The following account status notification types are available.

  • account-temporarily-locked -- A user's account has been temporarily locked due to too many failed authentication attempts. The account will remain locked until a configured length of time elapses, or until the password is reset by an administrator.
  • account-permanently-locked -- A user's account has been permanently locked due to too many failed authentication attempts. The account will remain locked until the password is reset by an administrator.
  • account-idle-locked -- An authentication attempt failed because it has been too long (longer than the idle-lockout-interval configured in the associated password policy) since the user last successfully authenticated to the server. The account will remain locked until the password is reset by an administrator.
  • account-reset-locked -- An authentication attempt failed because the user's account was in a "must change password" state following an administrative password reset, but the user did not choose a new password in a timely manner (within the max-password-reset-age duration configured in the associated password policy). The account will remain locked until the password is reset again by an administrator.
  • account-unlocked -- A locked user account has been unlocked (for example, by an administrative password reset).
  • account-disabled -- A user's account has been administratively disabled (by setting the ds-pwp-account-disabled operational attribute to true in the user entry). The user will not be allowed to authenticate until this attribute is removed or its value is set to false.
  • account-enabled -- A user's account has been administratively enabled (by setting the ds-pwp-account-disabled operational attribute to false in the user entry, or by removing this attribute from the entry).
  • account-not-yet-active -- An authentication attempt failed because the user account is configured with an activation time (via the ds-pwp-account-activation-time operational attribute in the user's entry) that is in the future. The user will not be allowed to authenticate until this time arrives, until the activation time is removed, or until the activation time is set to a time in the past.
  • account-expired -- An authentication attempt failed because the user account is configured with an expiration time (via the ds-pwp-account-expiration-time operational attribute in the user's entry) that is in the past. The user will not be allowed to authenticate until the expiration time is removed or set to a time in the future.
  • password-expired -- An authentication attempt failed because the user's password has expired. The user will not be allowed to authenticate until their password is reset by an administrator (or until they change their own password if allow-expired-password-changes is set to true in the associated password policy).
  • password-expiring -- The user successfully authenticated, but their password will expire in the near future (as determined by the password-expiration-warning-interval setting in the associated password policy). This notification type will only be generated the first time that a user authenticates within a given warning interval.
  • password-reset -- A user's password has been reset by an administrator.
  • password-changed -- A user changed their own password.
  • account-created -- A new account was created in an add request that matches the criteria specified in the account-creation-notification-request-criteria property of the account status notification handler configuration.
  • account-updated -- An existing account was updated in a modify or modify DN request that matches the criteria specified in the account-update-notification-request-criteria property of the account status notification handler configuration.
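
As an added example (not code from the server or its documentation), the attribute- and time-based conditions described above can be evaluated offline against exported entries to predict which notification type a failed authentication attempt would produce. The generalized-time value format, the order of the checks, and the last-login and reset-time keys are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone

def parse_gt(value):
    """Parse a UTC generalized-time string such as 20250101000000Z (assumed format)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def auth_blocker(entry, policy, now):
    """Return the notification type describing why an authentication attempt
    at `now` would fail, or None if none of these conditions apply.
    The check order is an assumption made for this example."""
    if entry.get("ds-pwp-account-disabled", "false").lower() == "true":
        return "account-disabled"
    activation = entry.get("ds-pwp-account-activation-time")
    if activation and parse_gt(activation) > now:
        return "account-not-yet-active"
    expiration = entry.get("ds-pwp-account-expiration-time")
    if expiration and parse_gt(expiration) < now:
        return "account-expired"
    # Hypothetical keys: time of last successful authentication and of a
    # pending administrative reset (the page does not name these attributes).
    last_login = entry.get("last-login")
    idle = policy.get("idle-lockout-interval")
    if last_login and idle and now - parse_gt(last_login) > idle:
        return "account-idle-locked"
    reset_at = entry.get("reset-time")
    max_age = policy.get("max-password-reset-age")
    if reset_at and max_age and now - parse_gt(reset_at) > max_age:
        return "account-reset-locked"
    return None

def audit(entries, policy, now):
    """Map each entry DN to its predicted notification type (or None)."""
    return {dn: auth_blocker(e, policy, now) for dn, e in entries.items()}

# Constructed sample data, not taken from a real directory.
NOW = datetime(2025, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
POLICY = {"idle-lockout-interval": timedelta(days=90),
          "max-password-reset-age": timedelta(hours=8)}
ENTRIES = {
    "uid=alice": {"ds-pwp-account-disabled": "true"},
    "uid=bob": {"ds-pwp-account-activation-time": "20250701000000Z"},
    "uid=carol": {"ds-pwp-account-expiration-time": "20250101000000Z"},
    "uid=dave": {"last-login": "20250101000000Z"},
    "uid=erin": {"last-login": "20250601000000Z", "reset-time": "20250601010000Z"},
    "uid=frank": {"ds-pwp-account-disabled": "false", "last-login": "20250530000000Z"},
}

if __name__ == "__main__":
    for dn, reason in audit(ENTRIES, POLICY, NOW).items():
        print(f"{dn:12} {reason or 'ok'}")
```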