How to lock every account in a LDAP subtree with OUD

Guest Author
Let's assume a customer would like to lock every LDAP account in a given LDAP subtree stored in Oracle Unified Directory.

An account can be locked by setting the ds-pwp-account-disabled operational attribute to true on each account to lock. More about account lockout and password policy is available at Managing password policies.

The ds-pwp-account-disabled attribute can be assigned to a whole set of accounts using virtual attributes. Virtual attributes are attributes whose values do not exist in persistent storage but are generated dynamically.

OUD collective attributes are a means to manage virtual attributes. More about collective attributes at using-collective-attributes.

To lock every account in the ou=people,dc=example,dc=com subtree, create the following collective attribute subentry:

dn: cn=myattr,dc=example,dc=com
objectClass: top
objectClass: subentry
objectClass: collectiveAttributeSubentry
objectClass: extensibleObject
ds-pwp-account-disabled;collective: true
subtreespecification: {base "ou=people", minimum 1}
collectiveConflictBehavior: virtual-overrides-real
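As an added example (not part of the original post), the following Python models how the subtree specification above selects entries, relative to the subentry's parent, and how collectiveConflictBehavior resolves a clash with a value stored on the entry; DN handling is simplified (no escaped commas) and the uid=alice and ou=services DNs are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional


def dn_rdns(dn: str) -> list:
    """Split a DN into lower-cased RDNs; escaped commas are not handled (simplification)."""
    return [r.strip().lower() for r in dn.split(",")]


def depth_below(entry_dn: str, root_dn: str) -> Optional[int]:
    """Depth of entry_dn under root_dn (0 = the root itself), or None if outside it."""
    e, r = dn_rdns(entry_dn), dn_rdns(root_dn)
    if len(e) < len(r) or e[len(e) - len(r):] != r:
        return None
    return len(e) - len(r)


@dataclass
class CollectiveSubentry:
    dn: str                      # the subentry, e.g. cn=myattr,dc=example,dc=com
    base: str                    # subtreespecification base, relative to the subentry's parent
    minimum: int = 0             # minimum 1 excludes the base entry (ou=people) itself
    maximum: Optional[int] = None
    attrs: dict = field(default_factory=dict)   # collective attributes and their values
    conflict: str = "virtual-overrides-real"    # OUD collectiveConflictBehavior value

    def administrative_point(self) -> str:
        """Subtree specifications are evaluated relative to the subentry's superior."""
        return ",".join(self.dn.split(",")[1:])

    def applies_to(self, entry_dn: str) -> bool:
        root = f"{self.base},{self.administrative_point()}" if self.base else self.administrative_point()
        depth = depth_below(entry_dn, root)
        if depth is None or depth < self.minimum:
            return False
        return self.maximum is None or depth <= self.maximum


def effective_value(sub: CollectiveSubentry, entry_dn: str, real_attrs: dict, attr: str):
    """Value a client would read for attr: the collective value, the real value, or the winner."""
    virtual = sub.attrs.get(attr) if sub.applies_to(entry_dn) else None
    real = real_attrs.get(attr)
    if virtual is None or real is None:
        return virtual if real is None else real
    return virtual if sub.conflict == "virtual-overrides-real" else real


# The page's subentry: lock everything under ou=people, but not ou=people itself.
LOCK_PEOPLE = CollectiveSubentry(
    dn="cn=myattr,dc=example,dc=com", base="ou=people", minimum=1,
    attrs={"ds-pwp-account-disabled": "true"})
```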

Comments (2)
  • guest Thursday, May 7, 2015

    Is there a way to modify user accounts to force a password reset now?

  • Sylvain Duloutre Wednesday, May 13, 2015

    A modify of oraclaccountstatusevent=3 on the user entry sets the pwdReset attribute to true, meaning that the user must change his password on next logon.