APSForcePWChg - Set Force Password Change Flag

Advanced Password Services (APS) Guide › Utilities › APSForcePWChg - Set Force Password Change Flag

APSForcePWChg - Set Force Password Change Flag

The APSForcePWChg utility allows the setting of the smapsImmediateChange attribute in an LDAP directory for specified users.

This program accepts one or more LDAP Distinguished Names (DN's) and sets the flag for each supplied DN. The program was designed to accept either one DN per line or a standard LDIF file.

Technically, this utility is no longer needed, since the APS Blob no longer exists. However, it is useful for bulk loaders and many sites have tied in user maintenance utilities to set the flag. It is, then, provided for backwards compatibility.

The command line arguments for this utility are as follows. Command line switches are case-sensitive. The space between the command line switch and its argument is optional.

-v	Verbose mode. Additional messages will be output to the console (and can be captured using output redirection).
-n	Produce the report, but don't actually perform any updates.
-a <attr>	Blob attribute for APS ("audio" assumed). No longer used.
-h <host>	The LDAP server name or IP address. The default is 127.0.0.1, which indicates the current machine.
-p CA Portal	The LDAP server TCP port number. The default is 389, the default LDAP port.
-D <binddn>	The Administrator DN to use to log into the LDAP directory. It defaults to cn=Directory Manager.
-w <password>	The password associated with the binddn. There is no default. This value can be supplied in encrypted form, as supplied by APSEncrypt.
-H	Display usage information (help text)
-c	Continuous mode (do not stop on errors)
-f <file>	Read modifications from the specified file instead of standard input
-e <rejectfile>	Save rejected entries in rejectfile

Note the following:

Continuation lines in the input file (by starting a line with spaces) are not supported, even though they are allowed in LDIF files.
Leading and trailing spaces are not significant.
Only one DN per input line is supported.
If a colon (:) precedes the first equal sign (=) on any given line, an LDIF-style input line is assumed. If this is the case, the line is ignored unless the attribute name (before the colon) is dn (case-insensitive). This allows LDIF files to be used for input or just lists of DNs.
If an LDIF-style input file is used, only those DN's that start with uid= will be processed. This is so that a full LDIF can be used, even those containing definitions for objects other than users (only users will be processed). If your directory uses an attribute other than uid for users, then LDIF-style input cannot be used.
This program only supports LDAP directories.
This utility was originally designed to be used to set the flag for users after a Directory load. That is, when a site bulk loads users into its LDAP directory, the same LDIF file used for the bulk loading can be fed to this utility so that the Force Change password flag can be set.

At version 2.1 of APS, this utility has been modified so that the bindDN and password passed on the command line are set up for rebinding. This is a special feature of LDAP that allow this utility to support two features:
- LDAP Referrals
- LDAP communications breakdowns since the utility was started
At Version 3.0 of APS, this utility has been modified to allow user DNs to be passed on the command line itself (this is obviously a low-volume solution). If so, APSForcePWChg will not go into an input loop. This is useful when the utility is to be invoked as a subprocess to another program.