chap-account-lockout.xml revision 51607ea01068c9047391e4c8b46bc9dbd0edb7fd
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! CCPL HEADER START
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! This work is licensed under the Creative Commons
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! To view a copy of this license, visit
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! or send a letter to Creative Commons, 444 Castro Street,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! Suite 900, Mountain View, California, 94041, USA.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! You can also obtain a copy of the license at
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! See the License for the specific language governing permissions
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! and limitations under the License.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! If applicable, add the following below this CCPL HEADER, with the fields
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! enclosed by brackets "[]" replaced with your own identifying information:
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! Portions Copyright [yyyy] [name of copyright owner]
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! CCPL HEADER END
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! Copyright 2011-2013 ForgeRock AS
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <title>Implementing Account Lockout & Notification</title>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>OpenDJ directory server supports automatic account lockout.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark The aim of account lockout is not to punish users who mistype their
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark passwords, but instead to protect the directory against attacks
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark in which the attacker attempts to guess a user password, repeatedly
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark attempting to bind until success is achieved.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Account lockout disables a user account after a specified
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark number of successive authentication failures. When you implement account
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark lockout, you can opt to have OpenDJ directory server unlock the account
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark again after a specified interval, or you can leave the account locked
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark until the password is reset.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>When you configure account lockout as part of password policy, OpenDJ
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark locks an account after the specified number of consecutive authentication
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark failures. Account lockout is not transactional across a replication topology,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark however. Under normal circumstances, replication nevertheless propagates
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark lockout quickly. If ever replication is delayed, an attacker with direct
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark access to multiple replicas could try to authenticate up to the specified
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark number of times on each replica before being locked out on all replicas.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>This chapter shows you how to set up account lockout policies,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark and how to intervene manually to lock and unlock accounts.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <indexterm><primary>Accounts</primary><secondary>Lockout</secondary></indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Account lockout is configured as part of password policy. This section
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark demonstrates configuring account lockout as part of the default password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark policy. Users are allowed three consecutive failures before being locked out
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark for five minutes. Failures themselves also expire after five minutes.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Change the default password policy to activate lockout using the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <command>dsconfig</command> command. As the password policy is part of
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the server configuration, you must manually apply the changes to each
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark replica in a replication topology.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ dsconfig
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark set-password-policy-prop
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 4444
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --hostname `hostname`
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "cn=Directory Manager"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --policy-name "Default Password Policy"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set lockout-failure-count:3
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set lockout-duration:5m
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set lockout-failure-expiration-interval:5m
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --trustAll
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --no-prompt</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Users having the default password policy are then locked out after
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark three failed attempts in succession.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ ldapsearch
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 1389
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "uid=bjensen,ou=people,dc=example,dc=com"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword hifalutin
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --baseDN dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark uid=bjensen
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkdn: uid=bjensen,ou=People,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkmail: bjensen@example.com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark$ ldapsearch
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 1389
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "uid=bjensen,ou=people,dc=example,dc=com"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword fatfngrs
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --baseDN dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark uid=bjensen
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkThe simple bind attempt failed
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkResult Code: 49 (Invalid Credentials)
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark$ ldapsearch
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 1389
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "uid=bjensen,ou=people,dc=example,dc=com"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword fatfngrs
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --baseDN dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark uid=bjensen
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkThe simple bind attempt failed
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkResult Code: 49 (Invalid Credentials)
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark$ ldapsearch
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 1389
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "uid=bjensen,ou=people,dc=example,dc=com"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword fatfngrs
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --baseDN dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark uid=bjensen
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkThe simple bind attempt failed
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkResult Code: 49 (Invalid Credentials)
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark$ ldapsearch
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 1389
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "uid=bjensen,ou=people,dc=example,dc=com"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword hifalutin
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --baseDN dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark uid=bjensen
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkThe simple bind attempt failed
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkResult Code: 49 (Invalid Credentials)</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </section>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>This section covers disabling and enabling accounts by using the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <command>manage-account</command> command. Password reset is covered in
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the chapter on performing LDAP operations.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>For the following examples, the directory admin user, Kirsten Vaughan,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark has <literal>ds-privilege-name: password-reset</literal>, and the following
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ACI on <literal>ou=People,dc=example,dc=com</literal>.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literallayout class="monospaced">(target="ldap:///ou=People,dc=example,dc=com") (targetattr ="*||+")(
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkversion 3.0;acl "Admins can run amok"; allow(all) groupdn =
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark"ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)</literallayout>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <indexterm><primary>Accounts</primary><secondary>Disabling</secondary></indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Set the account status to disabled with the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ manage-account
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark set-account-is-disabled
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 4444
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "uid=kvaughan,ou=people,dc=example,dc=com"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword bribery
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --operationValue true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --targetDN uid=bjensen,ou=people,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --trustAll
