001/*
002 * The contents of this file are subject to the terms of the Common Development and
003 * Distribution License (the License). You may not use this file except in compliance with the
004 * License.
005 *
006 * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
007 * specific language governing permission and limitations under the License.
008 *
009 * When distributing Covered Software, include this CDDL Header Notice in each file and include
010 * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
011 * Header, with the fields enclosed by brackets [] replaced by your own identifying
012 * information: "Portions Copyright [year] [name of copyright owner]".
013 *
014 * Copyright 2008 Sun Microsystems, Inc.
015 */
016package org.forgerock.opendj.server.config.client;
017
018
019
020import java.util.Collection;
021import java.util.SortedSet;
022import org.forgerock.opendj.config.ManagedObjectDefinition;
023import org.forgerock.opendj.config.PropertyException;
024import org.forgerock.opendj.ldap.schema.AttributeType;
025import org.forgerock.opendj.server.config.meta.PasswordPolicyCfgDefn.StateUpdateFailurePolicy;
026import org.forgerock.opendj.server.config.server.PasswordPolicyCfg;
027
028
029
030/**
031 * A client-side interface for reading and modifying Password Policy
032 * settings.
033 * <p>
034 * Password Policies define a number of password management rules, as
035 * well as requirements for authentication processing.
036 */
037public interface PasswordPolicyCfgClient extends AuthenticationPolicyCfgClient {
038
039  /**
040   * Get the configuration definition associated with this Password Policy.
041   *
042   * @return Returns the configuration definition associated with this Password Policy.
043   */
044  ManagedObjectDefinition<? extends PasswordPolicyCfgClient, ? extends PasswordPolicyCfg> definition();
045
046
047
048  /**
049   * Gets the "account-status-notification-handler" property.
050   * <p>
051   * Specifies the names of the account status notification handlers that are used with the
052   * associated password storage scheme (NOTE(review): presumably "password policy" is meant).
053   *
054   * @return Returns the values of the "account-status-notification-handler" property.
055   */
056  SortedSet<String> getAccountStatusNotificationHandler();
057
058
059
060  /**
061   * Sets the "account-status-notification-handler" property.
062   * <p>
063   * Specifies the names of the account status notification handlers that are used with the
064   * associated password storage scheme (NOTE(review): presumably "password policy" is meant).
065   *
066   * @param values The values of the "account-status-notification-handler" property.
067   * @throws PropertyException
068   *           If one or more of the new values are invalid.
069   */
070  void setAccountStatusNotificationHandler(Collection<String> values) throws PropertyException;
071
072
073
074  /**
075   * Gets the "allow-expired-password-changes" property.
076   * <p>
077   * Indicates whether a user whose password is expired is still allowed to change that password
078   * using the password modify extended operation. Security note: when enabled, expiry alone does
079   * not retire the credential; presumably the expired password still authorises the change.
080   *
081   * @return Returns the value of the "allow-expired-password-changes" property.
082   */
083  boolean isAllowExpiredPasswordChanges();
084
085
086
087  /**
088   * Sets the "allow-expired-password-changes" property.
089   * <p>
090   * Indicates whether a user whose password is expired is still allowed to change that password
091   * using the password modify extended operation. Security note: when enabled, expiry alone does
092   * not retire the credential; presumably the expired password still authorises the change.
093   *
094   * @param value The value of the "allow-expired-password-changes" property.
095   * @throws PropertyException
096   *           If the new value is invalid.
097   */
098  void setAllowExpiredPasswordChanges(Boolean value) throws PropertyException;
099
100
101
102  /**
103   * Gets the "allow-multiple-password-values" property.
104   * <p>
105   * Indicates whether user entries can have multiple distinct values for the password attribute.
106   * <p>
107   * This is potentially dangerous because many mechanisms used to change the password do not work
108   * well with such a configuration. If multiple password values are allowed, then any of them can
109   * be used to authenticate, and they are all subject to the same policy constraints.
110   * <p>
111   * Security note: because every stored value is accepted as a credential, replacing or removing
112   * one value leaves the remaining values usable until they too are removed.
113   *
114   * @return Returns the value of the "allow-multiple-password-values" property.
115   */
116  boolean isAllowMultiplePasswordValues();
117
118
119
120  /**
121   * Sets the "allow-multiple-password-values" property.
122   * <p>
123   * Indicates whether user entries can have multiple distinct values for the password attribute.
124   * <p>
125   * This is potentially dangerous because many mechanisms used to change the password do not work
126   * well with such a configuration. If multiple password values are allowed, then any of them can
127   * be used to authenticate, and they are all subject to the same policy constraints.
128   * <p>
129   * Security note: because every stored value is accepted as a credential, replacing or removing
130   * one value leaves the remaining values usable until they too are removed.
131   *
132   * @param value The value of the "allow-multiple-password-values" property.
133   * @throws PropertyException
134   *           If the new value is invalid.
135   */
136  void setAllowMultiplePasswordValues(Boolean value) throws PropertyException;
137
138
139
140  /**
141   * Gets the "allow-pre-encoded-passwords" property.
142   * <p>
143   * Indicates whether users can change their passwords by providing a pre-encoded value.
144   * <p>
145   * This can cause a security risk because the clear-text version of the password is not known
146   * and therefore validation checks cannot be applied to it. A pre-encoded value presumably also
147   * keeps the encoding chosen by the client instead of the default password storage scheme
148   * (NOTE(review): confirm), so enabling it can weaken both controls.
149   *
150   * @return Returns the value of the "allow-pre-encoded-passwords" property.
151   */
152  boolean isAllowPreEncodedPasswords();
153
154
155
156  /**
157   * Sets the "allow-pre-encoded-passwords" property.
