<?xml version="1.0" encoding="UTF-8"?>
<!--
 ! CCPL HEADER START
 !
 ! This work is licensed under the Creative Commons
 ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
 ! To view a copy of this license, visit
 ! http://creativecommons.org/licenses/by-nc-nd/3.0/
 ! or send a letter to Creative Commons, 444 Castro Street,
 ! Suite 900, Mountain View, California, 94041, USA.
 !
 ! You can also obtain a copy of the license at
 ! trunk/opendj3/legal-notices/CC-BY-NC-ND.txt.
 ! See the License for the specific language governing permissions
 ! and limitations under the License.
 !
 ! If applicable, add the following below this CCPL HEADER, with the fields
 ! enclosed by brackets "[]" replaced with your own identifying information:
 ! Portions Copyright [yyyy] [name of copyright owner]
 !
 ! CCPL HEADER END
 !
 ! Copyright 2011-2015 ForgeRock AS.
 !
-->
<chapter xml:id='chap-account-lockout'
 xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook
 http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'>
 <title>Implementing Account Lockout &amp; Notification</title>

 <para>OpenDJ directory server supports automatic account lockout.
 The aim of account lockout is not to punish users who mistype their
 passwords, but instead to protect the directory against attacks
 in which the attacker attempts to guess a user password, repeatedly
 attempting to bind until success is achieved.</para>

 <para>Account lockout disables a user account after a specified
 number of successive authentication failures. When you implement account
 lockout, you can opt to have OpenDJ directory server unlock the account
 again after a specified interval, or you can leave the account locked
 until the password is reset.</para>

 <note>
 <para>When you configure account lockout as part of password policy, OpenDJ
 locks an account after the specified number of consecutive authentication
 failures. Account lockout is not transactional across a replication topology,
 however. Under normal circumstances, replication nevertheless propagates
 lockout quickly. If ever replication is delayed, an attacker with direct
 access to multiple replicas could try to authenticate up to the specified
 number of times on each replica before being locked out on all replicas.</para>
 </note>

 <para>
 This chapter shows you how to set up account lockout policies by using the
 <link
 xlink:show="new"
 xlink:href="reference#dsconfig-1"
 xlink:role="http://docbook.org/xlink/role/olink"
 ><command>dsconfig</command></link> command,
 and how to intervene manually to lock and unlock accounts by using the
 <link
 xlink:show="new"
 xlink:href="reference#manage-account-1"
 xlink:role="http://docbook.org/xlink/role/olink"
 ><command>manage-account</command></link> command.
 </para>

 <section xml:id="configure-account-lockout">
 <title>Configuring Account Lockout</title>
 <indexterm><primary>Accounts</primary><secondary>Lockout</secondary></indexterm>
 <para>Account lockout is configured as part of password policy. This section
 demonstrates configuring account lockout as part of the default password
 policy. Users are allowed three consecutive failures before being locked out
 for five minutes. Failures themselves also expire after five minutes.</para>

 <para>Change the default password policy to activate lockout using the
 <command>dsconfig</command> command. As the password policy is part of
 the server configuration, you must manually apply the changes to each
 replica in a replication topology.</para>

 <screen>
$ <userinput>dsconfig \
 set-password-policy-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --policy-name "Default Password Policy" \
 --set lockout-failure-count:3 \
 --set lockout-duration:5m \
 --set lockout-failure-expiration-interval:5m \
 --trustAll \
 --no-prompt</userinput>
 </screen>

 <para>Users having the default password policy are then locked out after
 three failed attempts in succession.</para>

 <screen>
$ <userinput>ldapsearch \
 --port 1389 \
 --bindDN "uid=bjensen,ou=people,dc=example,dc=com" \
 --bindPassword hifalutin \
 --baseDN dc=example,dc=com \
 uid=bjensen \
 mail</userinput>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
mail: bjensen@example.com</computeroutput>

$ <userinput>ldapsearch \
 --port 1389 \
 --bindDN "uid=bjensen,ou=people,dc=example,dc=com" \
 --bindPassword fatfngrs \
 --baseDN dc=example,dc=com \
 uid=bjensen \
 mail</userinput>
<computeroutput>The simple bind attempt failed
Result Code: 49 (Invalid Credentials)</computeroutput>

$ <userinput>ldapsearch \
 --port 1389 \
 --bindDN "uid=bjensen,ou=people,dc=example,dc=com" \
 --bindPassword fatfngrs \
 --baseDN dc=example,dc=com \
 uid=bjensen \
 mail</userinput>
<computeroutput>The simple bind attempt failed
Result Code: 49 (Invalid Credentials)</computeroutput>

$ <userinput>ldapsearch \
 --port 1389 \
 --bindDN "uid=bjensen,ou=people,dc=example,dc=com" \
 --bindPassword fatfngrs \
 --baseDN dc=example,dc=com \
 uid=bjensen \
 mail</userinput>
<computeroutput>The simple bind attempt failed
Result Code: 49 (Invalid Credentials)</computeroutput>

$ <userinput>ldapsearch \
 --port 1389 \
 --bindDN "uid=bjensen,ou=people,dc=example,dc=com" \
 --bindPassword hifalutin \
 --baseDN dc=example,dc=com \
 uid=bjensen \
 mail</userinput>
<computeroutput>The simple bind attempt failed
Result Code: 49 (Invalid Credentials)</computeroutput>
 </screen>
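 <para>The following is an added example, not OpenDJ code: a small Python model
 of how the three properties set above interact, which replays the five bind
 attempts shown in this section without a server. The zero-value meanings it
 assumes (<literal>lockout-duration</literal> 0 keeps the account locked until
 a password reset, expiration interval 0 means failures never expire, failure
 count 0 disables lockout) follow the OpenDJ password policy reference; the
 timestamps are constructed.</para>

```python
"""Offline model of the lockout rules configured in this section.

Added example, not OpenDJ code: a state machine reproducing how
lockout-failure-count, lockout-duration and
lockout-failure-expiration-interval interact, so the five ldapsearch binds
shown above can be replayed. Times are seconds. Zero values follow the
documented OpenDJ meaning (assumption stated in the lead-in): duration 0 =
locked until reset, expiration 0 = failures never expire, count 0 = no lockout.
"""
from dataclasses import dataclass, field
from typing import List, Optional

INVALID_CREDENTIALS = 49  # LDAP result code in the ldapsearch output above
SUCCESS = 0


@dataclass
class LockoutPolicy:
    failure_count: int = 3          # lockout-failure-count
    lockout_duration: int = 300     # lockout-duration (5m)
    failure_expiration: int = 300   # lockout-failure-expiration-interval (5m)


@dataclass
class Account:
    password: str
    failure_times: List[int] = field(default_factory=list)  # cf. pwdFailureTime
    locked_at: Optional[int] = None                          # cf. pwdAccountLockedTime


def _expire_failures(acct: Account, policy: LockoutPolicy, now: int) -> None:
    """Discard failures older than the expiration interval (0 = never expire)."""
    if policy.failure_expiration > 0:
        acct.failure_times = [t for t in acct.failure_times
                              if now - t < policy.failure_expiration]


def is_locked(acct: Account, policy: LockoutPolicy, now: int) -> bool:
    """True while the lockout is in force at time `now`."""
    if acct.locked_at is None:
        return False
    if policy.lockout_duration == 0:
        return True                 # locked until reset_password()
    return now - acct.locked_at < policy.lockout_duration


def bind(acct: Account, policy: LockoutPolicy, password: str, now: int) -> int:
    """Simulate a simple bind at time `now`; returns 0 or 49 like the server."""
    if acct.locked_at is not None:
        if is_locked(acct, policy, now):
            return INVALID_CREDENTIALS   # even the right password is rejected
        acct.locked_at = None            # lockout-duration elapsed: auto-unlock
        acct.failure_times = []
    if password == acct.password:
        acct.failure_times = []          # a success clears the failure history
        return SUCCESS
    _expire_failures(acct, policy, now)
    acct.failure_times.append(now)
    if policy.failure_count > 0 and len(acct.failure_times) >= policy.failure_count:
        acct.locked_at = now
    return INVALID_CREDENTIALS


def reset_password(acct: Account, new_password: str) -> None:
    """Administrative password reset: the only way out of a 0s lockout."""
    acct.password = new_password
    acct.failure_times = []
    acct.locked_at = None


def replay_chapter_sequence() -> List[int]:
    """Replay the five ldapsearch binds shown above, ten seconds apart:
    hifalutin (ok), fatfngrs x3 (the third one locks), hifalutin (rejected)."""
    policy = LockoutPolicy()
    acct = Account(password="hifalutin")
    attempts = [(0, "hifalutin"), (10, "fatfngrs"), (20, "fatfngrs"),
                (30, "fatfngrs"), (40, "hifalutin")]
    return [bind(acct, policy, pw, t) for t, pw in attempts]


if __name__ == "__main__":
    print(replay_chapter_sequence())   # [0, 49, 49, 49, 49]
```

 <para>Running it with <literal>lockout_duration=0</literal> shows the
 "locked until the password is reset" variant described at the start of
 this chapter.</para>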
 </section>

 <section xml:id="manage-accounts">
 <title>Managing Accounts Manually</title>

 <para>This section covers disabling and enabling accounts by using the
 <command>manage-account</command> command. Password reset is covered in
 the chapter on performing LDAP operations.</para>

 <para>For the following examples, the directory admin user, Kirsten Vaughan,
 has <literal>ds-privilege-name: password-reset</literal>, and the following
 ACI on <literal>ou=People,dc=example,dc=com</literal>.</para>

 <programlisting language="aci">
(target="ldap:///ou=People,dc=example,dc=com")(targetattr="*||+")
(version 3.0; acl "Admins can run amok"; allow(all)
 groupdn="ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)
 </programlisting>

 <procedure xml:id="disable-account">
 <title>To Disable an Account</title>
 <indexterm>
 <primary>Accounts</primary>
 <secondary>Disabling</secondary>
 </indexterm>

 <step>
 <para>Set the account status to disabled with the
 <command>manage-account</command> command.</para>

 <screen>
$ <userinput>manage-account \
 set-account-is-disabled \
 --port 4444 \
 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
 --bindPassword bribery \
 --operationValue true \
 --targetDN uid=bjensen,ou=people,dc=example,dc=com \
 --trustAll</userinput>
<computeroutput>Account Is Disabled: true</computeroutput>
 </screen>
 </step>
 </procedure>

 <procedure xml:id="reactivate-account">
 <title>To Activate a Disabled Account</title>
 <indexterm>
 <primary>Accounts</primary>
 <secondary>Activating</secondary>
 </indexterm>

 <step>
 <para>Clear the disabled status using the <command>manage-account</command>
 command.</para>

 <screen>
$ <userinput>manage-account \
 clear-account-is-disabled \
 --port 4444 \
 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
 --bindPassword bribery \
 --targetDN uid=bjensen,ou=people,dc=example,dc=com \
 --trustAll</userinput>
<computeroutput>Account Is Disabled: false</computeroutput>
 </screen>
 </step>
 </procedure>
 </section>

 <section xml:id="account-status-notification">
 <title>Managing Account Status Notification</title>
 <indexterm>
 <primary>Accounts</primary>
 <secondary>Status notifications</secondary>
 </indexterm>

 <para>OpenDJ can send mail about account status changes. OpenDJ needs an
 SMTP server to send messages, and needs templates for the mail it sends.
 By default, message templates are in English, under
 <filename>/path/to/opendj/config/messages/</filename>.</para>

 <para>OpenDJ generates notifications only when OpenDJ writes to an entry or
 evaluates a user entry for authentication. OpenDJ generates account enabled
 and account disabled notifications when the user account is enabled or
 disabled with the <command>manage-account</command> command, which writes
 to the entry. OpenDJ generates password expiration notifications when a
 user tries to bind.</para>

 <para>For example, if you set up OpenDJ to send a notification about password
 expiration, that notification gets triggered when the user authenticates
 during the password expiration warning interval. OpenDJ does not
 automatically scan entries to send password expiry notifications. OpenDJ does
 implement controls that you can pass in an LDAP search to determine whether a
 user's password is about to expire. See the appendix on
 <link xlink:href="reference#appendix-controls" xlink:show="new"
 xlink:role="http://docbook.org/xlink/role/olink"><citetitle>LDAP
 Controls</citetitle></link> for a list. You can then send notifications
 based on the results of your search.</para>

 <procedure xml:id="mail-account-status-notifications">
 <title>To Mail Users About Account Status</title>

 <para>The following steps demonstrate how to set up notifications. Whether
 OpenDJ sends notifications depends on the settings in the password policy,
 and on account activity as described above.</para>

 <step>
 <para>Identify the SMTP server to which OpenDJ sends messages.</para>

 <screen>
$ <userinput>dsconfig \
 set-global-configuration-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --set smtp-server:smtp.example.com \
 --trustAll \
 --no-prompt</userinput>
 </screen>
 </step>

 <step>
 <para>Set up OpenDJ to be able to mail users about account status.</para>

 <screen>
$ <userinput>dsconfig \
 set-account-status-notification-handler-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --handler-name "SMTP Handler" \
 --set enabled:true \
 --set email-address-attribute-type:mail \
 --trustAll \
 --no-prompt</userinput>
 </screen>

 <para>Notice that OpenDJ reads the user's mail address from the attribute of
 the user's entry that is named by
 <literal>email-address-attribute-type</literal>.</para>
 <para>You can also configure the <literal>message-subject</literal> and
 <literal>message-template-file</literal> properties. Try interactive
 mode if you plan to do so.</para>
 <para>By default, the message templates are under the
 <filename>config/messages</filename> directory. You can edit the templates
 to suit your purposes.</para>
 </step>

 <step>
 <para>Adjust applicable password policies to use the account status
 notification handler you configured.</para>

 <screen>
$ <userinput>dsconfig \
 set-password-policy-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --policy-name "Default Password Policy" \
 --set account-status-notification-handler:"SMTP Handler" \
 --trustAll \
 --no-prompt</userinput>
 </screen>
 </step>
 </procedure>

 <variablelist xml:id="about-message-templates">
 <title>About Notification Message Templates</title>
 <indexterm>
 <primary>Accounts</primary>
 <secondary>Customizing notification messages</secondary>
 </indexterm>
 <para>When editing the <filename>config/messages</filename> templates
 to suit your purposes, you can use the following tokens to have OpenDJ
 update the message text dynamically.</para>
 <varlistentry>
 <term><literal>%%notification-type%%</literal></term>
 <listitem>
 <para>This token is replaced with the name of the account status
 notification type for the notification.</para>
 </listitem>
 </varlistentry>
 <varlistentry>
 <term><literal>%%notification-message%%</literal></term>
 <listitem>
 <para>This token is replaced with the message for the account status
 notification.</para>
 </listitem>
 </varlistentry>
 <varlistentry>
 <term><literal>%%notification-user-dn%%</literal></term>
 <listitem>
 <para>This token is replaced with the string representation of the DN for
 the user that is the target of the account status notification.</para>
 </listitem>
 </varlistentry>
 <varlistentry>
 <term><literal>%%notification-user-attr:<replaceable>attrname</replaceable>%%</literal></term>
 <listitem>
 <para>This token is replaced with the value of the attribute specified by
 <replaceable>attrname</replaceable> from the user's entry. If the
 specified attribute has multiple values, then OpenDJ uses the first value
 encountered. If the specified attribute does not have any values, then
 OpenDJ replaces it with an empty string.</para>
 </listitem>
 </varlistentry>
 <varlistentry>
 <term><literal>%%notification-property:<replaceable>propname</replaceable>%%</literal></term>
 <listitem>
 <para>This token is replaced with the value of the specified notification
 property from the account status notification. If the specified property
 has multiple values, then OpenDJ uses the first value encountered. If the
 specified property does not have any values, then OpenDJ replaces it with
 an empty string. Valid <replaceable>propname</replaceable> values include
 the following.</para>
 <itemizedlist>
 <listitem><para><literal>account-unlock-time</literal></para></listitem>
 <listitem><para><literal>new-password</literal></para></listitem>
 <listitem><para><literal>old-password</literal></para></listitem>
 <listitem><para><literal>password-expiration-time</literal></para></listitem>
 <listitem><para><literal>password-policy-dn</literal></para></listitem>
 <listitem><para><literal>seconds-until-expiration</literal></para></listitem>
 <listitem><para><literal>seconds-until-unlock</literal></para></listitem>
 <listitem><para><literal>time-until-expiration</literal></para></listitem>
 <listitem><para><literal>time-until-unlock</literal></para></listitem>
 </itemizedlist>
 </listitem>
 </varlistentry>
 </variablelist>
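 <para>The following is an added example, not OpenDJ's own template engine: a
 Python preview renderer that applies the substitution rules listed above
 (first value of a multi-valued attribute or property, empty string when there
 is none) to a constructed template and a constructed notification, and a
 lint function that flags tokens the list does not define. The notification
 type name and all attribute and property values in it are sample data.</para>

```python
"""Preview renderer for the %%...%% notification template tokens listed above.

Added example, not OpenDJ code: applies the substitution rules the list
describes (first value wins for multi-valued attributes and properties; a
missing value becomes the empty string) so an edited config/messages file
can be checked before it goes live. Sample template and notification below
are constructed.
"""
import re
from typing import Dict, List

TOKEN = re.compile(r"%%([a-z-]+)(?::([^%]+))?%%")

SIMPLE_TOKENS = {"notification-type", "notification-message", "notification-user-dn"}

# Valid propname values for %%notification-property:propname%% (from the list above)
VALID_PROPERTIES = {
    "account-unlock-time", "new-password", "old-password",
    "password-expiration-time", "password-policy-dn",
    "seconds-until-expiration", "seconds-until-unlock",
    "time-until-expiration", "time-until-unlock",
}


def _first(values: List[str]) -> str:
    """First value encountered, or the empty string if there are none."""
    return values[0] if values else ""


def lint_template(template: str) -> List[str]:
    """Return the body of every token that is not one the list above defines."""
    bad = []
    for m in TOKEN.finditer(template):
        name, arg = m.group(1), m.group(2)
        ok = ((name in SIMPLE_TOKENS and arg is None)
              or (name == "notification-user-attr" and arg is not None)
              or (name == "notification-property" and arg in VALID_PROPERTIES))
        if not ok:
            bad.append(name if arg is None else f"{name}:{arg}")
    return bad


def render_template(template: str, notification: Dict) -> str:
    """Substitute tokens. `notification` carries 'type', 'message', 'user_dn',
    'user_attrs' (attribute -> list of values) and 'properties' (name -> list)."""
    # LDAP attribute type names are case-insensitive, so normalise the keys.
    attrs = {k.lower(): v for k, v in notification["user_attrs"].items()}
    props = notification["properties"]

    def substitute(m: "re.Match") -> str:
        name, arg = m.group(1), m.group(2)
        if name == "notification-type" and arg is None:
            return notification["type"]
        if name == "notification-message" and arg is None:
            return notification["message"]
        if name == "notification-user-dn" and arg is None:
            return notification["user_dn"]
        if name == "notification-user-attr" and arg is not None:
            return _first(attrs.get(arg.lower(), []))
        if name == "notification-property" and arg in VALID_PROPERTIES:
            return _first(props.get(arg, []))
        return m.group(0)   # unknown token: left untouched so it stays visible

    return TOKEN.sub(substitute, template)


# Constructed sample template in the style of the config/messages files.
SAMPLE_TEMPLATE = (
    "Subject: %%notification-type%% for %%notification-user-attr:cn%%\n"
    "\n"
    "%%notification-message%%\n"
    "Account: %%notification-user-dn%%\n"
    "You can try again in %%notification-property:seconds-until-unlock%% seconds.\n"
    "Contact phone on file: %%notification-user-attr:telephoneNumber%%\n"
)

# Constructed sample notification for a temporary lockout of bjensen.
SAMPLE_NOTIFICATION = {
    "type": "account-temporarily-locked",
    "message": "Your account has been temporarily locked after too many failed logins.",
    "user_dn": "uid=bjensen,ou=People,dc=example,dc=com",
    "user_attrs": {"cn": ["Barbara Jensen", "Babs Jensen"],   # multi-valued: first wins
                   "mail": ["bjensen@example.com"]},         # no telephoneNumber
    "properties": {"seconds-until-unlock": ["300"],
                   "account-unlock-time": ["20150601120500Z"]},
}


def render_sample() -> str:
    """Render the constructed template against the constructed notification."""
    return render_template(SAMPLE_TEMPLATE, SAMPLE_NOTIFICATION)


if __name__ == "__main__":
    print(render_sample())
```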
 </section>
</chapter>