The
is an account status notification handler that listens to two kinds of changes:
password change and password reset.
The changes are either immediately sent to OpenIDM or first stored locally and sent
later to OpenIDM at the provided interval.
The communication with OpenIDM is done through HTTP or HTTPS, with optional
SSL client authentication.
ds-cfg-openidm-account-status-notification-handler
ds-cfg-account-status-notification-handler
org.forgerock.openidm.accountchange.OpenidmAccountStatusNotificationHandler
Specifies the interval at which password update notifications are sent.
If this value is 0, then updates are sent synchronously.
If this value is strictly greater than zero, then updates are first stored locally,
then sent asynchronously by a background thread.
0 seconds
ds-cfg-update-interval
Specifies the log file location where the changed passwords are
written when the plug-in cannot contact OpenIDM.
The default location is the logs directory of the server
instance, using the file name "pwsync".
Passwords in this file will be encrypted.
logs/pwsync
.*
FILE
A path to an existing directory that is readable and writable by the server.
ds-cfg-log-file
Specifies the attribute type used to hold user passwords in JSON returned to OpenIDM.
This attribute type must be defined in the managed object schema in OpenIDM,
and it must have either the user password or auth password syntax.
password
.*
STRING
OpenIDM managed object attribute name.
ds-cfg-attribute
Specifies the query-id for the patch-by-query request.
This must match the query ID defined in the managed object service in OpenIDM.
for-userName
.*
STRING
OpenIDM managed object query ID.
ds-cfg-query-id
Specifies the attribute types that this plug-in will send along with
the password change.
Zero or more attribute types can be specified.
If no attribute types are specified, only the DN and the new
password of the user will be synchronized to OpenIDM.
ds-cfg-attribute-type
Specifies the URL of the OpenIDM endpoint.
The URL can be either HTTP or HTTPS.
.*
URL
OpenIDM sync service URL.
ds-cfg-openidm-url
Specifies OpenIDM Compatibility Mode.
V3
Use version 3 OpenIDM Compatibility Mode.
Use version 2 OpenIDM Compatibility Mode.
ds-cfg-openidm-compat-mode
Specifies the SSL certificate nickname, which is the alias under which the
client certificate is stored in the keystore. It must be provided to
activate SSL client authentication when requesting OpenIDM.
The SSL certificate nickname is necessary to ensure that the appropriate client certificate
is retrieved from the keystore when SSL client authentication is required and
multiple certificates are present in the keystore.
ds-cfg-ssl-cert-nickname
Specifies the username to use for HTTP Basic Authentication.
The username must be provided when SSL client authentication is not activated,
i.e. when no ssl-cert-nickname is provided.
ds-cfg-openidm-username
Specifies the password to use for HTTP Basic Authentication.
The password must be provided when SSL client authentication is not activated,
i.e. when no ssl-cert-nickname is provided.
ds-cfg-openidm-password
Specifies the alias of the private key that should be used by OpenIDM
to decrypt the encrypted JSON content of the requests.
The encryption of the JSON content sent to OpenIDM requires this alias.
openidm-localhost
ds-cfg-private-key-alias
Specifies the subject DN of the certificate used by OpenIDM.
The subject DN is used to retrieve the OpenIDM certificate
in the truststore. This certificate's public key is necessary
to encrypt the JSON content sent to OpenIDM.
ds-cfg-certificate-subject-dn
Specifies the name of the key manager that should be used with
this .
It must be provided when ssl-cert-nickname is provided, and must
contain a certificate corresponding to the nickname.
Changes to this property take effect immediately, but
only for subsequent attempts to access the key manager
provider for associated client connections.
The referenced key manager provider must be enabled.
ds-cfg-key-manager-provider
Specifies the name of the trust manager that should be used with
the .
It must contain the OpenIDM certificate whose subject DN equals
the certificate-subject-dn property.
Changes to this property take effect immediately, but
only for subsequent attempts to access the trust manager
provider for associated client connections.
The referenced trust manager provider must be enabled.
ds-cfg-trust-manager-provider
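The following LDIF is an added example, not configuration shipped with OpenDJ or OpenIDM. It shows how the properties above fit together in a handler entry for each of the two authentication modes the text describes: SSL client authentication (ssl-cert-nickname plus a key manager provider) and HTTP Basic Authentication (username and password, no nickname). The attribute names are the ds-cfg-* names listed on this page; the container DN under cn=config, the cn values, the OpenIDM host and URL path, the certificate subject DN, the key and trust manager provider DNs, and the generic ds-cfg-enabled and ds-cfg-java-class attributes are assumptions for illustration and must be adapted to the target deployment.

```ldif
# Added example (not the product's own configuration).
# Assumed: the container DN, cn values, OpenIDM host/path, subject DN,
# and the key/trust manager provider DNs.

# Mode 1: HTTPS with SSL client authentication, asynchronous delivery every
# 5 seconds, two extra attributes sent with each password change, and the
# JSON payload encrypted for OpenIDM (certificate-subject-dn / private-key-alias).
dn: cn=OpenIDM Password Sync (mTLS),cn=Account Status Notification Handlers,cn=config
objectClass: top
objectClass: ds-cfg-account-status-notification-handler
objectClass: ds-cfg-openidm-account-status-notification-handler
cn: OpenIDM Password Sync (mTLS)
ds-cfg-java-class: org.forgerock.openidm.accountchange.OpenidmAccountStatusNotificationHandler
ds-cfg-enabled: true
ds-cfg-openidm-url: https://openidm.example.com:8444/openidm/managed/user
ds-cfg-openidm-compat-mode: V3
ds-cfg-update-interval: 5 seconds
ds-cfg-log-file: logs/pwsync
ds-cfg-attribute: password
ds-cfg-query-id: for-userName
ds-cfg-attribute-type: mail
ds-cfg-attribute-type: sn
ds-cfg-ssl-cert-nickname: opendj-to-openidm
ds-cfg-key-manager-provider: cn=JKS,cn=Key Manager Providers,cn=config
ds-cfg-trust-manager-provider: cn=JKS,cn=Trust Manager Providers,cn=config
ds-cfg-certificate-subject-dn: CN=openidm.example.com, O=Example Org
ds-cfg-private-key-alias: openidm-localhost

# Mode 2: HTTPS with HTTP Basic Authentication, synchronous delivery
# (update-interval 0). No ssl-cert-nickname, so username and password are
# required and no key manager provider is needed; the trust manager provider
# still supplies the OpenIDM certificate used to encrypt the JSON payload.
dn: cn=OpenIDM Password Sync (Basic),cn=Account Status Notification Handlers,cn=config
objectClass: top
objectClass: ds-cfg-account-status-notification-handler
objectClass: ds-cfg-openidm-account-status-notification-handler
cn: OpenIDM Password Sync (Basic)
ds-cfg-java-class: org.forgerock.openidm.accountchange.OpenidmAccountStatusNotificationHandler
ds-cfg-enabled: false
ds-cfg-openidm-url: https://openidm.example.com:8444/openidm/managed/user
ds-cfg-openidm-compat-mode: V3
ds-cfg-update-interval: 0 seconds
ds-cfg-log-file: logs/pwsync
ds-cfg-attribute: password
ds-cfg-query-id: for-userName
ds-cfg-openidm-username: opendj-sync
ds-cfg-openidm-password: CHANGE-ME-placeholder
ds-cfg-trust-manager-provider: cn=JKS,cn=Trust Manager Providers,cn=config
ds-cfg-certificate-subject-dn: CN=openidm.example.com, O=Example Org
ds-cfg-private-key-alias: openidm-localhost
```

Only one of the two entries should be enabled for a given OpenIDM endpoint, which is why the second is shown with ds-cfg-enabled set to false. In both variants the trust manager provider must hold the certificate whose subject DN matches ds-cfg-certificate-subject-dn, since that certificate's public key encrypts the JSON sent to OpenIDM, and OpenIDM decrypts it with the key named by ds-cfg-private-key-alias. With a non-zero update-interval, changes that cannot be delivered are written encrypted to the file named by ds-cfg-log-file and retried by the background thread.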