158   * <p>
159   * Indicates whether users can change their passwords by providing a pre-encoded value.
160   * <p>
161   * This can cause a security risk because the clear-text version of the password is not known
162   * and therefore validation checks cannot be applied to it. A pre-encoded value presumably also
163   * keeps the encoding chosen by the client instead of the default password storage scheme
164   * (NOTE(review): confirm), so enabling it can weaken both controls.
165   *
166   * @param value The value of the "allow-pre-encoded-passwords" property.
167   * @throws PropertyException
168   *           If the new value is invalid.
169   */
170  void setAllowPreEncodedPasswords(Boolean value) throws PropertyException;
171
172
173
174  /**
175   * Gets the "allow-user-password-changes" property.
176   * <p>
177   * Indicates whether users can change their own passwords.
178   * <p>
179   * This check is made in addition to access control evaluation. Both
180   * must allow the password change for it to occur.
181   *
182   * @return Returns the value of the "allow-user-password-changes" property.
183   */
184  boolean isAllowUserPasswordChanges();
185
186
187
188  /**
189   * Sets the "allow-user-password-changes" property.
190   * <p>
191   * Indicates whether users can change their own passwords.
192   * <p>
193   * This check is made in addition to access control evaluation. Both
194   * must allow the password change for it to occur.
195   *
196   * @param value The value of the "allow-user-password-changes" property.
197   * @throws PropertyException
198   *           If the new value is invalid.
199   */
200  void setAllowUserPasswordChanges(Boolean value) throws PropertyException;
201
202
203
204  /**
205   * Gets the "default-password-storage-scheme" property.
206   * <p>
207   * Specifies the names of the password storage schemes that are used to encode clear-text
208   * passwords for this password policy. NOTE(review): if several schemes are listed, presumably a
209   * value is stored per scheme and the weakest one bounds protection at rest; confirm.
210   * @return Returns the values of the "default-password-storage-scheme" property.
211   */
212  SortedSet<String> getDefaultPasswordStorageScheme();
213
214
215
216  /**
217   * Sets the "default-password-storage-scheme" property.
218   * <p>
219   * Specifies the names of the password storage schemes that are used to encode clear-text
220   * passwords for this password policy. NOTE(review): if several schemes are listed, presumably a
221   * value is stored per scheme and the weakest one bounds protection at rest; confirm.
222   * @param values The values of the "default-password-storage-scheme" property.
223   * @throws PropertyException
224   *           If one or more of the new values are invalid.
225   */
226  void setDefaultPasswordStorageScheme(Collection<String> values) throws PropertyException;
227
228
229
230  /**
231   * Gets the "deprecated-password-storage-scheme" property.
232   * <p>
233   * Specifies the names of the password storage schemes that are considered deprecated for this
234   * password policy.
235   * <p>
236   * If a user with this password policy authenticates to the server and their password is encoded
237   * with a deprecated scheme, those values are removed and replaced with values encoded using the
238   * default password storage scheme(s). Security note: re-encoding is triggered by authentication,
239   * so entries for accounts that never authenticate keep the deprecated encoding.
240   *
241   * @return Returns the values of the "deprecated-password-storage-scheme" property.
242   */
243  SortedSet<String> getDeprecatedPasswordStorageScheme();
244
245
246
247  /**
248   * Sets the "deprecated-password-storage-scheme" property.
249   * <p>
250   * Specifies the names of the password storage schemes that are considered deprecated for this
251   * password policy.
252   * <p>
253   * If a user with this password policy authenticates to the server and their password is encoded
254   * with a deprecated scheme, those values are removed and replaced with values encoded using the
255   * default password storage scheme(s). Security note: re-encoding is triggered by authentication,
256   * so entries for accounts that never authenticate keep the deprecated encoding.
257   *
258   * @param values The values of the "deprecated-password-storage-scheme" property.
259   * @throws PropertyException
260   *           If one or more of the new values are invalid.
261   */
262  void setDeprecatedPasswordStorageScheme(Collection<String> values) throws PropertyException;
263
264
265
266  /**
267   * Gets the "expire-passwords-without-warning" property.
268   * <p>
269   * Indicates whether the directory server allows a user's password to expire even if that user
270   * has never seen an expiration warning notification.
271   * <p>
272   * If this property is true, accounts always expire when the expiration time arrives. If this
273   * property is false or disabled, the user always receives at least one warning notification,
274   * and the password expiration is set to the warning time plus the warning interval.
275   * <p>
276   * Security note: when false, a password can therefore stay valid past the configured maximum
277   * age, until the user has been warned and the warning interval has then elapsed.
278   *
279   * @return Returns the value of the "expire-passwords-without-warning" property.
280   */
281  boolean isExpirePasswordsWithoutWarning();
282
283
284
285  /**
286   * Sets the "expire-passwords-without-warning" property.
287   * <p>
288   * Indicates whether the directory server allows a user's password to expire even if that user
289   * has never seen an expiration warning notification.
290   * <p>
291   * If this property is true, accounts always expire when the expiration time arrives. If this
292   * property is false or disabled, the user always receives at least one warning notification,
293   * and the password expiration is set to the warning time plus the warning interval.
294   * <p>
295   * Security note: when false, a password can therefore stay valid past the configured maximum
296   * age, until the user has been warned and the warning interval has then elapsed.
297   *
298   * @param value The value of the "expire-passwords-without-warning" property.
299   * @throws PropertyException
300   *           If the new value is invalid.
301   */
302  void setExpirePasswordsWithoutWarning(Boolean value) throws PropertyException;
303
304
305
306  /**
307   * Gets the "force-change-on-add" property.
308   * <p>
309   * Indicates whether users are forced to change their passwords upon
310   * first authenticating to the directory server after their account
311   * has been created.
