/*
 * The contents of this file are subject to the terms of the Common Development and
 * Distribution License (the License). You may not use this file except in compliance with the
 * License.
 *
 * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
 * specific language governing permission and limitations under the License.
 *
 * When distributing Covered Software, include this CDDL Header Notice in each file and include
 * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
 * Header, with the fields enclosed by brackets [] replaced by your own identifying
 * information: "Portions Copyright [year] [name of copyright owner]".
 *
 * Copyright 2008 Sun Microsystems, Inc.
 */
package org.forgerock.opendj.server.config.client;



import java.util.Collection;
import java.util.SortedSet;
import org.forgerock.opendj.config.ManagedObjectDefinition;
import org.forgerock.opendj.config.PropertyException;
import org.forgerock.opendj.ldap.schema.AttributeType;
import org.forgerock.opendj.server.config.meta.PasswordPolicyCfgDefn.StateUpdateFailurePolicy;
import org.forgerock.opendj.server.config.server.PasswordPolicyCfg;



/**
 * A client-side interface for reading and modifying Password Policy
 * settings.
 * <p>
 * Password Policies define a number of password management rules, as
 * well as requirements for authentication processing.
 * <p>
 * Review note: the {@code boolean}, {@code int} and {@code long}
 * getters in this interface return primitives, while the matching
 * setters take the boxed types ({@code Boolean}, {@code Integer},
 * {@code Long}). What a {@code null} argument means is not stated in
 * this interface - confirm against the implementation before relying
 * on it.
 */
public interface PasswordPolicyCfgClient extends AuthenticationPolicyCfgClient {

  /**
   * Get the configuration definition associated with this Password Policy.
   *
   * @return Returns the configuration definition associated with this Password Policy.
   */
  ManagedObjectDefinition<? extends PasswordPolicyCfgClient, ? extends PasswordPolicyCfg> definition();



  /**
   * Gets the "account-status-notification-handler" property.
   * <p>
   * Specifies the names of the account status notification handlers
   * that are used with the associated password storage scheme.
   * <p>
   * NOTE(review): "password storage scheme" reads like a copy-paste
   * slip for "password policy", since this property is part of the
   * Password Policy configuration - confirm against the property
   * definition.
   *
   * @return Returns the values of the "account-status-notification-handler" property.
   */
  SortedSet<String> getAccountStatusNotificationHandler();



  /**
   * Sets the "account-status-notification-handler" property.
   * <p>
   * Specifies the names of the account status notification handlers
   * that are used with the associated password storage scheme.
   *
   * @param values The values of the "account-status-notification-handler" property.
   * @throws PropertyException
   *           If one or more of the new values are invalid.
   */
  void setAccountStatusNotificationHandler(Collection<String> values) throws PropertyException;



  /**
   * Gets the "allow-expired-password-changes" property.
   * <p>
   * Indicates whether a user whose password is expired is still
   * allowed to change that password using the password modify extended
   * operation.
   *
   * @return Returns the value of the "allow-expired-password-changes" property.
   */
  boolean isAllowExpiredPasswordChanges();



  /**
   * Sets the "allow-expired-password-changes" property.
   * <p>
   * Indicates whether a user whose password is expired is still
   * allowed to change that password using the password modify extended
   * operation.
   *
   * @param value The value of the "allow-expired-password-changes" property.
   * @throws PropertyException
   *           If the new value is invalid.
   */
  void setAllowExpiredPasswordChanges(Boolean value) throws PropertyException;



  /**
   * Gets the "allow-multiple-password-values" property.
   * <p>
   * Indicates whether user entries can have multiple distinct values
   * for the password attribute.
   * <p>
   * This is potentially dangerous because many mechanisms used to
   * change the password do not work well with such a configuration. If
   * multiple password values are allowed, then any of them can be used
   * to authenticate, and they are all subject to the same policy
   * constraints.
   * <p>
   * Review note: because every stored value is accepted for
   * authentication, enabling this widens the set of valid credentials
   * per entry. Confirm that the password change paths in use replace
   * all existing values rather than leaving an old one in place.
   *
   * @return Returns the value of the "allow-multiple-password-values" property.
   */
  boolean isAllowMultiplePasswordValues();



  /**
   * Sets the "allow-multiple-password-values" property.
   * <p>
   * Indicates whether user entries can have multiple distinct values
   * for the password attribute.
   * <p>
   * This is potentially dangerous because many mechanisms used to
   * change the password do not work well with such a configuration. If
   * multiple password values are allowed, then any of them can be used
   * to authenticate, and they are all subject to the same policy
   * constraints.
   *
   * @param value The value of the "allow-multiple-password-values" property.
   * @throws PropertyException
   *           If the new value is invalid.
   */
  void setAllowMultiplePasswordValues(Boolean value) throws PropertyException;



