The following account status notification types are available.
- account-temporarily-locked -- A user's account has been temporarily locked due to too many failed authentication attempts. The account will remain locked until a configured length of time elapses, or until the password is reset by an administrator.
- account-permanently-locked -- A user's account has been permanently locked due to too many failed authentication attempts. The account will remain locked until the password is reset by an administrator.
- account-idle-locked -- An authentication attempt failed
because it has been too long (longer than the
idle-lockout-interval
configured in the associated password policy) since the user last successfully authenticated to the server. The account will remain locked until the password is reset by an administrator. - account-reset-locked -- An authentication attempt failed
because the user's account was in a "must change password" state following an
administrative password reset, but the user did not choose a new password in a
timely manner (within the
max-password-reset-age
duration configured in the associated password policy). The account will remain locked until the password is reset again by an administrator. - account-unlocked -- A locked user account has been unlocked (for example, by an administrative password reset).
- account-disabled -- A user's account has been
administratively disabled (by setting the
ds-pwp-account-disabled
operational attribute totrue
in the user entry). The user will not be allowed to authenticate until this attribute is removed or its value is set tofalse
. - account-enabled -- A user's account has been
administratively enabled (by setting the
ds-pwp-account-disabled
operational attribute tofalse
in the user entry, or by removing this attribute from the entry). - account-not-yet-active -- An authentication attempt failed
because the user account is configured with an activation time (via the
ds-pwp-account-activation-time
operational attribute in the user's entry) that is in the future. The user will not be allowed to authenticate until this time arrives, until the activation time is removed, or until the activation time is set to a time in the past. - account-expired -- An authentication attempt failed because
the user account is configured with an expiration time (via the
ds-pwp-account-expiration-time
operational attribute in the user's entry) that is in the past. The user will not be allowed to authenticate until the expiration time is removed or set to a time in the future. - password-expired -- An authentication attempt failed
because the user's password has expired. The user will not be allowed to
authenticate until their password is reset by an administrator (or until they
change their own password if
allow-expired-password-changes
is set totrue
in the associated password policy). - password-expiring -- The user successfully authenticated,
but their password will expire in the near future (as determined by the
password-expiration-warning-interval
setting in the associated password policy). This notification type will only be generated the first time that a user authenticated within a given warning interval. - password-reset -- A user's password has been reset by an administrator.
- password-changed -- A user changed their own password.
- account-created -- A new account was created in an add
request that matches the criteria specified in the
account-creation-notification-request-criteria
property of the account status notification handler configuration. - account-updated -- An existing account was updated in a
modify or modify DN request that matches the criteria specified in the
account-update-notification-request-criteria
property of the account status notification handler configuration.