312   *
313   * @return Returns the value of the "force-change-on-add" property.
314   */
315  boolean isForceChangeOnAdd();
316
317
318
319  /**
320   * Sets the "force-change-on-add" property.
321   * <p>
322   * Indicates whether users are forced to change their passwords upon
323   * first authenticating to the directory server after their account
324   * has been created.
325   *
326   * @param value The value of the "force-change-on-add" property.
327   * @throws PropertyException
328   *           If the new value is invalid.
329   */
330  void setForceChangeOnAdd(Boolean value) throws PropertyException;
331
332
333
334  /**
335   * Gets the "force-change-on-reset" property.
336   * <p>
337   * Indicates whether users are forced to change their passwords if they are reset by an
338   * administrator.
339   * <p>
340   * For this purpose, anyone with permission to change a given user's password other than that
341   * user is considered an administrator. Security note: when false, a password chosen by someone
342   * other than the user can remain that user's credential until it is changed or expires.
343   * @return Returns the value of the "force-change-on-reset" property.
344   */
345  boolean isForceChangeOnReset();
346
347
348
349  /**
350   * Sets the "force-change-on-reset" property.
351   * <p>
352   * Indicates whether users are forced to change their passwords if they are reset by an
353   * administrator.
354   * <p>
355   * For this purpose, anyone with permission to change a given user's password other than that
356   * user is considered an administrator. Security note: when false, a password chosen by someone
357   * other than the user can remain that user's credential until it is changed or expires.
358   * @param value The value of the "force-change-on-reset" property.
359   * @throws PropertyException
360   *           If the new value is invalid.
361   */
362  void setForceChangeOnReset(Boolean value) throws PropertyException;
363
364
365
366  /**
367   * Gets the "grace-login-count" property.
368   * <p>
369   * Specifies the number of grace logins that a user is allowed after the account has expired to
370   * allow that user to choose a new password (NOTE(review): presumably the password's expiry).
371   * <p>
372   * A value of 0 indicates that no grace logins are allowed. Security note: each grace login is an
373   * authentication accepted after expiry, so a larger count extends the credential's useful life.
374   *
375   * @return Returns the value of the "grace-login-count" property.
376   */
377  int getGraceLoginCount();
378
379
380
381  /**
382   * Sets the "grace-login-count" property.
383   * <p>
384   * Specifies the number of grace logins that a user is allowed after the account has expired to
385   * allow that user to choose a new password (NOTE(review): presumably the password's expiry).
386   * <p>
387   * A value of 0 indicates that no grace logins are allowed. Security note: each grace login is an
388   * authentication accepted after expiry, so a larger count extends the credential's useful life.
389   *
390   * @param value The value of the "grace-login-count" property.
391   * @throws PropertyException
392   *           If the new value is invalid.
393   */
394  void setGraceLoginCount(Integer value) throws PropertyException;
395
396
397
398  /**
399   * Gets the "idle-lockout-interval" property.
400   * <p>
401   * Specifies the maximum length of time that an account may remain idle (that is, the associated
402   * user does not authenticate to the server) before that user is locked out.
403   * <p>
404   * The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days,
405   * or weeks. A value of 0 seconds indicates that idle accounts are not automatically locked out.
406   * This feature is available only if the last login time is maintained.
407   * <p>
408   * Security note: with 0, or when no last login time is maintained, accounts are never locked out
409   * for inactivity. NOTE(review): the unit of the returned {@code long} is not stated here; confirm.
410   *
411   * @return Returns the value of the "idle-lockout-interval" property.
412   */
413  long getIdleLockoutInterval();
414
415
416
417  /**
418   * Sets the "idle-lockout-interval" property.
419   * <p>
420   * Specifies the maximum length of time that an account may remain idle (that is, the associated
421   * user does not authenticate to the server) before that user is locked out.
422   * <p>
423   * The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days,
424   * or weeks. A value of 0 seconds indicates that idle accounts are not automatically locked out.
425   * This feature is available only if the last login time is maintained.
426   * <p>
427   * Security note: with 0, or when no last login time is maintained, accounts are never locked out
428   * for inactivity. NOTE(review): the unit expected for the {@code Long} is not stated here; confirm.
429   *
430   * @param value The value of the "idle-lockout-interval" property.
431   * @throws PropertyException
432   *           If the new value is invalid.
433   */
434  void setIdleLockoutInterval(Long value) throws PropertyException;
435
436
437
438  /**
439   * Gets the "java-class" property.
440   * <p>
441   * Specifies the fully-qualified name of the Java class which
442   * provides the Password Policy implementation.
443   *
444   * @return Returns the value of the "java-class" property.
445   */
446  String getJavaClass();
447
448
449
450  /**
451   * Sets the "java-class" property.
452   * <p>
453   * Specifies the fully-qualified name of the Java class which provides the Password Policy
454   * implementation. Security note: the server presumably loads the class named here (confirm), so
455   * the right to set this property should be guarded like the right to deploy server code.
456   * @param value The value of the "java-class" property.
457   * @throws PropertyException
458   *           If the new value is invalid.
459   */
460  void setJavaClass(String value) throws PropertyException;
461
462
463
464  /**
465   * Gets the "last-login-time-attribute" property.
466   * <p>
467   * Specifies the name or OID of the attribute type that is used to
468   * hold the last login time for users with the associated password
469   * policy.
470   * <p>
471   * This attribute type must be defined in the directory server
472   * schema and must either be defined as an operational attribute or
473   * must be allowed by the set of objectClasses for all users with the
474   * associated password policy.
475   *
476   * @return Returns the value of the "last-login-time-attribute" property.
