How to unlock user on ApacheDS

Question

I setup an ApacheDS with default password-policy enabled. For testing proposes I locked a simple User (objectClass=Person extended with some custom User-objectClass) by entering the wrong credentials a number of times. As I expected the user was locked (error msg: user was permanently locked).

The question now is: How to unlock the user again? Is there a better way then just deleting and adding again?

I tried the same with an extended user (objectClass=pwdPolicy) but no pwd* attributes were added when the user was locked.

score 11 · Accepted Answer · edited Oct 07 '21 at 07:24

More recently, I encountered the same problem at work. But, it seems that there is no answer on Internet. Finally,I found the answer by viewing this document:

Password Policy for LDAP Directories draft-behera-ldap-password-policy

At section 5.3.3: pwdAccountLockedTime

This attribute holds the time that the user's account was locked. A
locked account means that the password may no longer be used to
authenticate. A 000001010000Z value means that the account has been
locked permanently, and that only a password administrator can unlock the account.

At section 5.2.12: pwdLockoutDuration

This attribute holds the number of seconds that the password cannot
be used to authenticate due to too many failed bind attempts. If
this attribute is not present, or if the value is 0 the password
cannot be used to authenticate until reset by a password
administrator.

Through above two section, we can assume that we should connect to ApacheDS server with administrator(by default: uid=admin,ou=system, password=secret ), and delete the user's userPassword attribute. By this way,the permanently locked user can be unlock.

I practiced this sulotion and it works well.

I suggest you should set value for pwdLockoutDuration attribute, in this case the user can not been permanently locked.

For more infomation:

ApacheDS password Policy

Thanks a lot! I'll try that. Locking the account for several minutes/hours should be enough to block brute force attack. Otherwise the user can reset the password (deleting the old one and creating a new one). — Inceddy, Dec 11 '15 at 10:32
You are right, user can reset their password. But when user under permanently locked, it can not unlock the use by reset their password with non-administrator privileges. Only through administrator. — Mister, Dec 31 '15 at 06:29
Log in as admin, find the user, right-clik and choose "Fetch->Fetch operational attributes". Now pwdAccountLockedTime is visible and you can delete it to unlocks the user. — Jan Sindberg, Jan 10 '17 at 15:35

score 8 · Answer 2 · edited Jul 01 '19 at 23:05

8

Use ApacheDS Studio and log in as admin, find the user, right-click and choose "Fetch->Fetch operational attributes". Now pwdAccountLockedTime is visible and you can delete it to unlocks the user

edited Jul 01 '19 at 23:05

TheFiddlerWins

860
5
19

answered Jan 10 '17 at 20:47

Jan Sindberg

479
6
9

score 3 · Answer 3 · answered Oct 28 '16 at 08:04

The answer by Mister's is perfect to unlock an account and if you want to set the pwdLockoutDuration for a single user (assuming the user has implemnted the objectClass pwdPolicy.

There is also a global config file found in:

ou=config
  *  ads-directoryServiceId=<default>
    * ou=interceptors
       * ads-interceptorId=authenticationInterceptor
          * ou=passwordPolicies

Here we can set the default password policy:

As mine is just a test-server, I have completely disabled lockout via setting the ads-pwdlockout to FALSE. For more on configuring password policy read the official docs.

score 0 · Answer 4 · answered Nov 24 '20 at 02:04

For reference, this is how you enable this on the server via java:

AuthenticationInterceptor authenticationInterceptor = new AuthenticationInterceptor();      
PasswordPolicyConfiguration config = new PasswordPolicyConfiguration();
config.setPwdLockout(true);
authenticationInterceptor.setPwdPolicies(config);

Client methods can then be written, to enable/disable specific accounts, similar to:

 public void disableUser(String dn) throws LdapException, UnsupportedEncodingException 
 {
   Modification disablePassword = new DefaultModification( 
   ModificationOperation.REPLACE_ATTRIBUTE, "pwdAccountLockedTime","000001010000Z" );
   connection.modify(dn,disablePassword);
 }   

 public void enableUser(String dn) throws LdapException, UnsupportedEncodingException 
 {    
   Modification disablePassword = new DefaultModification(ModificationOperation.REMOVE_ATTRIBUTE, "pwdAccountLockedTime");
   connection.modify(dn,disablePassword);
 }

How to unlock user on ApacheDS

4 Answers4

Linked