Chapter 18. Re-enabling accounts that reached the inactivity limit

If Directory Server inactivated an account because it reached the inactivity limit, an administrator can re-enable the account.

18.1. Re-enabling accounts inactivated by the Account Policy plug-in

You can re-enable accounts using the dsidm account unlock command or by manually updating the lastLoginTime attribute of the inactivated user.

Prerequisites

  • An inactivated user account.

Procedure

  • Reactivate the account using one of the following methods:

    • Using the dsidm account unlock command:

      # dsidm -D "cn=Directory Manager" ldap://server.example.com -b "dc=example,dc=com" account unlock "uid=example,ou=People,dc=example,dc=com"

    • By setting the lastLoginTime attribute of the user to a recent time stamp:

      # ldapmodify -H ldap://server.example.com -x -D "cn=Directory Manager" -W
      
      dn: uid=example,ou=People,dc=example,dc=com
      changetype: modify
      replace: lastLoginTime
      lastLoginTime: 20210901000000Z
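
The lastLoginTime method above, as an added example that is not part of the original documentation: a shell helper that builds the LDIF with the current UTC time instead of a hand-typed time stamp, and refuses values that would not be safe to write into LDIF unencoded. The function names reenable_ldif and now_generalized_time are hypothetical.

```shell
#!/bin/sh
# Added example, not a Directory Server tool: build the LDIF that resets
# lastLoginTime for one entry. Function names are hypothetical.

# Current UTC time in the YYYYmmddHHMMSSZ form used in the procedure above.
now_generalized_time() {
    date -u +%Y%m%d%H%M%SZ
}

# Usage: reenable_ldif DN [TIMESTAMP]
# Prints the LDIF on stdout; returns 1 without printing on unsafe input.
reenable_ldif() {
    dn=$1
    ts=${2:-$(now_generalized_time)}
    nl='
'
    cr=$(printf '\r')

    [ -n "$dn" ] || { echo "empty DN" >&2; return 1; }

    # A DN with an embedded line break could add extra LDIF directives
    # (for example a second change record), so reject it outright.
    case $dn in
        *"$nl"*|*"$cr"*) echo "DN contains a line break" >&2; return 1 ;;
    esac
    # LDIF values starting with space, ':' or '<' need base64 encoding;
    # this helper does not encode, so it refuses them.
    case $dn in
        " "*|:*|"<"*) echo "DN needs base64 encoding" >&2; return 1 ;;
    esac

    # The time stamp must be exactly 14 digits followed by Z.
    digits=${ts%Z}
    if [ "${#ts}" -ne 15 ] || [ "${#digits}" -ne 14 ]; then
        echo "bad time stamp: $ts" >&2; return 1
    fi
    case $digits in
        *[!0-9]*) echo "bad time stamp: $ts" >&2; return 1 ;;
    esac

    printf 'dn: %s\nchangetype: modify\nreplace: lastLoginTime\nlastLoginTime: %s\n' \
        "$dn" "$ts"
}

# Example use with the ldapmodify command from the procedure:
#   reenable_ldif "uid=example,ou=People,dc=example,dc=com" |
#       ldapmodify -H ldap://server.example.com -x -D "cn=Directory Manager" -W
```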

Verification

  • Authenticate as the user that you have reactivated. For example, perform a search:

    # ldapsearch -H ldap://server.example.com -x -D "uid=example,ou=People,dc=example,dc=com" -W -b "dc=example,dc=com" -s base

    If the user can successfully authenticate, the account was reactivated.