477   */
478  AttributeType getLastLoginTimeAttribute();
479
480
481
482  /**
483   * Sets the "last-login-time-attribute" property.
484   * <p>
485   * Specifies the name or OID of the attribute type that is used to
486   * hold the last login time for users with the associated password
487   * policy.
488   * <p>
489   * This attribute type must be defined in the directory server
490   * schema and must either be defined as an operational attribute or
491   * must be allowed by the set of objectClasses for all users with the
492   * associated password policy.
493   *
494   * @param value The value of the "last-login-time-attribute" property.
495   * @throws PropertyException
496   *           If the new value is invalid.
497   */
498  void setLastLoginTimeAttribute(AttributeType value) throws PropertyException;
499
500
501
502  /**
503   * Gets the "last-login-time-format" property.
504   * <p>
505   * Specifies the format string that is used to generate the last
506   * login time value for users with the associated password policy.
507   * <p>
508   * This format string conforms to the syntax described in the API
509   * documentation for the java.text.SimpleDateFormat class.
510   *
511   * @return Returns the value of the "last-login-time-format" property.
512   */
513  String getLastLoginTimeFormat();
514
515
516
517  /**
518   * Sets the "last-login-time-format" property.
519   * <p>
520   * Specifies the format string that is used to generate the last
521   * login time value for users with the associated password policy.
522   * <p>
523   * This format string conforms to the syntax described in the API
524   * documentation for the java.text.SimpleDateFormat class.
525   *
526   * @param value The value of the "last-login-time-format" property.
527   * @throws PropertyException
528   *           If the new value is invalid.
529   */
530  void setLastLoginTimeFormat(String value) throws PropertyException;
531
532
533
534  /**
535   * Gets the "lockout-duration" property.
536   * <p>
537   * Specifies the length of time that an account is locked after too many authentication
538   * failures.
539   * <p>
540   * The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days,
541   * or weeks. A value of 0 seconds indicates that the account must remain locked until an
542   * administrator resets the password. Security note: with 0, failed attempts against an account
543   * keep its owner locked out until an administrator acts; weigh that against guessing resistance.
544   *
545   * @return Returns the value of the "lockout-duration" property.
546   */
547  long getLockoutDuration();
548
549
550
551  /**
552   * Sets the "lockout-duration" property.
553   * <p>
554   * Specifies the length of time that an account is locked after too many authentication
555   * failures.
556   * <p>
557   * The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days,
558   * or weeks. A value of 0 seconds indicates that the account must remain locked until an
559   * administrator resets the password. Security note: with 0, failed attempts against an account
560   * keep its owner locked out until an administrator acts; weigh that against guessing resistance.
561   *
562   * @param value The value of the "lockout-duration" property.
563   * @throws PropertyException
564   *           If the new value is invalid.
565   */
566  void setLockoutDuration(Long value) throws PropertyException;
567
568
569
570  /**
571   * Gets the "lockout-failure-count" property.
572   * <p>
573   * Specifies the maximum number of authentication failures that a user is allowed before the
574   * account is locked out.
575   * <p>
576   * A value of 0 indicates that accounts are never locked out due to failed attempts. Security
577   * note: with 0 this policy puts no limit on repeated password guesses against an account.
578   *
579   * @return Returns the value of the "lockout-failure-count" property.
580   */
581  int getLockoutFailureCount();
582
583
584
585  /**
586   * Sets the "lockout-failure-count" property.
587   * <p>
588   * Specifies the maximum number of authentication failures that a user is allowed before the
589   * account is locked out.
590   * <p>
591   * A value of 0 indicates that accounts are never locked out due to failed attempts. Security
592   * note: with 0 this policy puts no limit on repeated password guesses against an account.
593   *
594   * @param value The value of the "lockout-failure-count" property.
595   * @throws PropertyException
596   *           If the new value is invalid.
597   */
598  void setLockoutFailureCount(Integer value) throws PropertyException;
599
600
601
602  /**
603   * Gets the "lockout-failure-expiration-interval" property.
604   * <p>
605   * Specifies the length of time before an authentication failure is no longer counted against a
606   * user for the purposes of account lockout.
607   * <p>
608   * The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days,
609   * or weeks. A value of 0 seconds indicates that the authentication failures must never expire.
610   * The failure count is always cleared upon a successful authentication. Security note: lockout
611   * only counts failures that fall within this interval, so a very short value weakens the
612   * "lockout-failure-count" control.
613   *
614   * @return Returns the value of the "lockout-failure-expiration-interval" property.
615   */
616  long getLockoutFailureExpirationInterval();
617
618
619
620  /**
621   * Sets the "lockout-failure-expiration-interval" property.
622   * <p>
623   * Specifies the length of time before an authentication failure is no longer counted against a
624   * user for the purposes of account lockout.
625   * <p>
626   * The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days,
627   * or weeks. A value of 0 seconds indicates that the authentication failures must never expire.
628   * The failure count is always cleared upon a successful authentication. Security note: lockout
629   * only counts failures that fall within this interval, so a very short value weakens the
630   * "lockout-failure-count" control.
631   *
632   * @param value The value of the "lockout-failure-expiration-interval" property.
633   * @throws PropertyException
634   *           If the new value is invalid.
635   */
636  void setLockoutFailureExpirationInterval(Long value) throws PropertyException;
637
638
639
640  /**
641   * Gets the "max-password-age" property.
642   * <p>
643   * Specifies the maximum length of time that a user can continue
644   * using the same password before it must be changed (that is, the
645   * password expiration interval).
646   * <p>
647   * The value of this attribute is an integer followed by a unit of
648   * seconds, minutes, hours, days, or weeks. A value of 0 seconds
649   * disables password expiration.
