Chapter 6. Re-enabling accounts that reached the inactivity limit

If Directory Server inactivated an account because it reached the inactivity limit, an administrator can re-enable the account.

6.1. Re-enabling accounts inactivated by the Account Policy plug-in

You can re-enable accounts using the dsidm account unlock command or by manually updating the lastLoginTime attribute of the inactivated user.


Prerequisites

  • An inactivated user account.


Procedure

  • Reactivate the account using one of the following methods:

    • Using the dsidm account unlock command:

      # dsidm -D "cn=Directory Manager" ldap:// -b "dc=example,dc=com" account unlock "uid=example,ou=People,dc=example,dc=com"
    • By setting the lastLoginTime attribute of the user to a recent time stamp:

      # ldapmodify -H ldap:// -x -D "cn=Directory Manager" -W
      dn: uid=example,ou=People,dc=example,dc=com
      changetype: modify
      replace: lastLoginTime
      lastLoginTime: 20210901000000Z


Verification

  • Authenticate as the user that you have reactivated. For example, perform a search:

    # ldapsearch -H ldap:// -x -D "uid=example,ou=People,dc=example,dc=com" -W -b "dc=example,dc=com" -s base

    If the user can successfully authenticate, the account was reactivated.
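
When the lastLoginTime method is scripted, the time stamp should be generated at run time in UTC, and the DN should be checked before it is written into the LDIF. The following is an added example, not part of the original documentation; the function name reenable_ldif and the LDAP_URI variable are assumptions.

```shell
# Added example: reenable_ldif and LDAP_URI are illustrative names.
# Prints the LDIF that resets lastLoginTime for one entry.
# Usage: reenable_ldif DN [TIMESTAMP]   (TIMESTAMP defaults to now, in UTC)
reenable_ldif() (
    dn=$1
    ts=${2:-$(date -u +%Y%m%d%H%M%SZ)}
    nl='
'
    cr=$(printf '\r')

    # The DN is written into the LDIF as-is, so refuse values that would
    # change the meaning of the request: an embedded line break could add
    # further LDIF directives, and a leading space, ':' or '<' or a
    # trailing space is only valid in base64 form (not handled here).
    case $dn in
        ''|*"$nl"*|*"$cr"*|' '*|:*|'<'*|*' ')
            echo "reenable_ldif: refusing DN" >&2
            return 1 ;;
    esac

    # lastLoginTime uses GeneralizedTime in UTC: 14 digits followed by Z.
    case $ts in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]Z) ;;
        *)
            echo "reenable_ldif: invalid time stamp: $ts" >&2
            return 1 ;;
    esac

    printf 'dn: %s\n' "$dn"
    printf 'changetype: modify\n'
    printf 'replace: lastLoginTime\n'
    printf 'lastLoginTime: %s\n' "$ts"
)

# Typical use (LDAP_URI is an assumed variable holding the server URL):
#   reenable_ldif "uid=example,ou=People,dc=example,dc=com" |
#       ldapmodify -H "$LDAP_URI" -x -D "cn=Directory Manager" -W
```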