Admin Alert Account Status Notification Handler

Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.

Admin Alert Account Status Notification Handlers provide a way to raise administrative alerts in response to a desired set of account status notification events.

These administrative alerts can be used to identify noteworthy events that affect user accounts, and especially accounts for users that are high-value targets, like server administrators. For example, this handler can be used to notify administrators whenever a root user's password is updated or if their account is locked (or an alternative lockout action is taken) as a result of too many failed attempts.

This account status notification handler will only have any effect if it is added to one or more password policies. If it is added to a password policy, then administrative alerts will be generated any time a relevant event occurs for any account subject to that password policy.


Parent Component

The Admin Alert Account Status Notification Handler component inherits from the Account Status Notification Handler.

Properties

The properties supported by this managed object are as follows:


Basic Properties:
 description
 enabled
 asynchronous
 account-authentication-notification-result-criteria
 account-creation-notification-request-criteria
 account-deletion-notification-request-criteria
 account-update-notification-request-criteria
 account-status-notification-type

Advanced Properties:
 None

Basic Properties

description

Description
A description for this Account Status Notification Handler
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

enabled

Description
Indicates whether the Account Status Notification Handler is enabled. Only enabled handlers are invoked whenever a related event occurs in the server.
Default Value
None
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

asynchronous

Description
Indicates whether the server should attempt to invoke this Account Status Notification Handler in a background thread so that any potentially-expensive processing (e.g., performing network communication to deliver a message) will not delay processing for the operation that triggered the notification.
Default Value
true
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

account-authentication-notification-result-criteria

Description
A result criteria object that identifies which successful bind operations should result in account authentication notifications for this handler. If this is not defined, then account authentication notifications will not be processed by this account status notification handler. If it is defined, then account authentication notifications will only be handled for successful bind operations that match the provided criteria.
Default Value
Account authentication notifications will not be processed by this account status notification handler.
Allowed Values
The DN of any Result Criteria.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

account-creation-notification-request-criteria

Description
A request criteria object that identifies which add requests should result in account creation notifications for this handler. If this is not defined, then account creation notifications will not be processed by this account status notification handler. If it is defined, then account creation notifications will only be handled for add requests that match the provided criteria.
Default Value
Account creation notifications will not be processed by this account status notification handler.
Allowed Values
The DN of any Request Criteria.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

account-deletion-notification-request-criteria

Description
A request criteria object that identifies which delete requests should result in account deletion notifications for this handler. If this is not defined, then account deletion notifications will not be processed by this account status notification handler. If it is defined, then account deletion notifications will only be handled for delete requests that match the provided criteria.
Default Value
Account deletion notifications will not be processed by this account status notification handler.
Allowed Values
The DN of any Request Criteria.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

account-update-notification-request-criteria

Description
A request criteria object that identifies which modify and modify DN requests should result in account update notifications for this handler. If this is not defined, then account update notifications will not be processed by this account status notification handler. If it is defined, then account update notifications will only be handled for modify and modify DN requests that match the provided criteria.
Default Value
Account update notifications will not be processed by this account status notification handler.
Allowed Values
The DN of any Request Criteria.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

account-status-notification-type

Description
The types of account status notifications that should result in administrative alerts.
Default Value
None
Allowed Values
account-temporarily-locked - Generate an administrative alert whenever a user's account is temporarily locked (or an alternative lockout action is taken) as a result of too many failed authentication attempts.

account-permanently-locked - Generate an administrative alert whenever a user's account is permanently locked (or an alternative lockout action is taken) as a result of too many failed authentication attempts.

account-unlocked - Generate an administrative alert whenever a locked account has been unlocked by an administrator.

account-idle-locked - Generate an administrative alert whenever a user fails to authenticate because too much time had elapsed since they last successfully authenticated.

account-reset-locked - Generate an administrative alert whenever a user fails to authenticate because they were required to choose a new password after an administrative reset but did not do so within the required interval.

account-disabled - Generate an administrative alert whenever an account is disabled by an administrator.

account-enabled - Generate an administrative alert whenever an account is enabled by an administrator.

account-not-yet-active - Generate an administrative alert whenever a user fails to authenticate because their account has an activation time that is in the future.

account-expired - Generate an administrative alert whenever a user fails to authenticate because their account has an expiration time that is in the past.

password-expired - Generate an administrative alert whenever a user fails to authenticate because their password is expired.

password-expiring - Generate an administrative alert whenever a user is first notified of an upcoming password expiration.

password-reset - Generate an administrative alert whenever a user's password is reset by an administrator.

password-changed - Generate an administrative alert whenever a user changes their own password.

account-authenticated - Generate a notification whenever an account successfully authenticates with a bind operation that matches a specified set of criteria.

account-created - Generate a notification whenever a new account is created in an add operation that matches a specified set of criteria.

account-deleted - Generate a notification whenever an account is removed in a delete operation that matches a specified set of criteria.

account-updated - Generate a notification whenever an account is updated in a modify or modify DN operation that matches a specified set of criteria.

bind-password-failed-validation - Generate an administrative alert whenever a user fails to authenticate because their password did not satisfy all of the configured password validators.

must-change-password - Generate an administrative alert whenever a user successfully authenticates to the server but will be required to choose a new password before they will be allowed to perform any other operations.
Multi-Valued
Yes
Required
Yes
Admin Action Required
None. Modification requires no further action


dsconfig Usage

To list the configured Account Status Notification Handlers:

dsconfig list-account-status-notification-handlers
     [--property {propertyName}] ...

To view the configuration for an existing Account Status Notification Handler:

dsconfig get-account-status-notification-handler-prop
     --handler-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Account Status Notification Handler:

dsconfig set-account-status-notification-handler-prop
     --handler-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new Admin Alert Account Status Notification Handler:

dsconfig create-account-status-notification-handler
     --handler-name {name}
     --type admin-alert
     --set enabled:{propertyValue}
     --set account-status-notification-type:{propertyValue}
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Account Status Notification Handler:

dsconfig delete-account-status-notification-handler
     --handler-name {name}
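
Added example (not part of the product documentation): a shell helper that checks a planned handler against the rules above, namely the allowed account-status-notification-type values and the criteria property that the account-authenticated, account-created, account-deleted and account-updated types each depend on, then prints the dsconfig commands without contacting a server. The handler and policy names are constructed, and the set-password-policy-prop subcommand and the account-status-notification-handler password policy property are assumptions taken from the password policy configuration, which this page does not show.

```shell
# Added example: prints dsconfig commands only; it never contacts a server.
# Types that are only processed when the matching criteria property is set.
criteria_property_for() {
  case "$1" in
    account-authenticated) echo account-authentication-notification-result-criteria ;;
    account-created)       echo account-creation-notification-request-criteria ;;
    account-deleted)       echo account-deletion-notification-request-criteria ;;
    account-updated)       echo account-update-notification-request-criteria ;;
  esac
}

# Allowed values of account-status-notification-type, as listed on this page.
is_valid_type() {
  case "$1" in
    account-temporarily-locked|account-permanently-locked|account-unlocked|\
    account-idle-locked|account-reset-locked|account-disabled|account-enabled|\
    account-not-yet-active|account-expired|password-expired|password-expiring|\
    password-reset|password-changed|account-authenticated|account-created|\
    account-deleted|account-updated|bind-password-failed-validation|\
    must-change-password) return 0 ;;
  esac
  return 1
}

# usage: plan_handler NAME POLICY "type1 type2 ..." [criteria-property:value ...]
plan_handler() {
  name=$1; policy=$2; types=$3; shift 3
  [ -n "$types" ] || { echo "account-status-notification-type is required" >&2; return 2; }
  cmd="dsconfig create-account-status-notification-handler --handler-name \"$name\""
  cmd="$cmd --type admin-alert --set enabled:true"
  for t in $types; do
    is_valid_type "$t" || { echo "unknown notification type: $t" >&2; return 2; }
    need=$(criteria_property_for "$t"); found=no
    for kv in "$@"; do
      case "$kv" in "$need":?*) found=yes ;; esac
    done
    if [ -n "$need" ] && [ "$found" = no ]; then
      echo "$t would never fire: $need is not set" >&2; return 3
    fi
    cmd="$cmd --set account-status-notification-type:$t"
  done
  for kv in "$@"; do cmd="$cmd --set \"$kv\""; done
  printf '%s\n' "$cmd"
  # Assumed password policy property; without this step the handler has no effect.
  printf 'dsconfig set-password-policy-prop --policy-name "%s" --add "account-status-notification-handler:%s"\n' "$policy" "$name"
}

# Constructed sample: lockout and password-change alerts for a hypothetical policy.
plan_handler "Root Account Alerts" "Root Password Policy" \
  "account-temporarily-locked account-permanently-locked password-reset password-changed"
```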