650   *
651   * @return Returns the value of the "max-password-age" property.
652   */
653  long getMaxPasswordAge();
654
655
656
657  /**
658   * Sets the "max-password-age" property.
659   * <p>
660   * Specifies the maximum length of time that a user can continue
661   * using the same password before it must be changed (that is, the
662   * password expiration interval).
663   * <p>
664   * The value of this attribute is an integer followed by a unit of
665   * seconds, minutes, hours, days, or weeks. A value of 0 seconds
666   * disables password expiration.
667   *
668   * @param value The value of the "max-password-age" property.
669   * @throws PropertyException
670   *           If the new value is invalid.
671   */
672  void setMaxPasswordAge(Long value) throws PropertyException;
673
674
675
676  /**
677   * Gets the "max-password-reset-age" property.
678   * <p>
679   * Specifies the maximum length of time that users have to change
680   * passwords after they have been reset by an administrator before
681   * they become locked.
682   * <p>
683   * The value of this attribute is an integer followed by a unit of
684   * seconds, minutes, hours, days, or weeks. A value of 0 seconds
685   * disables this feature.
686   *
687   * @return Returns the value of the "max-password-reset-age" property.
688   */
689  long getMaxPasswordResetAge();
690
691
692
693  /**
694   * Sets the "max-password-reset-age" property.
695   * <p>
696   * Specifies the maximum length of time that users have to change
697   * passwords after they have been reset by an administrator before
698   * they become locked.
699   * <p>
700   * The value of this attribute is an integer followed by a unit of
701   * seconds, minutes, hours, days, or weeks. A value of 0 seconds
702   * disables this feature.
703   *
704   * @param value The value of the "max-password-reset-age" property.
705   * @throws PropertyException
706   *           If the new value is invalid.
707   */
708  void setMaxPasswordResetAge(Long value) throws PropertyException;
709
710
711
712  /**
713   * Gets the "min-password-age" property.
714   * <p>
715   * Specifies the minimum length of time after a password change
716   * before the user is allowed to change the password again.
717   * <p>
718   * The value of this attribute is an integer followed by a unit of
719   * seconds, minutes, hours, days, or weeks. This setting can be used
720   * to prevent users from changing their passwords repeatedly over a
721   * short period of time to flush an old password from the history so
722   * that it can be re-used.
723   *
724   * @return Returns the value of the "min-password-age" property.
725   */
726  long getMinPasswordAge();
727
728
729
730  /**
731   * Sets the "min-password-age" property.
732   * <p>
733   * Specifies the minimum length of time after a password change
734   * before the user is allowed to change the password again.
735   * <p>
736   * The value of this attribute is an integer followed by a unit of
737   * seconds, minutes, hours, days, or weeks. This setting can be used
738   * to prevent users from changing their passwords repeatedly over a
739   * short period of time to flush an old password from the history so
740   * that it can be re-used.
741   *
742   * @param value The value of the "min-password-age" property.
743   * @throws PropertyException
744   *           If the new value is invalid.
745   */
746  void setMinPasswordAge(Long value) throws PropertyException;
747
748
749
750  /**
751   * Gets the "password-attribute" property.
752   * <p>
753   * Specifies the attribute type used to hold user passwords.
754   * <p>
755   * This attribute type must be defined in the server schema, and it
756   * must have either the user password or auth password syntax.
757   *
758   * @return Returns the value of the "password-attribute" property.
759   */
760  AttributeType getPasswordAttribute();
761
762
763
764  /**
765   * Sets the "password-attribute" property.
766   * <p>
767   * Specifies the attribute type used to hold user passwords.
768   * <p>
769   * This attribute type must be defined in the server schema, and it
770   * must have either the user password or auth password syntax.
771   *
772   * @param value The value of the "password-attribute" property.
773   * @throws PropertyException
774   *           If the new value is invalid.
775   */
776  void setPasswordAttribute(AttributeType value) throws PropertyException;
777
778
779
780  /**
781   * Gets the "password-change-requires-current-password" property.
782   * <p>
783   * Indicates whether user password changes must use the password modify extended operation and
784   * must include the user's current password before the change is allowed. Security note: when
785   * false, presumably an authenticated session alone suffices to replace the password (confirm).
786   *
787   * @return Returns the value of the "password-change-requires-current-password" property.
788   */
789  boolean isPasswordChangeRequiresCurrentPassword();
790
791
792
793  /**
794   * Sets the "password-change-requires-current-password" property.
795   * <p>
796   * Indicates whether user password changes must use the password modify extended operation and
797   * must include the user's current password before the change is allowed. Security note: when
798   * false, presumably an authenticated session alone suffices to replace the password (confirm).
799   *
800   * @param value The value of the "password-change-requires-current-password" property.
801   * @throws PropertyException
802   *           If the new value is invalid.
803   */
804  void setPasswordChangeRequiresCurrentPassword(Boolean value) throws PropertyException;
805
806
807
808  /**
809   * Gets the "password-expiration-warning-interval" property.
810   * <p>
811   * Specifies the maximum length of time before a user's password
812   * actually expires that the server begins to include warning
813   * notifications in bind responses for that user.
814   * <p>
815   * The value of this attribute is an integer followed by a unit of
816   * seconds, minutes, hours, days, or weeks. A value of 0 seconds
817   * disables the warning interval.
818   *
819   * @return Returns the value of the "password-expiration-warning-interval" property.
820   */
821  long getPasswordExpirationWarningInterval();
822
823
824
825  /**
826   * Sets the "password-expiration-warning-interval" property.
827   * <p>
828   * Specifies the maximum length of time before a user's password
829   * actually expires that the server begins to include warning
830   * notifications in bind responses for that user.