  /**
   * Gets the "allow-pre-encoded-passwords" property.
   * <p>
   * Indicates whether users can change their passwords by providing a
   * pre-encoded value.
   * <p>
   * This can cause a security risk because the clear-text version of
   * the password is not known and therefore validation checks cannot
   * be applied to it.
   * <p>
   * Review note: the checks that cannot run presumably include the
   * validators named by the "password-validator" property, so a
   * pre-encoded value would bypass whatever quality rules they
   * enforce - confirm against the server-side handling.
   *
   * @return Returns the value of the "allow-pre-encoded-passwords" property.
   */
  boolean isAllowPreEncodedPasswords();



  /**
   * Sets the "allow-pre-encoded-passwords" property.
   * <p>
   * Indicates whether users can change their passwords by providing a
   * pre-encoded value.
   * <p>
   * This can cause a security risk because the clear-text version of
   * the password is not known and therefore validation checks cannot
   * be applied to it.
   *
   * @param value The value of the "allow-pre-encoded-passwords" property.
   * @throws PropertyException
   *           If the new value is invalid.
   */
  void setAllowPreEncodedPasswords(Boolean value) throws PropertyException;



  /**
   * Gets the "allow-user-password-changes" property.
   * <p>
   * Indicates whether users can change their own passwords.
   * <p>
   * This check is made in addition to access control evaluation. Both
   * must allow the password change for it to occur.
   *
   * @return Returns the value of the "allow-user-password-changes" property.
   */
  boolean isAllowUserPasswordChanges();



  /**
   * Sets the "allow-user-password-changes" property.
   * <p>
   * Indicates whether users can change their own passwords.
   * <p>
   * This check is made in addition to access control evaluation. Both
   * must allow the password change for it to occur.
   *
   * @param value The value of the "allow-user-password-changes" property.
   * @throws PropertyException
   *           If the new value is invalid.
   */
  void setAllowUserPasswordChanges(Boolean value) throws PropertyException;



  /**
   * Gets the "default-password-storage-scheme" property.
   * <p>
   * Specifies the names of the password storage schemes that are used
   * to encode clear-text passwords for this password policy.
   * <p>
   * Review note: the schemes named here decide how clear-text
   * passwords are encoded for storage, so this is the setting to audit
   * when assessing how well stored passwords are protected. This
   * interface only carries scheme names; which schemes exist and how
   * strong they are is not visible here.
   *
   * @return Returns the values of the "default-password-storage-scheme" property.
   */
  SortedSet<String> getDefaultPasswordStorageScheme();



  /**
   * Sets the "default-password-storage-scheme" property.
   * <p>
   * Specifies the names of the password storage schemes that are used
   * to encode clear-text passwords for this password policy.
   *
   * @param values The values of the "default-password-storage-scheme" property.
   * @throws PropertyException
   *           If one or more of the new values are invalid.
   */
  void setDefaultPasswordStorageScheme(Collection<String> values) throws PropertyException;



  /**
   * Gets the "deprecated-password-storage-scheme" property.
   * <p>
   * Specifies the names of the password storage schemes that are
   * considered deprecated for this password policy.
   * <p>
   * If a user with this password policy authenticates to the server
   * and his/her password is encoded with a deprecated scheme, those
   * values are removed and replaced with values encoded using the
   * default password storage scheme(s).
   * <p>
   * Review note: as described, re-encoding happens when the user
   * authenticates. Entries whose users do not authenticate would
   * presumably keep the deprecated encoding - confirm, and plan a
   * separate migration for dormant accounts if so.
   *
   * @return Returns the values of the "deprecated-password-storage-scheme" property.
   */
  SortedSet<String> getDeprecatedPasswordStorageScheme();



  /**
   * Sets the "deprecated-password-storage-scheme" property.
   * <p>
   * Specifies the names of the password storage schemes that are
   * considered deprecated for this password policy.
   * <p>
   * If a user with this password policy authenticates to the server
   * and his/her password is encoded with a deprecated scheme, those
   * values are removed and replaced with values encoded using the
   * default password storage scheme(s).
   *
   * @param values The values of the "deprecated-password-storage-scheme" property.
   * @throws PropertyException
   *           If one or more of the new values are invalid.
   */
  void setDeprecatedPasswordStorageScheme(Collection<String> values) throws PropertyException;



  /**
   * Gets the "expire-passwords-without-warning" property.
   * <p>
   * Indicates whether the directory server allows a user's password
   * to expire even if that user has never seen an expiration warning
   * notification.
   * <p>
   * If this property is true, accounts always expire when the
   * expiration time arrives. If this property is false or disabled,
   * the user always receives at least one warning notification, and
   * the password expiration is set to the warning time plus the
   * warning interval.
   *
   * @return Returns the value of the "expire-passwords-without-warning" property.
   */
  boolean isExpirePasswordsWithoutWarning();



