3.5 Configuring the Password Expiration Notification Job

The Password Expiration Notification job searches an LDAP directory for objects whose passwords expire in a specified number of days. When an object that meets the criteria is discovered, the job sends an e-mail to the address contained in the object’s mail LDAP attribute.

  1. Make sure you’ve already added the job to the driver set. If you haven’t, see Section 2.0, Adding a Predefined Job.

  2. On the General page, configure the following options:

    Enable Job: Leave this option selected unless you don’t want the job to run.

    Delete the Job After it Runs Once: Select this option if you want the job to run one time only and then be deleted.

    Servers: Select the servers where you want the job to run. Multiple servers are available only if the driver is running on multiple servers.

    Email Server: To monitor the job, you (or others) can receive e-mail notifications whenever certain results occur for the job. You configure e-mail notification on the Results page. However, to enable this e-mail notification to work, you must first specify the e-mail server that will be used to send the notifications. Click the button to locate and select the Default Notification Collection object or any other notfTemplateCollection object that defines an SMTP mail server.

    Display Name: Displays the name assigned to the job.

    Description: Displays the description assigned to the job.

  3. On the Schedule page, specify when you want the job to run:

    Run on a Schedule: Runs the job on a daily, weekly, monthly, or yearly schedule. You can also specify a custom schedule; use the crontab standard when specifying a custom schedule. The default schedule checks every minute to see if the job is running. If the job is not running, it is started.

    Run Manually: Runs the job only when you initiate it through the Run Now option (see Section 5.0, Starting a Job).

  4. Ignore the Scope page; it does not apply to this job.

  5. On the Parameters page, fill in the following fields:

    LDAP Connection: Use the following fields to specify the information required to connect to the LDAP directory.

    • LDAP Host: Specify the IP address or DNS name of the LDAP server.

    • Use SSL/TLS: Select True if the LDAP connection is secured with SSL/TLS, then set the following options:

      • LDAP Port: Specify the port number that LDAP uses to make a connection. If Use SSL/TLS is set to False, the default value is 389. If Use SSL/TLS is set to True, the default value is 636.

      • SSL/TLS Provider: Specify whether the SSL/TLS provider is Novell Secure Transport Layer (NTLS) or Java Secure Socket Extension (JSSE). If you select NTLS, you must provide the name of a KMO object to create the secure connection. If you select JSSE, you must provide a keystore pair of certificates to create the secure connection.

    • LDAP Authentication Type: Select whether the LDAP connection is an anonymous connection or an authenticated connection. If you select Authenticated, you must provide the username and password of the object that authenticates to the Identity Vault.

    LDAP Search: Use the following fields to specify the information used when sending the expiration notification e-mail to users:

    • Days Until Password expires: Specify how many days before a password expires the job sends users an e-mail informing them that their password is expiring. By default, the job sends an e-mail to the users 30 days, 15 days, 5 days, and 1 day before their passwords expire.

    • Search Base: Specify the DN of the container where the job performs its search. The default value for the Resource Kit is ou=users,o=company,dc=data.

    • Object Class: Specify the LDAP object class to search. The default is inetOrgPerson.

    Notification Email: Use the following fields to specify the information used to create the expiration notification e-mail, receivers of the e-mail, and other e-mail settings.

    • Notification Email Template: Specify the name of the template used to create the expiration notification e-mail. The default is the Password Expiration Notification template in the Default Notification Collection object.

    • User Name Attribute: Specify the LDAP attribute used to add the username into the notification template.

    • From: Specify the e-mail address used to populate the e-mail’s From field.

    • Show Advanced Options: Select True to display the advanced options, or select False to hide the advanced options. The advanced options are:

      • Reply to: Specify the e-mail address that appears in the Reply to field.

      • Admin BCC: Specify an administrator to blind copy on the notification e-mail.

      • Character encoding: Specify the desired character encoding.

      • Custom SMTP headers: Specify a custom SMTP header if desired.

  6. On the Results page, define the actions you want performed based on the results for the job.

    Each time the job runs, it generates Intermediate results and a Final result. The possible results are Success, Warning, Error, and Aborted. Intermediate results are generated at various points throughout the job. The Final result is generated when the job is finished. For each result, you can specify the action you want performed when it occurs: 1) generate an event for Novell Audit or Novell Sentinel and 2) generate an e-mail notification. For example, you might want no action to occur for an Intermediate Success result and an e-mail notification to be sent for an Intermediate Error result.

    To define an action for a result:

    1. Click the No action link next to the result to display the Result Notification dialog box.

    2. Select Audit result if you want to generate an event for Novell Audit or Novell Sentinel.

      Select Send email, then fill in the recipient and e-mail template information.

    3. Click OK to save your changes.

  7. When you have finished configuring the job, click OK to save your changes.

    The job is added to the job list.

  8. Select the job in the list (by selecting the check box next to the job name), then click Get Status.

    The Job Status dialog box displays any configuration errors. Because the job requires rights to the driver object and those rights have not yet been granted, you see an Insufficient rights to driver object error.

  9. Click Grant rights, then click OK to confirm the action.

  10. If other errors are displayed, resolve the errors. Otherwise, click Close to close the Job Status dialog box.
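
As an added illustration of the LDAP Search parameters in step 5 (not Novell's code and not the job's actual implementation), the following Python example works out which objects fall on a notification day and which would be missed because they have no mail value. The attribute name passwordExpirationTime, the filter shape, and the sample entries are assumptions constructed for the example.

```python
from datetime import date, datetime, timedelta, timezone

NOTIFY_DAYS = (30, 15, 5, 1)            # default "Days Until Password expires"
EXPIRY_ATTR = "passwordExpirationTime"  # assumption: attribute not named on the page
GT = "%Y%m%d%H%M%SZ"                    # LDAP GeneralizedTime in UTC

def day_filter(today, days, object_class="inetOrgPerson"):
    """LDAP filter matching objects whose password expires `days` days after `today`."""
    start = datetime(today.year, today.month, today.day, tzinfo=timezone.utc)
    start += timedelta(days=days)
    end = start + timedelta(days=1, seconds=-1)
    return (f"(&(objectClass={object_class})"
            f"({EXPIRY_ATTR}>={start.strftime(GT)})"
            f"({EXPIRY_ATTR}<={end.strftime(GT)}))")

def due_notifications(entries, today, notify_days=NOTIFY_DAYS):
    """Return (to_send, skipped): (mail, days) pairs, and DNs that are due but have no mail."""
    to_send, skipped = [], []
    for entry in entries:
        raw = entry.get(EXPIRY_ATTR)
        if not raw:
            continue                      # no expiration time set on this object
        expires = datetime.strptime(raw, GT).date()
        days = (expires - today).days
        if days not in notify_days:
            continue                      # not one of the configured notification days
        if entry.get("mail"):
            to_send.append((entry["mail"], days))
        else:
            skipped.append(entry["dn"])   # nowhere to send the notice
    return to_send, skipped

# Constructed sample data under the Resource Kit default search base.
TODAY = date(2024, 3, 1)
BASE = "ou=users,o=company,dc=data"
ENTRIES = [
    {"dn": f"cn=alice,{BASE}", "mail": "alice@example.com", EXPIRY_ATTR: "20240331080000Z"},
    {"dn": f"cn=bob,{BASE}", EXPIRY_ATTR: "20240316235959Z"},
    {"dn": f"cn=carol,{BASE}", "mail": "carol@example.com", EXPIRY_ATTR: "20240310000000Z"},
    {"dn": f"cn=dave,{BASE}", "mail": "dave@example.com", EXPIRY_ATTR: "20240302120000Z"},
    {"dn": f"cn=svc,{BASE}", "mail": "svc@example.com"},
]

if __name__ == "__main__":
    print(day_filter(TODAY, 5))
    print(due_notifications(ENTRIES, TODAY))
```

The skipped list is the part worth reviewing before relying on the job: those accounts reach a notification day with no address to notify.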