831   * <p>
832   * The value of this attribute is an integer followed by a unit of
833   * seconds, minutes, hours, days, or weeks. A value of 0 seconds
834   * disables the warning interval.
835   *
836   * @param value The value of the "password-expiration-warning-interval" property.
837   * @throws PropertyException
838   *           If the new value is invalid.
839   */
840  void setPasswordExpirationWarningInterval(Long value) throws PropertyException;
841
842
843
844  /**
845   * Gets the "password-generator" property.
846   * <p>
847   * Specifies the name of the password generator that is used with
848   * the associated password policy.
849   * <p>
850   * This is used in conjunction with the password modify extended
851   * operation to generate a new password for a user when none was
852   * provided in the request.
853   *
854   * @return Returns the value of the "password-generator" property.
855   */
856  String getPasswordGenerator();
857
858
859
860  /**
861   * Sets the "password-generator" property.
862   * <p>
863   * Specifies the name of the password generator that is used with
864   * the associated password policy.
865   * <p>
866   * This is used in conjunction with the password modify extended
867   * operation to generate a new password for a user when none was
868   * provided in the request.
869   *
870   * @param value The value of the "password-generator" property.
871   * @throws PropertyException
872   *           If the new value is invalid.
873   */
874  void setPasswordGenerator(String value) throws PropertyException;
875
876
877
878  /**
879   * Gets the "password-history-count" property.
880   * <p>
881   * Specifies the maximum number of former passwords to maintain in
882   * the password history.
883   * <p>
884   * When choosing a new password, the proposed password is checked to
885   * ensure that it does not match the current password, nor any other
886   * password in the history list. A value of zero indicates that
887   * either no password history is to be maintained (if the password
888   * history duration has a value of zero seconds), or that there is no
889   * maximum number of passwords to maintain in the history (if the
890   * password history duration has a value greater than zero seconds).
      * <p>
      * Read this together with {@link #getPasswordHistoryDuration()}: per
      * the description above, password history is off only when both
      * values are zero, so a zero count alone does not mean that password
      * reuse is unchecked.
891   *
892   * @return Returns the value of the "password-history-count" property.
893   */
894  int getPasswordHistoryCount();
895
896
897
898  /**
899   * Sets the "password-history-count" property.
900   * <p>
901   * Specifies the maximum number of former passwords to maintain in
902   * the password history.
903   * <p>
904   * When choosing a new password, the proposed password is checked to
905   * ensure that it does not match the current password, nor any other
906   * password in the history list. A value of zero indicates that
907   * either no password history is to be maintained (if the password
908   * history duration has a value of zero seconds), or that there is no
909   * maximum number of passwords to maintain in the history (if the
910   * password history duration has a value greater than zero seconds).
      * <p>
      * Setting zero here has two different outcomes depending on the
      * "password-history-duration" property (see above): history disabled,
      * or history with no count limit. Check the duration before changing
      * the count.
      * <p>
      * NOTE(review): the parameter is a boxed Integer; the effect of null
      * is not documented here - confirm.
911   *
912   * @param value The value of the "password-history-count" property.
913   * @throws PropertyException
914   *           If the new value is invalid.
915   */
916  void setPasswordHistoryCount(Integer value) throws PropertyException;
917
918
919
920  /**
921   * Gets the "password-history-duration" property.
922   * <p>
923   * Specifies the maximum length of time that passwords remain in the
924   * password history.
925   * <p>
926   * When choosing a new password, the proposed password is checked to
927   * ensure that it does not match the current password, nor any other
928   * password in the history list. A value of zero seconds indicates
929   * that either no password history is to be maintained (if the
930   * password history count has a value of zero), or that there is no
931   * maximum duration for passwords in the history (if the password
932   * history count has a value greater than zero).
      * <p>
      * Read this together with {@link #getPasswordHistoryCount()}: per the
      * description above, password history is off only when both values
      * are zero.
      * <p>
      * NOTE(review): the description speaks of seconds, but the unit of
      * the returned long is not stated here - confirm before comparing it
      * with other durations.
933   *
934   * @return Returns the value of the "password-history-duration" property.
935   */
936  long getPasswordHistoryDuration();
937
938
939
940  /**
941   * Sets the "password-history-duration" property.
942   * <p>
943   * Specifies the maximum length of time that passwords remain in the
944   * password history.
945   * <p>
946   * When choosing a new password, the proposed password is checked to
947   * ensure that it does not match the current password, nor any other
948   * password in the history list. A value of zero seconds indicates
949   * that either no password history is to be maintained (if the
950   * password history count has a value of zero), or that there is no
951   * maximum duration for passwords in the history (if the password
952   * history count has a value greater than zero).
      * <p>
      * Setting zero here has two different outcomes depending on the
      * "password-history-count" property (see above): history disabled, or
      * history with no age limit. Check the count before changing the
      * duration.
      * <p>
      * NOTE(review): the unit expected for the boxed Long and the effect
      * of null are not documented here - confirm.
953   *
954   * @param value The value of the "password-history-duration" property.
955   * @throws PropertyException
956   *           If the new value is invalid.
957   */
958  void setPasswordHistoryDuration(Long value) throws PropertyException;
959
960
961
962  /**
963   * Gets the "password-validator" property.
964   * <p>
965   * Specifies the names of the password validators that are used with
966   * the associated password policy.
967   * <p>
968   * The password validators are invoked when a user attempts to
969   * provide a new password, to determine whether the new password is
970   * acceptable.
      * <p>
      * Whether passwords set by administrators also go through validation
      * is controlled separately; see
      * {@link #isSkipValidationForAdministrators()}.
      * <p>
      * NOTE(review): an empty set presumably means that no validator is
      * applied to new passwords under this policy - confirm.