  /**
   * Sets the "expire-passwords-without-warning" property.
   * <p>
   * Indicates whether the directory server allows a user's password
   * to expire even if that user has never seen an expiration warning
   * notification.
   * <p>
   * If this property is true, accounts always expire when the
   * expiration time arrives. If this property is false or disabled,
   * the user always receives at least one warning notification, and
   * the password expiration is set to the warning time plus the
   * warning interval.
   *
   * @param value The value of the "expire-passwords-without-warning" property.
   * @throws PropertyException
   *           If the new value is invalid.
   */
  void setExpirePasswordsWithoutWarning(Boolean value) throws PropertyException;



  /**
   * Gets the "force-change-on-add" property.
   * <p>
   * Indicates whether users are forced to change their passwords upon
   * first authenticating to the directory server after their account
   * has been created.
   *
   * @return Returns the value of the "force-change-on-add" property.
   */
  boolean isForceChangeOnAdd();



  /**
   * Sets the "force-change-on-add" property.
   * <p>
   * Indicates whether users are forced to change their passwords upon
   * first authenticating to the directory server after their account
   * has been created.
   *
   * @param value The value of the "force-change-on-add" property.
   * @throws PropertyException
   *           If the new value is invalid.
   */
  void setForceChangeOnAdd(Boolean value) throws PropertyException;



  /**
   * Gets the "force-change-on-reset" property.
   * <p>
   * Indicates whether users are forced to change their passwords if
   * they are reset by an administrator.
   * <p>
   * For this purpose, anyone with permission to change a given user's
   * password other than that user is considered an administrator.
   *
   * @return Returns the value of the "force-change-on-reset" property.
   */
  boolean isForceChangeOnReset();



  /**
   * Sets the "force-change-on-reset" property.
   * <p>
   * Indicates whether users are forced to change their passwords if
   * they are reset by an administrator.
   * <p>
   * For this purpose, anyone with permission to change a given user's
   * password other than that user is considered an administrator.
   *
   * @param value The value of the "force-change-on-reset" property.
   * @throws PropertyException
   *           If the new value is invalid.
   */
  void setForceChangeOnReset(Boolean value) throws PropertyException;



  /**
   * Gets the "grace-login-count" property.
   * <p>
   * Specifies the number of grace logins that a user is allowed after
   * the account has expired to allow that user to choose a new
   * password.
   * <p>
   * A value of 0 indicates that no grace logins are allowed.
   *
   * @return Returns the value of the "grace-login-count" property.
   */
  int getGraceLoginCount();



  /**
   * Sets the "grace-login-count" property.
   * <p>
   * Specifies the number of grace logins that a user is allowed after
   * the account has expired to allow that user to choose a new
   * password.
   * <p>
   * A value of 0 indicates that no grace logins are allowed.
   *
   * @param value The value of the "grace-login-count" property.
   * @throws PropertyException
   *           If the new value is invalid.
   */
  void setGraceLoginCount(Integer value) throws PropertyException;



  /**
   * Gets the "idle-lockout-interval" property.
   * <p>
   * Specifies the maximum length of time that an account may remain
   * idle (that is, the associated user does not authenticate to the
   * server) before that user is locked out.
   * <p>
   * The value of this attribute is an integer followed by a unit of
   * seconds, minutes, hours, days, or weeks. A value of 0 seconds
   * indicates that idle accounts are not automatically locked out.
   * This feature is available only if the last login time is
   * maintained.
   * <p>
   * Review note: the last login time is presumably the one recorded
   * through the "last-login-time-attribute" and
   * "last-login-time-format" properties - confirm. If it is not being
   * maintained, this interval has no effect according to the text
   * above.
   * <p>
   * NOTE(review): the time unit of the returned {@code long} is not
   * stated in this interface - confirm.
   *
   * @return Returns the value of the "idle-lockout-interval" property.
   */
  long getIdleLockoutInterval();



  /**
   * Sets the "idle-lockout-interval" property.
   * <p>
   * Specifies the maximum length of time that an account may remain
   * idle (that is, the associated user does not authenticate to the
   * server) before that user is locked out.
   * <p>
   * The value of this attribute is an integer followed by a unit of
   * seconds, minutes, hours, days, or weeks. A value of 0 seconds
   * indicates that idle accounts are not automatically locked out.
   * This feature is available only if the last login time is
   * maintained.
   *
   * @param value The value of the "idle-lockout-interval" property.
   * @throws PropertyException
   *           If the new value is invalid.
   */
  void setIdleLockoutInterval(Long value) throws PropertyException;



  /**
   * Gets the "java-class" property.
   * <p>
   * Specifies the fully-qualified name of the Java class which
   * provides the Password Policy implementation.
   *
   * @return Returns the value of the "java-class" property.
   */
  String getJavaClass();



