001/*
002 * The contents of this file are subject to the terms of the Common Development and
003 * Distribution License (the License). You may not use this file except in compliance with the
004 * License.
005 *
006 * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
007 * specific language governing permission and limitations under the License.
008 *
009 * When distributing Covered Software, include this CDDL Header Notice in each file and include
010 * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
011 * Header, with the fields enclosed by brackets [] replaced by your own identifying
012 * information: "Portions Copyright [year] [name of copyright owner]".
013 *
014 * Copyright 2008 Sun Microsystems, Inc.
015 */
016package org.forgerock.opendj.server.config.server;
017
018
019
020import java.util.SortedSet;
021import org.forgerock.opendj.config.server.ConfigurationChangeListener;
022import org.forgerock.opendj.ldap.DN;
023import org.forgerock.opendj.ldap.schema.AttributeType;
024import org.forgerock.opendj.server.config.meta.PasswordPolicyCfgDefn.StateUpdateFailurePolicy;
025
026
027
028/**
029 * A server-side interface for querying Password Policy settings.
030 * <p>
031 * Password Policies define a number of password management rules, as
032 * well as requirements for authentication processing.
033 */
034public interface PasswordPolicyCfg extends AuthenticationPolicyCfg {
035
036  /**
037   * Gets the configuration class associated with this Password Policy.
038   *
039   * @return Returns the configuration class associated with this Password Policy.
040   */
041  Class<? extends PasswordPolicyCfg> configurationClass();
042
043
044
045  /**
046   * Register to be notified when this Password Policy is changed.
047   *
048   * @param listener
049   *          The Password Policy configuration change listener.
050   */
051  void addPasswordPolicyChangeListener(ConfigurationChangeListener<PasswordPolicyCfg> listener);
052
053
054
055  /**
056   * Deregister an existing Password Policy configuration change listener.
057   *
058   * @param listener
059   *          The Password Policy configuration change listener.
060   */
061  void removePasswordPolicyChangeListener(ConfigurationChangeListener<PasswordPolicyCfg> listener);
062
063
064
065  /**
066   * Gets the "account-status-notification-handler" property.
067   * <p>
068   * Specifies the names of the account status notification handlers
069   * that are used with the associated password storage scheme.
070   *
071   * @return Returns an unmodifiable set containing the values of the "account-status-notification-handler" property.
072   */
073  SortedSet<String> getAccountStatusNotificationHandler();
074
075
076
077  /**
078   * Gets the "account-status-notification-handler" property as a set
079   * of DNs.
080   * <p>
081   * Specifies the names of the account status notification handlers
082   * that are used with the associated password storage scheme.
083   *
084   * @return Returns the DN values of the
085   *         "account-status-notification-handler" property.
086   */
087  SortedSet<DN> getAccountStatusNotificationHandlerDNs();
088
089
090
091  /**
092   * Gets the "allow-expired-password-changes" property.
093   * <p>
094   * Indicates whether a user whose password is expired is still
095   * allowed to change that password using the password modify extended
096   * operation.
097   *
098   * @return Returns the value of the "allow-expired-password-changes" property.
099   */
100  boolean isAllowExpiredPasswordChanges();
101
102
103
104  /**
105   * Gets the "allow-multiple-password-values" property.
106   * <p>
107   * Indicates whether user entries can have multiple distinct values
108   * for the password attribute.
109   * <p>
110   * This is potentially dangerous because many mechanisms used to
111   * change the password do not work well with such a configuration. If
112   * multiple password values are allowed, then any of them can be used
113   * to authenticate, and they are all subject to the same policy
114   * constraints.
115   *
116   * @return Returns the value of the "allow-multiple-password-values" property.
117   */
118  boolean isAllowMultiplePasswordValues();
119
120
121
122  /**
123   * Gets the "allow-pre-encoded-passwords" property.
124   * <p>
125   * Indicates whether users can change their passwords by providing a
126   * pre-encoded value.
127   * <p>
128   * This can cause a security risk because the clear-text version of
129   * the password is not known and therefore validation checks cannot
130   * be applied to it.
131   *
132   * @return Returns the value of the "allow-pre-encoded-passwords" property.
133   */
134  boolean isAllowPreEncodedPasswords();
135
136
137
138  /**
139   * Gets the "allow-user-password-changes" property.
140   * <p>
141   * Indicates whether users can change their own passwords.
142   * <p>
143   * This check is made in addition to access control evaluation. Both
144   * must allow the password change for it to occur.
145   *
146   * @return Returns the value of the "allow-user-password-changes" property.