971   *
972   * @return Returns the values of the "password-validator" property.
973   */
974  SortedSet<String> getPasswordValidator();
975
976
977
978  /**
979   * Sets the "password-validator" property.
980   * <p>
981   * Specifies the names of the password validators that are used with
982   * the associated password policy.
983   * <p>
984   * The password validators are invoked when a user attempts to
985   * provide a new password, to determine whether the new password is
986   * acceptable.
      * <p>
      * NOTE(review): passing an empty collection (or null) presumably
      * removes every validator from the policy, leaving new passwords
      * unchecked - confirm, and review such a change like any other
      * weakening of the policy.
987   *
988   * @param values The values of the "password-validator" property.
989   * @throws PropertyException
990   *           If one or more of the new values are invalid.
991   */
992  void setPasswordValidator(Collection<String> values) throws PropertyException;
993
994
995
996  /**
997   * Gets the "previous-last-login-time-format" property.
998   * <p>
999   * Specifies the format string(s) that might have been used with the
1000   * last login time at any point in the past for users associated with
1001   * the password policy.
1002   * <p>
1003   * These values are used to make it possible to parse previous
1004   * values, but are not used to set new values. The format strings
1005   * conform to the syntax described in the API documentation for the
1006   * java.text.SimpleDateFormat class.
       * <p>
       * The formats come back as a SortedSet, so iteration order is the
       * set's sort order rather than the order in which they were
       * configured.
       * NOTE(review): the order in which the server tries the formats when
       * parsing is not stated here - confirm if two formats can match the
       * same stored value.
1007   *
1008   * @return Returns the values of the "previous-last-login-time-format" property.
1009   */
1010  SortedSet<String> getPreviousLastLoginTimeFormat();
1011
1012
1013
1014  /**
1015   * Sets the "previous-last-login-time-format" property.
1016   * <p>
1017   * Specifies the format string(s) that might have been used with the
1018   * last login time at any point in the past for users associated with
1019   * the password policy.
1020   * <p>
1021   * These values are used to make it possible to parse previous
1022   * values, but are not used to set new values. The format strings
1023   * conform to the syntax described in the API documentation for the
1024   * java.text.SimpleDateFormat class.
       * <p>
       * NOTE(review): presumably a string that is not a valid
       * SimpleDateFormat pattern is rejected with PropertyException; where
       * that check happens is not visible here - confirm.
1025   *
1026   * @param values The values of the "previous-last-login-time-format" property.
1027   * @throws PropertyException
1028   *           If one or more of the new values are invalid.
1029   */
1030  void setPreviousLastLoginTimeFormat(Collection<String> values) throws PropertyException;
1031
1032
1033
1034  /**
1035   * Gets the "require-change-by-time" property.
1036   * <p>
1037   * Specifies the time by which all users with the associated
1038   * password policy must change their passwords.
1039   * <p>
1040   * The value is expressed in a generalized time format. If this time
1041   * is equal to the current time or is in the past, then all users are
1042   * required to change their passwords immediately. The behavior of
1043   * the server in this mode is identical to the behavior observed when
1044   * users are forced to change their passwords after an administrative
1045   * reset.
       * <p>
       * The value is returned as the configured string, not as a parsed
       * timestamp.
       * NOTE(review): what is returned when the property is unset is not
       * stated here - confirm.
1046   *
1047   * @return Returns the value of the "require-change-by-time" property.
1048   */
1049  String getRequireChangeByTime();
1050
1051
1052
1053  /**
1054   * Sets the "require-change-by-time" property.
1055   * <p>
1056   * Specifies the time by which all users with the associated
1057   * password policy must change their passwords.
1058   * <p>
1059   * The value is expressed in a generalized time format. If this time
1060   * is equal to the current time or is in the past, then all users are
1061   * required to change their passwords immediately. The behavior of
1062   * the server in this mode is identical to the behavior observed when
1063   * users are forced to change their passwords after an administrative
1064   * reset.
       * <p>
       * Because a time at or before "now" takes effect for every user of
       * the policy at once (see above), verify the value and its time zone
       * designator before committing the change.
       * NOTE(review): the effect of passing null is not documented here -
       * confirm.
1065   *
1066   * @param value The value of the "require-change-by-time" property.
1067   * @throws PropertyException
1068   *           If the new value is invalid.
1069   */
1070  void setRequireChangeByTime(String value) throws PropertyException;
1071
1072
1073
1074  /**
1075   * Gets the "require-secure-authentication" property.
1076   * <p>
1077   * Indicates whether users with the associated password policy are
1078   * required to authenticate in a secure manner.
1079   * <p>
1080   * This might mean either using a secure communication channel
1081   * between the client and the server, or using a SASL mechanism that
1082   * does not expose the credentials.
       * <p>
       * When this returns false, this policy does not impose that
       * requirement; any protection of credentials in transit then has to
       * come from other server or network configuration.
1083   *
1084   * @return Returns the value of the "require-secure-authentication" property.
1085   */
1086  boolean isRequireSecureAuthentication();
1087
1088
1089
1090  /**
1091   * Sets the "require-secure-authentication" property.
1092   * <p>
1093   * Indicates whether users with the associated password policy are
1094   * required to authenticate in a secure manner.
1095   * <p>
1096   * This might mean either using a secure communication channel
1097   * between the client and the server, or using a SASL mechanism that
1098   * does not expose the credentials.
       * <p>
       * NOTE(review): "might mean either" leaves open which channels and
       * SASL mechanisms the server accepts as secure; confirm that before
       * treating this property as the only control that keeps credentials
       * from crossing the network unprotected. The effect of passing null
       * for the boxed Boolean is also not documented here.
1099   *
1100   * @param value The value of the "require-secure-authentication" property.