  /**
   * Sets the "java-class" property.
   * <p>
   * Specifies the fully-qualified name of the Java class which
   * provides the Password Policy implementation.
   * <p>
   * Review note: the value names the class that provides the policy
   * implementation, so the ability to modify it should be limited to
   * trusted administrators. How the server loads and checks the named
   * class is not visible in this interface.
   *
   * @param value The value of the "java-class" property.
   * @throws PropertyException
   *           If the new value is invalid.
   */
  void setJavaClass(String value) throws PropertyException;



  /**
   * Gets the "last-login-time-attribute" property.
   * <p>
   * Specifies the name or OID of the attribute type that is used to
   * hold the last login time for users with the associated password
   * policy.
   * <p>
   * This attribute type must be defined in the directory server
   * schema and must either be defined as an operational attribute or
   * must be allowed by the set of objectClasses for all users with the
   * associated password policy.
   *
   * @return Returns the value of the "last-login-time-attribute" property.
   */
  AttributeType getLastLoginTimeAttribute();



  /**
   * Sets the "last-login-time-attribute" property.
   * <p>
   * Specifies the name or OID of the attribute type that is used to
   * hold the last login time for users with the associated password
   * policy.
   * <p>
   * This attribute type must be defined in the directory server
   * schema and must either be defined as an operational attribute or
   * must be allowed by the set of objectClasses for all users with the
   * associated password policy.
   *
   * @param value The value of the "last-login-time-attribute" property.
   * @throws PropertyException
   *           If the new value is invalid.
   */
  void setLastLoginTimeAttribute(AttributeType value) throws PropertyException;



  /**
   * Gets the "last-login-time-format" property.
   * <p>
   * Specifies the format string that is used to generate the last
   * login time value for users with the associated password policy.
   * <p>
   * This format string conforms to the syntax described in the API
   * documentation for the java.text.SimpleDateFormat class.
   *
   * @return Returns the value of the "last-login-time-format" property.
   */
  String getLastLoginTimeFormat();



  /**
   * Sets the "last-login-time-format" property.
   * <p>
   * Specifies the format string that is used to generate the last
   * login time value for users with the associated password policy.
   * <p>
   * This format string conforms to the syntax described in the API
   * documentation for the java.text.SimpleDateFormat class.
   *
   * @param value The value of the "last-login-time-format" property.
   * @throws PropertyException
   *           If the new value is invalid.
   */
  void setLastLoginTimeFormat(String value) throws PropertyException;



  /**
   * Gets the "lockout-duration" property.
   * <p>
   * Specifies the length of time that an account is locked after too
   * many authentication failures.
   * <p>
   * The value of this attribute is an integer followed by a unit of
   * seconds, minutes, hours, days, or weeks. A value of 0 seconds
   * indicates that the account must remain locked until an
   * administrator resets the password.
   * <p>
   * Review note: with a value of 0 seconds a locked account stays
   * locked until an administrator acts, so that setting needs an
   * operational process for handling lockouts.
   * <p>
   * NOTE(review): the time unit of the returned {@code long} is not
   * stated in this interface - confirm.
   *
   * @return Returns the value of the "lockout-duration" property.
   */
  long getLockoutDuration();



  /**
   * Sets the "lockout-duration" property.
   * <p>
   * Specifies the length of time that an account is locked after too
   * many authentication failures.
   * <p>
   * The value of this attribute is an integer followed by a unit of
   * seconds, minutes, hours, days, or weeks. A value of 0 seconds
   * indicates that the account must remain locked until an
   * administrator resets the password.
   *
   * @param value The value of the "lockout-duration" property.
   * @throws PropertyException
   *           If the new value is invalid.
   */
  void setLockoutDuration(Long value) throws PropertyException;



  /**
   * Gets the "lockout-failure-count" property.
   * <p>
   * Specifies the maximum number of authentication failures that a
   * user is allowed before the account is locked out.
   * <p>
   * A value of 0 indicates that accounts are never locked out due to
   * failed attempts.
   * <p>
   * Review note: with a value of 0 this policy applies no
   * failure-based lockout, so any limit on repeated failed
   * authentications has to come from another control.
   *
   * @return Returns the value of the "lockout-failure-count" property.
   */
  int getLockoutFailureCount();



  /**
   * Sets the "lockout-failure-count" property.
   * <p>
   * Specifies the maximum number of authentication failures that a
   * user is allowed before the account is locked out.
   * <p>
   * A value of 0 indicates that accounts are never locked out due to
   * failed attempts.
   *
   * @param value The value of the "lockout-failure-count" property.
   * @throws PropertyException
   *           If the new value is invalid.
   */
  void setLockoutFailureCount(Integer value) throws PropertyException;