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkAccount Is Disabled: true</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </procedure>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <indexterm><primary>Accounts</primary><secondary>Activating</secondary></indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Clear the disabled status using the <command>manage-account</command>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark command.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ manage-account
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark clear-account-is-disabled
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 4444
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "uid=kvaughan,ou=people,dc=example,dc=com"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword bribery
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --targetDN uid=bjensen,ou=people,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --trustAll
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkAccount Is Disabled: false</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </procedure>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </section>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>OpenDJ can send mail about account status changes. OpenDJ needs an
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark SMTP server to send messages, and needs templates for the mail it sends.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark By default, message templates are in English, under
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <filename>/path/to/opendj/config/messages/</filename>.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>OpenDJ generates notifications only when OpenDJ writes to an entry or
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark evaluates a user entry for authentication. OpenDJ generates account enabled
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark and account disabled notifications when the user account is enabled or
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark disabled with the <command>manage-account</command> command, which writes
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark to the entry. OpenDJ generates password expiration notifications when a
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark user tries to bind.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>For example, if you set up OpenDJ to send a notification about password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark expiration, that notification gets triggered when the user authenticates
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark during the password expiration warning interval. OpenDJ does not
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark automatically scan entries to send password expiry notifications. OpenDJ does
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark implement controls that you can pass in an LDAP search to determine whether a
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark user's password is about to expire. See the appendix on
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark xlink:role="http://docbook.org/xlink/role/olink"><citetitle>LDAP
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark Controls</citetitle></link> for a list. You can send notifications then
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark based on the results of your search.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The following steps demonstrate how to set up notifications. Whether
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark OpenDJ sends notifications depends on the settings in the password policy,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark and on account activity as described above.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Identify the SMTP server to which OpenDJ sends messages.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ dsconfig
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark set-global-configuration-prop
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 4444
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --hostname `hostname`
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "cn=Directory Manager"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set smtp-server:smtp.example.com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --trustAll
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --no-prompt</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Set up OpenDJ to be able to mail users about account status.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ dsconfig
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark set-account-status-notification-handler-prop
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 4444
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --hostname `hostname`
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "cn=Directory Manager"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --handler-name "SMTP Handler"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set enabled:true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set email-address-attribute-type:mail
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --trustAll
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --no-prompt</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Notice that OpenDJ finds the user's mail address on the attribute
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark on the user's entry, specified by
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>email-address-attribute-type</literal>.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>You can also configure the <literal>message-subject</literal> and
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>message-template-file</literal> properties. Try interactive
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark mode if you plan to do so.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>You find templates for messages by default under the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <filename>config/messages</filename> directory. You can edit the templates
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark to suit your purposes.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Adjust applicable password policies to use the account status
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark notification handler you configured.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <screen>$ dsconfig
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark set-password-policy-prop
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --port 4444
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --hostname `hostname`
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindDN "cn=Directory Manager"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --policy-name "Default Password Policy"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --set account-status-notification-handler:"SMTP Handler"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --trustAll
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --no-prompt</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </procedure>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <secondary>Customizing notification messages</secondary>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>When editing the <filename>config/messages</filename> templates
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark to suit your purposes, you can use the following tokens to have OpenDJ
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark update the message text dynamically.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>This token is replaced with the name of the account status
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark notification type for the notification.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>%%notification-message%%</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>This token is replaced with the message for the account status
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark notification.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>%%notification-user-dn%%</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>This token is replaced with the string representation of the DN for
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the user that is the target of the account status notification.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>%%notification-user-attr:<replaceable>attrname</replaceable>%%</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>This token is replaced with the value of the attribute specified by
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <replaceable>attrname</replaceable> from the user's entry. If the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark specified attribute has multiple values, then OpenDJ uses the first value
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark encountered. If the specified attribute does not have any values, then
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark OpenDJ replaces it with an emtpy string.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><literal>%%notification-property:<replaceable>propname</replaceable>%%</literal></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>This token is replaced with the value of the specified notification
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark property from the account status notification. If the specified property
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark has multiple values, then OpenDJ uses the first value encountered. If the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark specified property does not have any values, then OpenDJ replaces it with
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark an emtpy string. Valid <replaceable>propname</replaceable> values include
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the following.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <itemizedlist>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem><para><literal>account-unlock-time</literal></para></listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem><para><literal>new-password</literal></para></listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem><para><literal>old-password</literal></para></listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem><para><literal>password-expiration-time</literal></para></listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem><para><literal>password-policy-dn</literal></para></listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem><para><literal>seconds-until-expiration</literal></para></listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem><para><literal>seconds-until-unlock</literal></para></listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem><para><literal>time-until-expiration</literal></para></listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem><para><literal>time-until-unlock</literal></para></listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </itemizedlist>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </variablelist>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </section>