApacheDS

I set up an ApacheDS with the default password policy enabled. For testing purposes I locked a simple user (objectClass=Person extended with some custom User objectClass) by entering the wrong credentials a number of times. As I expected, the user was locked (error msg: user was permanently locked).

The question now is: how to unlock the user again? Is there a better way than just deleting and adding again?

I tried the same with an extended user (objectClass=pwdPolicy) but no pwd* attributes were added when the user was locked.

Inceddy asked Sep 02 '15 09:09


3 Answers

More recently, I encountered the same problem at work. But it seems that there is no answer on the Internet. Finally, I found the answer by viewing this document:

Password Policy for LDAP Directories draft-behera-ldap-password-policy

  • At section 5.3.3: pwdAccountLockedTime

This attribute holds the time that the user's account was locked. A locked account means that the password may no longer be used to authenticate. A 000001010000Z value means that the account has been locked permanently, and that only a password administrator can unlock the account.

  • At section 5.2.12: pwdLockoutDuration

This attribute holds the number of seconds that the password cannot be used to authenticate due to too many failed bind attempts. If this attribute is not present, or if the value is 0, the password cannot be used to authenticate until reset by a password administrator.

From the above two sections, we can assume that we should connect to the ApacheDS server as the administrator (by default: uid=admin,ou=system, password=secret) and delete the user's userPassword attribute. This way, the permanently locked user can be unlocked.

I practiced this solution and it works well.

I suggest you set a value for the pwdLockoutDuration attribute; in this case the user cannot be permanently locked.

For more information:

ApacheDS password Policy

Mister answered Sep 19 '22 10:09


Use ApacheDS Studio and log in as admin, find the user, right-click and choose "Fetch->Fetch operational attributes". Now pwdAccountLockedTime is visible and you can delete it to unlock the user.

Jan Sindberg answered Sep 21 '22 10:09
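The two answers above rely on the same two facts from the draft: the special value 000001010000Z in pwdAccountLockedTime marks a permanent lock, and a pwdLockoutDuration of 0 or absent means the lock holds until an administrator clears it. The following Python script is an added example (not code from either answer, nor from ApacheDS) that reads a user's entry as LDIF text, classifies its lock state by those rules, and emits the ldapmodify change record that removes pwdAccountLockedTime, i.e. the same modification the Studio answer performs by hand. The DN, timestamps, attribute values and the `ldapsearch` invocation in the docstring are constructed or assumed, and the optional userPassword replacement is a variation on the first answer's plain delete, so that the reset account is not left without a password.

```python
"""Classify an ApacheDS account lock and build the ldapmodify record that clears it.

Added example, not code from the original post or from ApacheDS. It assumes you
have fetched the user's entry including operational attributes, for example with
  ldapsearch -H ldap://localhost:10389 -D uid=admin,ou=system -W \
      -b ou=system '(uid=testuser)' '*' '+'
and have that LDIF available as text. All sample values below are constructed.
"""
from datetime import datetime, timedelta, timezone

# draft-behera section 5.3.3: this special value means "locked until a password
# administrator resets it"; it is matched before any date parsing is attempted.
PERMANENT_LOCK = "000001010000Z"
GENERALIZED_TIME = "%Y%m%d%H%M%SZ"


def parse_ldif_entry(text):
    """Minimal parser for one LDIF entry: 'attr: value' lines, repeated attributes
    kept as lists, attribute names lower-cased (LDAP names are case-insensitive).
    Base64 ('::') and URL ('<') values are not handled; the attributes used here are plain."""
    entry = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def parse_generalized_time(value):
    """LDAP GeneralizedTime as ApacheDS writes it, e.g. 20150902090005Z (UTC)."""
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def lock_state(entry, now, lockout_duration=0):
    """Apply draft-behera sections 5.3.3 and 5.2.12 to the fetched entry.

    `lockout_duration` is the effective pwdLockoutDuration in seconds; 0 or
    absent means the lock holds until an administrator resets it.
    """
    locked = entry.get("pwdaccountlockedtime")
    if not locked:
        return "unlocked"
    if locked[0] == PERMANENT_LOCK:
        return "locked-permanently"
    if lockout_duration <= 0:
        return "locked-until-reset"
    expires = parse_generalized_time(locked[0]) + timedelta(seconds=lockout_duration)
    if now >= expires:
        return "lock-expired"  # the duration has elapsed; the next bind is accepted
    return "locked-until " + expires.strftime(GENERALIZED_TIME)


def unlock_modify_ldif(dn, new_password=None):
    """Change record for `ldapmodify -H ldap://localhost:10389 -D uid=admin,ou=system -W -f unlock.ldif`.

    Deletes pwdAccountLockedTime (what the Studio answer does by hand). If a new
    password is given it is replaced in the same modify, so the account is reset
    in one operation rather than being left with no userPassword at all.
    """
    lines = [f"dn: {dn}", "changetype: modify", "delete: pwdAccountLockedTime", "-"]
    if new_password is not None:
        lines += ["replace: userPassword", f"userPassword: {new_password}", "-"]
    return "\n".join(lines) + "\n"


# Constructed sample: a user locked under the default policy (no pwdLockoutDuration),
# as the question describes. The failure timestamps are made up.
SAMPLE_LOCKED_ENTRY = """\
dn: uid=testuser,ou=users,ou=system
objectClass: inetOrgPerson
uid: testuser
pwdFailureTime: 20150902090001Z
pwdFailureTime: 20150902090005Z
pwdAccountLockedTime: 000001010000Z
"""

if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LOCKED_ENTRY)
    now = datetime.now(timezone.utc)
    state = lock_state(entry, now)
    print("state:", state)
    if state != "unlocked":
        # Pipe this output into ldapmodify bound as the admin user.
        print(unlock_modify_ldif(entry["dn"][0]), end="")
```

Run it as-is to see the permanent-lock classification and the resulting LDIF; with a non-zero `lockout_duration` and a real timestamp in pwdAccountLockedTime it reports when the lock expires instead, which is the behaviour the first answer recommends configuring.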


The answer by Mister is perfect to unlock an account, and also if you want to set the pwdLockoutDuration for a single user (assuming the user has implemented the objectClass pwdPolicy).

There is also a global config file found in:

ou=config
  *  ads-directoryServiceId=<default>
    * ou=interceptors
       * ads-interceptorId=authenticationInterceptor
          * ou=passwordPolicies

Here we can set the default password policy:


As mine is just a test server, I have completely disabled lockout by setting ads-pwdlockout to FALSE. For more on configuring password policy, read the official docs.

benscabbia answered Sep 20 '22 10:09