  /**
   * Gets the "lockout-failure-expiration-interval" property.
   * <p>
   * Specifies the length of time before an authentication failure is
   * no longer counted against a user for the purposes of account
   * lockout.
   * <p>
   * The value of this attribute is an integer followed by a unit of
   * seconds, minutes, hours, days, or weeks. A value of 0 seconds
   * indicates that the authentication failures must never expire. The
   * failure count is always cleared upon a successful authentication.
   * <p>
   * NOTE(review): the time unit of the returned {@code long} is not
   * stated in this interface - confirm.
   *
   * @return Returns the value of the "lockout-failure-expiration-interval" property.
   */
  long getLockoutFailureExpirationInterval();



  /**
   * Sets the "lockout-failure-expiration-interval" property.
   * <p>
   * Specifies the length of time before an authentication failure is
   * no longer counted against a user for the purposes of account
   * lockout.
   * <p>
   * The value of this attribute is an integer followed by a unit of
   * seconds, minutes, hours, days, or weeks. A value of 0 seconds
   * indicates that the authentication failures must never expire. The
   * failure count is always cleared upon a successful authentication.
   *
   * @param value The value of the "lockout-failure-expiration-interval" property.
   * @throws PropertyException
   *           If the new value is invalid.
   */
  void setLockoutFailureExpirationInterval(Long value) throws PropertyException;



  /**
   * Gets the "max-password-age" property.
   * <p>
   * Specifies the maximum length of time that a user can continue
   * using the same password before it must be changed (that is, the
   * password expiration interval).
   * <p>
   * The value of this attribute is an integer followed by a unit of
   * seconds, minutes, hours, days, or weeks. A value of 0 seconds
   * disables password expiration.
   * <p>
   * NOTE(review): the time unit of the returned {@code long} is not
   * stated in this interface - confirm.
   *
   * @return Returns the value of the "max-password-age" property.
   */
  long getMaxPasswordAge();



  /**
   * Sets the "max-password-age" property.
   * <p>
   * Specifies the maximum length of time that a user can continue
   * using the same password before it must be changed (that is, the
   * password expiration interval).
   * <p>
   * The value of this attribute is an integer followed by a unit of
   * seconds, minutes, hours, days, or weeks. A value of 0 seconds
   * disables password expiration.
   *
   * @param value The value of the "max-password-age" property.
   * @throws PropertyException
   *           If the new value is invalid.
   */
  void setMaxPasswordAge(Long value) throws PropertyException;



  /**
   * Gets the "max-password-reset-age" property.
   * <p>
   * Specifies the maximum length of time that users have to change
   * passwords after they have been reset by an administrator before
   * they become locked.
   * <p>
   * The value of this attribute is an integer followed by a unit of
   * seconds, minutes, hours, days, or weeks. A value of 0 seconds
   * disables this feature.
   * <p>
   * NOTE(review): the time unit of the returned {@code long} is not
   * stated in this interface - confirm.
   *
   * @return Returns the value of the "max-password-reset-age" property.
   */
  long getMaxPasswordResetAge();



  /**
   * Sets the "max-password-reset-age" property.
   * <p>
   * Specifies the maximum length of time that users have to change
   * passwords after they have been reset by an administrator before
   * they become locked.
   * <p>
   * The value of this attribute is an integer followed by a unit of
   * seconds, minutes, hours, days, or weeks. A value of 0 seconds
   * disables this feature.
   *
   * @param value The value of the "max-password-reset-age" property.
   * @throws PropertyException
   *           If the new value is invalid.
   */
  void setMaxPasswordResetAge(Long value) throws PropertyException;



  /**
   * Gets the "min-password-age" property.
   * <p>
   * Specifies the minimum length of time after a password change
   * before the user is allowed to change the password again.
   * <p>
   * The value of this attribute is an integer followed by a unit of
   * seconds, minutes, hours, days, or weeks. This setting can be used
   * to prevent users from changing their passwords repeatedly over a
   * short period of time to flush an old password from the history so
   * that it can be re-used.
   * <p>
   * NOTE(review): the time unit of the returned {@code long} is not
   * stated in this interface - confirm.
   *
   * @return Returns the value of the "min-password-age" property.
   */
  long getMinPasswordAge();



  /**
   * Sets the "min-password-age" property.
   * <p>
   * Specifies the minimum length of time after a password change
   * before the user is allowed to change the password again.
   * <p>
   * The value of this attribute is an integer followed by a unit of
   * seconds, minutes, hours, days, or weeks. This setting can be used
   * to prevent users from changing their passwords repeatedly over a
   * short period of time to flush an old password from the history so
   * that it can be re-used.
   *
   * @param value The value of the "min-password-age" property.
   * @throws PropertyException
   *           If the new value is invalid.
   */
  void setMinPasswordAge(Long value) throws PropertyException;