147   */
148  boolean isAllowUserPasswordChanges();
149
150
151
152  /**
153   * Gets the "default-password-storage-scheme" property.
154   * <p>
155   * Specifies the names of the password storage schemes that are used
156   * to encode clear-text passwords for this password policy.
157   *
158   * @return Returns an unmodifiable set containing the values of the "default-password-storage-scheme" property.
159   */
160  SortedSet<String> getDefaultPasswordStorageScheme();
161
162
163
164  /**
165   * Gets the "default-password-storage-scheme" property as a set of
166   * DNs.
167   * <p>
168   * Specifies the names of the password storage schemes that are used
169   * to encode clear-text passwords for this password policy.
170   *
171   * @return Returns the DN values of the
172   *         "default-password-storage-scheme" property.
173   */
174  SortedSet<DN> getDefaultPasswordStorageSchemeDNs();
175
176
177
178  /**
179   * Gets the "deprecated-password-storage-scheme" property.
180   * <p>
181   * Specifies the names of the password storage schemes that are
182   * considered deprecated for this password policy.
183   * <p>
184   * If a user with this password policy authenticates to the server
185   * and his/her password is encoded with a deprecated scheme, those
186   * values are removed and replaced with values encoded using the
187   * default password storage scheme(s).
188   *
189   * @return Returns an unmodifiable set containing the values of the "deprecated-password-storage-scheme" property.
190   */
191  SortedSet<String> getDeprecatedPasswordStorageScheme();
192
193
194
195  /**
196   * Gets the "deprecated-password-storage-scheme" property as a set
197   * of DNs.
198   * <p>
199   * Specifies the names of the password storage schemes that are
200   * considered deprecated for this password policy.
201   * <p>
202   * If a user with this password policy authenticates to the server
203   * and his/her password is encoded with a deprecated scheme, those
204   * values are removed and replaced with values encoded using the
205   * default password storage scheme(s).
206   *
207   * @return Returns the DN values of the
208   *         "deprecated-password-storage-scheme" property.
209   */
210  SortedSet<DN> getDeprecatedPasswordStorageSchemeDNs();
211
212
213
214  /**
215   * Gets the "expire-passwords-without-warning" property.
216   * <p>
217   * Indicates whether the directory server allows a user's password
218   * to expire even if that user has never seen an expiration warning
219   * notification.
220   * <p>
221   * If this property is true, accounts always expire when the
222   * expiration time arrives. If this property is false or disabled,
223   * the user always receives at least one warning notification, and
224   * the password expiration is set to the warning time plus the
225   * warning interval.
226   *
227   * @return Returns the value of the "expire-passwords-without-warning" property.
228   */
229  boolean isExpirePasswordsWithoutWarning();
230
231
232
233  /**
234   * Gets the "force-change-on-add" property.
235   * <p>
236   * Indicates whether users are forced to change their passwords upon
237   * first authenticating to the directory server after their account
238   * has been created.
239   *
240   * @return Returns the value of the "force-change-on-add" property.
241   */
242  boolean isForceChangeOnAdd();
243
244
245
246  /**
247   * Gets the "force-change-on-reset" property.
248   * <p>
249   * Indicates whether users are forced to change their passwords if
250   * they are reset by an administrator.
251   * <p>
252   * For this purpose, anyone with permission to change a given user's
253   * password other than that user is considered an administrator.
254   *
255   * @return Returns the value of the "force-change-on-reset" property.
256   */
257  boolean isForceChangeOnReset();
258
259
260
261  /**
262   * Gets the "grace-login-count" property.
263   * <p>
264   * Specifies the number of grace logins that a user is allowed after
265   * the account has expired to allow that user to choose a new
266   * password.
267   * <p>
268   * A value of 0 indicates that no grace logins are allowed.
269   *
270   * @return Returns the value of the "grace-login-count" property.
271   */
272  int getGraceLoginCount();
273
274
275
276  /**
277   * Gets the "idle-lockout-interval" property.
278   * <p>
279   * Specifies the maximum length of time that an account may remain
280   * idle (that is, the associated user does not authenticate to the
281   * server) before that user is locked out.
282   * <p>
283   * The value of this attribute is an integer followed by a unit of
284   * seconds, minutes, hours, days, or weeks. A value of 0 seconds
285   * indicates that idle accounts are not automatically locked out.
286   * This feature is available only if the last login time is
287   * maintained.
288   *
289   * @return Returns the value of the "idle-lockout-interval" property.
290   */
291  long getIdleLockoutInterval();
292
293
294
295  /**
296   * Gets the "java-class" property.