1101   * @throws PropertyException
1102   *           If the new value is invalid.
1103   */
1104  void setRequireSecureAuthentication(Boolean value) throws PropertyException;
1105
1106
1107
1108  /**
1109   * Gets the "require-secure-password-changes" property.
1110   * <p>
1111   * Indicates whether users with the associated password policy are
1112   * required to change their password in a secure manner that does not
1113   * expose the credentials.
       * <p>
       * This is a separate property from "require-secure-authentication"
       * ({@link #isRequireSecureAuthentication()}): that one is described
       * in terms of authentication, this one in terms of password changes.
       * When this returns false, this policy does not impose the
       * requirement on password changes.
1114   *
1115   * @return Returns the value of the "require-secure-password-changes" property.
1116   */
1117  boolean isRequireSecurePasswordChanges();
1118
1119
1120
1121  /**
1122   * Sets the "require-secure-password-changes" property.
1123   * <p>
1124   * Indicates whether users with the associated password policy are
1125   * required to change their password in a secure manner that does not
1126   * expose the credentials.
       * <p>
       * This property is documented separately from
       * "require-secure-authentication"; if both authentication and
       * password changes must be protected, both properties need to be
       * reviewed.
       * NOTE(review): what the server accepts as "a secure manner" and the
       * effect of passing null are not stated here - confirm.
1127   *
1128   * @param value The value of the "require-secure-password-changes" property.
1129   * @throws PropertyException
1130   *           If the new value is invalid.
1131   */
1132  void setRequireSecurePasswordChanges(Boolean value) throws PropertyException;
1133
1134
1135
1136  /**
1137   * Gets the "skip-validation-for-administrators" property.
1138   * <p>
1139   * Indicates whether passwords set by administrators are allowed to
1140   * bypass the password validation process that is required for user
1141   * password changes.
       * <p>
       * NOTE(review): the validation that is bypassed is presumably the
       * one performed by the validators named in the "password-validator"
       * property ({@link #getPasswordValidator()}); how the server decides
       * that a password was "set by an administrator" is not stated here -
       * confirm both.
1142   *
1143   * @return Returns the value of the "skip-validation-for-administrators" property.
1144   */
1145  boolean isSkipValidationForAdministrators();
1146
1147
1148
1149  /**
1150   * Sets the "skip-validation-for-administrators" property.
1151   * <p>
1152   * Indicates whether passwords set by administrators are allowed to
1153   * bypass the password validation process that is required for user
1154   * password changes.
       * <p>
       * Enabling this means that an administrative password set can leave
       * an account with a password that validation would have rejected had
       * the user chosen it, so treat a change to true as a weakening of
       * the policy.
       * NOTE(review): the effect of passing null for the boxed Boolean is
       * not documented here - confirm.
1155   *
1156   * @param value The value of the "skip-validation-for-administrators" property.
1157   * @throws PropertyException
1158   *           If the new value is invalid.
1159   */
1160  void setSkipValidationForAdministrators(Boolean value) throws PropertyException;
1161
1162
1163
1164  /**
1165   * Gets the "state-update-failure-policy" property.
1166   * <p>
1167   * Specifies how the server deals with the inability to update
1168   * password policy state information during an authentication
1169   * attempt.
1170   * <p>
1171   * In particular, this property can be used to control whether an
1172   * otherwise successful bind operation fails if a failure occurs
1173   * while attempting to update password policy state information (for
1174   * example, to clear a record of previous authentication failures or
1175   * to update the last login time). It can also be used to control
1176   * whether to reject a bind request if it is known ahead of time that
1177   * it will not be possible to update the authentication failure times
1178   * in the event of an unsuccessful bind attempt (for example, if the
1179   * backend writability mode is disabled).
       * <p>
       * The possible values are the constants of StateUpdateFailurePolicy,
       * which is declared in PasswordPolicyCfgDefn and not shown in this
       * interface.
       * <p>
       * NOTE(review): the state in question includes the authentication
       * failure times, so a value that lets binds proceed while state
       * cannot be written may leave failed attempts unrecorded - confirm
       * the behavior of each value before relying on failure tracking
       * with a non-writable backend.
1180   *
1181   * @return Returns the value of the "state-update-failure-policy" property.
1182   */
1183  StateUpdateFailurePolicy getStateUpdateFailurePolicy();
1184
1185
1186
1187  /**
1188   * Sets the "state-update-failure-policy" property.
1189   * <p>
1190   * Specifies how the server deals with the inability to update
1191   * password policy state information during an authentication
1192   * attempt.
1193   * <p>
1194   * In particular, this property can be used to control whether an
1195   * otherwise successful bind operation fails if a failure occurs
1196   * while attempting to update password policy state information (for
1197   * example, to clear a record of previous authentication failures or
1198   * to update the last login time). It can also be used to control
1199   * whether to reject a bind request if it is known ahead of time that
1200   * it will not be possible to update the authentication failure times
1201   * in the event of an unsuccessful bind attempt (for example, if the
1202   * backend writability mode is disabled).
       * <p>
       * The choice trades availability against accurate state: failing or
       * rejecting binds keeps the recorded state consistent, while letting
       * them proceed keeps users able to log in when state cannot be
       * written.
       * NOTE(review): which StateUpdateFailurePolicy constant gives which
       * behavior, and the effect of passing null, are not visible here -
       * confirm against PasswordPolicyCfgDefn.
1203   *
1204   * @param value The value of the "state-update-failure-policy" property.
1205   * @throws PropertyException
1206   *           If the new value is invalid.
1207   */
1208  void setStateUpdateFailurePolicy(StateUpdateFailurePolicy value) throws PropertyException;
1209
1210}