  /**
   * Gets the "password-attribute" property.
   * <p>
   * Specifies the attribute type used to hold user passwords.
   * <p>
   * This attribute type must be defined in the server schema, and it
   * must have either the user password or auth password syntax.
   *
   * @return Returns the value of the "password-attribute" property.
   */
  AttributeType getPasswordAttribute();



  /**
   * Sets the "password-attribute" property.
   * <p>
   * Specifies the attribute type used to hold user passwords.
   * <p>
   * This attribute type must be defined in the server schema, and it
   * must have either the user password or auth password syntax.
   *
   * @param value The value of the "password-attribute" property.
   * @throws PropertyException
   *           If the new value is invalid.
   */
  void setPasswordAttribute(AttributeType value) throws PropertyException;



  /**
   * Gets the "password-change-requires-current-password" property.
   * <p>
   * Indicates whether user password changes must use the password
   * modify extended operation and must include the user's current
   * password before the change is allowed.
   *
   * @return Returns the value of the "password-change-requires-current-password" property.
   */
  boolean isPasswordChangeRequiresCurrentPassword();



  /**
   * Sets the "password-change-requires-current-password" property.
   * <p>
   * Indicates whether user password changes must use the password
   * modify extended operation and must include the user's current
   * password before the change is allowed.
   *
   * @param value The value of the "password-change-requires-current-password" property.
   * @throws PropertyException
   *           If the new value is invalid.
   */
  void setPasswordChangeRequiresCurrentPassword(Boolean value) throws PropertyException;



  /**
   * Gets the "password-expiration-warning-interval" property.
   * <p>
   * Specifies the maximum length of time before a user's password
   * actually expires that the server begins to include warning
   * notifications in bind responses for that user.
   * <p>
   * The value of this attribute is an integer followed by a unit of
   * seconds, minutes, hours, days, or weeks. A value of 0 seconds
   * disables the warning interval.
   * <p>
   * NOTE(review): the time unit of the returned {@code long} is not
   * stated in this interface - confirm.
   *
   * @return Returns the value of the "password-expiration-warning-interval" property.
   */
  long getPasswordExpirationWarningInterval();



  /**
   * Sets the "password-expiration-warning-interval" property.
   * <p>
   * Specifies the maximum length of time before a user's password
   * actually expires that the server begins to include warning
   * notifications in bind responses for that user.
   * <p>
   * The value of this attribute is an integer followed by a unit of
   * seconds, minutes, hours, days, or weeks. A value of 0 seconds
   * disables the warning interval.
   *
   * @param value The value of the "password-expiration-warning-interval" property.
   * @throws PropertyException
   *           If the new value is invalid.
   */
  void setPasswordExpirationWarningInterval(Long value) throws PropertyException;



  /**
   * Gets the "password-generator" property.
   * <p>
   * Specifies the name of the password generator that is used with
   * the associated password policy.
   * <p>
   * This is used in conjunction with the password modify extended
   * operation to generate a new password for a user when none was
   * provided in the request.
   *
   * @return Returns the value of the "password-generator" property.
   */
  String getPasswordGenerator();



  /**
   * Sets the "password-generator" property.
   * <p>
   * Specifies the name of the password generator that is used with
   * the associated password policy.
   * <p>
   * This is used in conjunction with the password modify extended
   * operation to generate a new password for a user when none was
   * provided in the request.
   *
   * @param value The value of the "password-generator" property.
   * @throws PropertyException
   *           If the new value is invalid.
   */
  void setPasswordGenerator(String value) throws PropertyException;



  /**
   * Gets the "password-history-count" property.
   * <p>
   * Specifies the maximum number of former passwords to maintain in
   * the password history.
   * <p>
   * When choosing a new password, the proposed password is checked to
   * ensure that it does not match the current password, nor any other
   * password in the history list. A value of zero indicates that
   * either no password history is to be maintained (if the password
   * history duration has a value of zero seconds), or that there is no
   * maximum number of passwords to maintain in the history (if the
   * password history duration has a value greater than zero seconds).
   *
   * @return Returns the value of the "password-history-count" property.
   */
  int getPasswordHistoryCount();



  /**
   * Sets the "password-history-count" property.
   * <p>
   * Specifies the maximum number of former passwords to maintain in
   * the password history.
   * <p>
   * When choosing a new password, the proposed password is checked to
   * ensure that it does not match the current password, nor any other
   * password in the history list. A value of zero indicates that
   * either no password history is to be maintained (if the password
   * history duration has a value of zero seconds), or that there is no
   * maximum number of passwords to maintain in the history (if the
   * password history duration has a value greater than zero seconds).
   *
   * @param value The value of the "password-history-count" property.
   * @throws PropertyException
   *           If the new value is invalid.
   */
  void setPasswordHistoryCount(Integer value) throws PropertyException;



