PingDirectory

Setting up email invitations for a new user

About this task

To set up email invitations for a new user:

Steps

  1. Set up PingFederate for local identity profile management.

    For more information, see Configuring user self-service.

    When you complete this task, the PingFederate configuration has a local identity profile.

  2. Configure Delegated Admin profile management by users.

    For more information, see Configuring user self-service.

    When you complete this task, users whom the Delegated Admin creates have the pf-connected-identities auxiliary object class and a pf-connected-identity attribute value, which provide integration with PingFederate’s user self-service.

  3. Instruct users to copy the email template to PingDirectory Server.

  4. Create request criteria to match Delegated Admin user ADD requests.

  5. Edit the provided email template and insert the URL to the PingFederate self-service profile management endpoint.

  6. Create an SMTP external server.

    For more information, see Creating an SMTP external server.

  7. Create a multi-part email account status notification handler for Delegated Admin user ADD requests.

Editing and copying the email template to the PingDirectory server

About this task

An example email template is provided in the Delegated Admin package at the top level in the file delegated-admin-account-created.template. This template provides a multi-part text and HTML email to the user with their user name and initial password along with a self-service link they can use to sign on to PingFederate and change their password and profile information.

Steps

  1. Edit the template:

    1. Uncomment the line that sets the value for profile_management_url.

    2. Change the value of profile_management_url to the externally accessible URL of the profile management endpoint of your PingFederate local identity profile.

  2. Copy the template file to the config/account-status-notification-email-templates folder of each instance of the PingDirectory server.

    By default, the email is sent to the address within the user’s LDAP mail attribute.

    You must provide a mail value for each user. For more information, see common-header-fields.vm in the email templates folder.

Next steps

For more information about the email format and further customization, see the README file in the templates folder.

Creating request criteria to match Delegated Admin user ADD requests

Steps

  • For each user resource type for which new user email invites will be sent, create simple request criteria to match the parent DN and object classes for the resource type.

    The setup script includes request criteria for the user resource type that it creates.

    Example:

    $ dsconfig create-request-criteria --criteria-name \
    "Delegated Admin User Creation Request Criteria" --type simple \
    --set operation-type:add --set \
    "included-target-entry-dn:ou=people,dc=example,dc=com" \
    --set "any-included-target-entry-filter:(objectClass=inetOrgPerson)" \
    --set "included-application-name:PingDirectory Delegated Admin"

    The included-application-name property ensures that the criteria matches users whom the Delegated Admin created, but not users created through another interface, such as the Directory REST API. This application name value is visible in the LDAP access log for operations that the Delegated Admin HTTP servlet invokes.
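    As an added illustration (not part of the PingDirectory documentation), the following Python models how these three properties narrow the set of ADD requests that produce an invitation email. Treating included-target-entry-dn as matching entries at or below that DN is an assumption, and all sample requests are constructed.

```python
# Added example (not from the PingDirectory docs): a model of how the simple
# request criteria on this page decide which ADD requests trigger the
# "account created" email. The "at or below the DN" rule for
# included-target-entry-dn is an assumption; all requests below are constructed.
from dataclasses import dataclass
from typing import List, Optional

def normalize_dn(dn: str) -> List[str]:
    """Split a DN into lowercased RDN components, ignoring spaces around commas."""
    return [part.strip().lower() for part in dn.split(",")]

def is_at_or_below(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn equals base_dn or lies beneath it in the directory tree."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base

@dataclass
class AddRequest:
    target_dn: str
    object_classes: List[str]
    application_name: Optional[str]  # None when the client sent no application name

@dataclass
class SimpleRequestCriteria:
    """Mirrors the --set values in the page's dsconfig create-request-criteria call."""
    included_target_entry_dn: str = "ou=people,dc=example,dc=com"
    required_object_class: str = "inetOrgPerson"  # the (objectClass=inetOrgPerson) filter
    included_application_name: str = "PingDirectory Delegated Admin"

    def matches(self, req: AddRequest) -> bool:
        # operation-type:add is implied: only ADD requests are modelled here.
        classes = {oc.lower() for oc in req.object_classes}
        return (is_at_or_below(req.target_dn, self.included_target_entry_dn)
                and self.required_object_class.lower() in classes
                and req.application_name == self.included_application_name)

DA = "PingDirectory Delegated Admin"
SAMPLE_REQUESTS = {  # constructed ADD requests, keyed by their origin
    "delegated-admin-user": AddRequest("uid=jdoe,ou=people,dc=example,dc=com",
                                       ["top", "person", "inetOrgPerson"], DA),
    "delegated-admin-nested-user": AddRequest(
        "uid=bwong,ou=contractors,ou=people,dc=example,dc=com", ["top", "inetOrgPerson"], DA),
    "rest-api-user": AddRequest("uid=asmith,ou=people,dc=example,dc=com",
                                ["top", "person", "inetOrgPerson"], None),
    "delegated-admin-group": AddRequest("cn=staff,ou=groups,dc=example,dc=com",
                                        ["top", "groupOfNames"], DA),
}

def requests_that_trigger_email(criteria: Optional[SimpleRequestCriteria] = None) -> List[str]:
    """Labels of the sample requests the criteria match, i.e. the ones that get an email."""
    criteria = criteria or SimpleRequestCriteria()
    return [label for label, req in SAMPLE_REQUESTS.items() if criteria.matches(req)]
```

    Only the two Delegated Admin user creations under ou=people match; the REST API creation is excluded by the application name and the group by both its parent DN and its object class.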

Creating an SMTP external server

About this task

To send emails:

Steps

  • Configure a PingDirectory server with an SMTP server in the global configuration.

    Example:

    $ dsconfig create-external-server --server-name \
    "SMTP Server" --type smtp --set server-host-name:smtp.example.com \
    --set user-name:example-smtp-user --set password:example-smtp-password
    $ dsconfig set-global-configuration-prop --set \
    "smtp-server:SMTP Server"

Creating a multi-part Email Account Status notification handler for Delegated Admin user ADD requests

You must set an Email Account Status notification handler in the password policy that is in force for new users. This policy is typically the default password policy.

About this task

The notification handler references the email template in the config/account-status-notification-email-templates folder.

The setup script creates an example notification handler in a disabled state. This handler cannot be enabled until an SMTP server becomes available in the global configuration.

Steps

  1. Create or enable the handler:

    Choose from:

    • To create the handler from scratch, use the dsconfig create-account-status-notification-handler command.

      $ dsconfig create-account-status-notification-handler \
      --handler-name "Delegated Admin Email Account Status \
      Notification Handler" --type multi-part-email --set \
      enabled:true --set \
      "account-creation-notification-request-criteria:Delegated \
      Admin User Creation Request Criteria" --set \
      account-created-message-template:config/account-status-\
      notification-email-templates/delegated-admin-account-created.template

    • To enable the handler that is provided with the setup script, use the dsconfig set-account-status-notification-handler-prop command.

      $ dsconfig set-account-status-notification-handler-prop \
      --handler-name "Delegated Admin Email Account Status Notification \
      Handler" --set enabled:true

  2. Set the handler in the password policy.

    Example:

    $ dsconfig set-password-policy-prop \
    --policy-name "Default Password Policy" --set \
    "account-status-notification-handler:Delegated Admin Email Account \
    Status Notification Handler"