  /**
   * Gets the "password-history-duration" property.
   * <p>
   * Specifies the maximum length of time that passwords remain in the
   * password history.
   * <p>
   * When choosing a new password, the proposed password is checked to
   * ensure that it does not match the current password, nor any other
   * password in the history list. A value of zero seconds indicates
   * that either no password history is to be maintained (if the
   * password history count has a value of zero), or that there is no
   * maximum duration for passwords in the history (if the password
   * history count has a value greater than zero).
   * <p>
   * NOTE(review): the time unit of the returned {@code long} is not
   * stated in this interface - confirm.
   *
   * @return Returns the value of the "password-history-duration" property.
   */
  long getPasswordHistoryDuration();



  /**
   * Sets the "password-history-duration" property.
   * <p>
   * Specifies the maximum length of time that passwords remain in the
   * password history.
   * <p>
   * When choosing a new password, the proposed password is checked to
   * ensure that it does not match the current password, nor any other
   * password in the history list. A value of zero seconds indicates
   * that either no password history is to be maintained (if the
   * password history count has a value of zero), or that there is no
   * maximum duration for passwords in the history (if the password
   * history count has a value greater than zero).
   *
   * @param value The value of the "password-history-duration" property.
   * @throws PropertyException
   *           If the new value is invalid.
   */
  void setPasswordHistoryDuration(Long value) throws PropertyException;



  /**
   * Gets the "password-validator" property.
   * <p>
   * Specifies the names of the password validators that are used with
   * the associated password storage scheme.
   * <p>
   * The password validators are invoked when a user attempts to
   * provide a new password, to determine whether the new password is
   * acceptable.
   * <p>
   * NOTE(review): "password storage scheme" reads like a copy-paste
   * slip for "password policy", since this property is part of the
   * Password Policy configuration - confirm against the property
   * definition.
   *
   * @return Returns the values of the "password-validator" property.
   */
  SortedSet<String> getPasswordValidator();



  /**
   * Sets the "password-validator" property.
   * <p>
   * Specifies the names of the password validators that are used with
   * the associated password storage scheme.
   * <p>
   * The password validators are invoked when a user attempts to
   * provide a new password, to determine whether the new password is
   * acceptable.
   *
   * @param values The values of the "password-validator" property.
   * @throws PropertyException
   *           If one or more of the new values are invalid.
   */
  void setPasswordValidator(Collection<String> values) throws PropertyException;



  /**
   * Gets the "previous-last-login-time-format" property.
   * <p>
   * Specifies the format string(s) that might have been used with the
   * last login time at any point in the past for users associated with
   * the password policy.
   * <p>
   * These values are used to make it possible to parse previous
   * values, but are not used to set new values. The format strings
   * conform to the syntax described in the API documentation for the
   * java.text.SimpleDateFormat class.
   *
   * @return Returns the values of the "previous-last-login-time-format" property.
   */
  SortedSet<String> getPreviousLastLoginTimeFormat();



  /**
   * Sets the "previous-last-login-time-format" property.
   * <p>
   * Specifies the format string(s) that might have been used with the
   * last login time at any point in the past for users associated with
   * the password policy.
   * <p>
   * These values are used to make it possible to parse previous
   * values, but are not used to set new values. The format strings
   * conform to the syntax described in the API documentation for the
   * java.text.SimpleDateFormat class.
   *
   * @param values The values of the "previous-last-login-time-format" property.
   * @throws PropertyException
   *           If one or more of the new values are invalid.
   */
  void setPreviousLastLoginTimeFormat(Collection<String> values) throws PropertyException;



  /**
   * Gets the "require-change-by-time" property.
   * <p>
   * Specifies the time by which all users with the associated
   * password policy must change their passwords.
   * <p>
   * The value is expressed in a generalized time format. If this time
   * is equal to the current time or is in the past, then all users are
   * required to change their passwords immediately. The behavior of
   * the server in this mode is identical to the behavior observed when
   * users are forced to change their passwords after an administrative
   * reset.
   *
   * @return Returns the value of the "require-change-by-time" property.
1048 */ 1049 String getRequireChangeByTime(); 1050 1051 1052 1053 /** 1054 * Sets the "require-change-by-time" property. 1055 * <p> 1056 * Specifies the time by which all users with the associated 1057 * password policy must change their passwords. 1058 * <p> 1059 * The value is expressed in a generalized time format. If this time 1060 * is equal to the current time or is in the past, then all users are 1061 * required to change their passwords immediately. The behavior of 1062 * the server in this mode is identical to the behavior observed when 1063 * users are forced to change their passwords after an administrative 1064 * reset. 1065 * 1066 * @param value The value of the "require-change-by-time" property. 1067 * @throws PropertyException 1068 * If the new value is invalid. 1069 */ 1070 void setRequireChangeByTime(String value) throws PropertyException; 1071 1072 1073 1074 /** 1075 * Gets the "require-secure-authentication" property. 1076 * <p> 1077 * Indicates whether users with the associated password policy are 1078 * required to authenticate in a secure manner. 1079 * <p> 1080 * This might mean either using a secure communication channel 1081 * between the client and the server, or using a SASL mechanism that 1082 * does not expose the credentials. 1083 * 1084 * @return Returns the value of the "require-secure-authentication" property. 1085 */ 1086 boolean isRequireSecureAuthentication(); 1087 1088 1089 1090 /** 1091 * Sets the "require-secure-authentication" property. 1092 * <p> 1093 * Indicates whether users with the associated password policy are 1094 * required to authenticate in a secure manner. 1095 * <p> 1096 * This might mean either using a secure communication channel 1097 * between the client and the server, or using a SASL mechanism that 1098 * does not expose the credentials. 1099 * 1100 * @param value The value of the "require-secure-authentication" property. 1101 * @throws PropertyException 1102 * If the new value is invalid. 
1103 */ 1104 void setRequireSecureAuthentication(Boolean value) throws PropertyException; 1105 1106 1107 1108 /** 1109 * Gets the "require-secure-password-changes" property. 1110 * <p> 1111 * Indicates whether users with the associated password policy are 1112 * required to change their password in a secure manner that does not 1113 * expose the credentials. 1114 * 1115 * @return Returns the value of the "require-secure-password-changes" property. 1116 */ 1117 boolean isRequireSecurePasswordChanges(); 1118 1119 1120 1121 /** 1122 * Sets the "require-secure-password-changes" property. 1123 * <p> 1124 * Indicates whether users with the associated password policy are 1125 * required to change their password in a secure manner that does not 1126 * expose the credentials. 1127 * 1128 * @param value The value of the "require-secure-password-changes" property. 1129 * @throws PropertyException 1130 * If the new value is invalid. 1131 */ 1132 void setRequireSecurePasswordChanges(Boolean value) throws PropertyException; 1133 1134 1135 1136 /** 1137 * Gets the "skip-validation-for-administrators" property. 1138 * <p> 1139 * Indicates whether passwords set by administrators are allowed to 1140 * bypass the password validation process that is required for user 1141 * password changes. 1142 * 1143 * @return Returns the value of the "skip-validation-for-administrators" property. 1144 */ 1145 boolean isSkipValidationForAdministrators(); 1146 1147 1148 1149 /** 1150 * Sets the "skip-validation-for-administrators" property. 1151 * <p> 1152 * Indicates whether passwords set by administrators are allowed to 1153 * bypass the password validation process that is required for user 1154 * password changes. 1155 * 1156 * @param value The value of the "skip-validation-for-administrators" property. 1157 * @throws PropertyException 1158 * If the new value is invalid. 
1159 */ 1160 void setSkipValidationForAdministrators(Boolean value) throws PropertyException; 1161 1162 1163 1164 /** 1165 * Gets the "state-update-failure-policy" property. 1166 * <p> 1167 * Specifies how the server deals with the inability to update 1168 * password policy state information during an authentication 1169 * attempt. 1170 * <p> 1171 * In particular, this property can be used to control whether an 1172 * otherwise successful bind operation fails if a failure occurs 1173 * while attempting to update password policy state information (for 1174 * example, to clear a record of previous authentication failures or 1175 * to update the last login time). It can also be used to control 1176 * whether to reject a bind request if it is known ahead of time that 1177 * it will not be possible to update the authentication failure times 1178 * in the event of an unsuccessful bind attempt (for example, if the 1179 * backend writability mode is disabled). 1180 * 1181 * @return Returns the value of the "state-update-failure-policy" property. 1182 */ 1183 StateUpdateFailurePolicy getStateUpdateFailurePolicy(); 1184 1185 1186 1187 /** 1188 * Sets the "state-update-failure-policy" property. 1189 * <p> 1190 * Specifies how the server deals with the inability to update 1191 * password policy state information during an authentication 1192 * attempt. 1193 * <p> 1194 * In particular, this property can be used to control whether an 1195 * otherwise successful bind operation fails if a failure occurs 1196 * while attempting to update password policy state information (for 1197 * example, to clear a record of previous authentication failures or 1198 * to update the last login time). It can also be used to control 1199 * whether to reject a bind request if it is known ahead of time that 1200 * it will not be possible to update the authentication failure times 1201 * in the event of an unsuccessful bind attempt (for example, if the 1202 * backend writability mode is disabled). 
1203 * 1204 * @param value The value of the "state-update-failure-policy" property. 1205 * @throws PropertyException 1206 * If the new value is invalid. 1207 */ 1208 void setStateUpdateFailurePolicy(StateUpdateFailurePolicy value) throws PropertyException; 1209 1210}