297   * <p>
298   * Specifies the fully-qualified name of the Java class which
299   * provides the Password Policy implementation.
300   *
301   * @return Returns the value of the "java-class" property.
302   */
303  String getJavaClass();
304
305
306
307  /**
308   * Gets the "last-login-time-attribute" property.
309   * <p>
310   * Specifies the name or OID of the attribute type that is used to
311   * hold the last login time for users with the associated password
312   * policy.
313   * <p>
314   * This attribute type must be defined in the directory server
315   * schema and must either be defined as an operational attribute or
316   * must be allowed by the set of objectClasses for all users with the
317   * associated password policy.
318   *
319   * @return Returns the value of the "last-login-time-attribute" property.
320   */
321  AttributeType getLastLoginTimeAttribute();
322
323
324
325  /**
326   * Gets the "last-login-time-format" property.
327   * <p>
328   * Specifies the format string that is used to generate the last
329   * login time value for users with the associated password policy.
330   * <p>
331   * This format string conforms to the syntax described in the API
332   * documentation for the java.text.SimpleDateFormat class.
333   *
334   * @return Returns the value of the "last-login-time-format" property.
335   */
336  String getLastLoginTimeFormat();
337
338
339
340  /**
341   * Gets the "lockout-duration" property.
342   * <p>
343   * Specifies the length of time that an account is locked after too
344   * many authentication failures.
345   * <p>
346   * The value of this attribute is an integer followed by a unit of
347   * seconds, minutes, hours, days, or weeks. A value of 0 seconds
348   * indicates that the account must remain locked until an
349   * administrator resets the password.
350   *
351   * @return Returns the value of the "lockout-duration" property.
352   */
353  long getLockoutDuration();
354
355
356
357  /**
358   * Gets the "lockout-failure-count" property.
359   * <p>
360   * Specifies the maximum number of authentication failures that a
361   * user is allowed before the account is locked out.
362   * <p>
363   * A value of 0 indicates that accounts are never locked out due to
364   * failed attempts.
365   *
366   * @return Returns the value of the "lockout-failure-count" property.
367   */
368  int getLockoutFailureCount();
369
370
371
372  /**
373   * Gets the "lockout-failure-expiration-interval" property.
374   * <p>
375   * Specifies the length of time before an authentication failure is
376   * no longer counted against a user for the purposes of account
377   * lockout.
378   * <p>
379   * The value of this attribute is an integer followed by a unit of
380   * seconds, minutes, hours, days, or weeks. A value of 0 seconds
381   * indicates that the authentication failures must never expire. The
382   * failure count is always cleared upon a successful authentication.
383   *
384   * @return Returns the value of the "lockout-failure-expiration-interval" property.
385   */
386  long getLockoutFailureExpirationInterval();
387
388
389
390  /**
391   * Gets the "max-password-age" property.
392   * <p>
393   * Specifies the maximum length of time that a user can continue
394   * using the same password before it must be changed (that is, the
395   * password expiration interval).
396   * <p>
397   * The value of this attribute is an integer followed by a unit of
398   * seconds, minutes, hours, days, or weeks. A value of 0 seconds
399   * disables password expiration.
400   *
401   * @return Returns the value of the "max-password-age" property.
402   */
403  long getMaxPasswordAge();
404
405
406
407  /**
408   * Gets the "max-password-reset-age" property.
409   * <p>
410   * Specifies the maximum length of time that users have to change
411   * passwords after they have been reset by an administrator before
412   * they become locked.
413   * <p>
414   * The value of this attribute is an integer followed by a unit of
415   * seconds, minutes, hours, days, or weeks. A value of 0 seconds
416   * disables this feature.
417   *
418   * @return Returns the value of the "max-password-reset-age" property.
419   */
420  long getMaxPasswordResetAge();
421
422
423
424  /**
425   * Gets the "min-password-age" property.
426   * <p>
427   * Specifies the minimum length of time after a password change
428   * before the user is allowed to change the password again.
429   * <p>
430   * The value of this attribute is an integer followed by a unit of
431   * seconds, minutes, hours, days, or weeks. This setting can be used
432   * to prevent users from changing their passwords repeatedly over a
433   * short period of time to flush an old password from the history so
434   * that it can be re-used.
435   *
436   * @return Returns the value of the "min-password-age" property.
437   */
438  long getMinPasswordAge();
439
440
441
442  /**
443   * Gets the "password-attribute" property.
444   * <p>
445   * Specifies the attribute type used to hold user passwords.
446   * <p>
447   * This attribute type must be defined in the server schema, and it
448   * must have either the user password or auth password syntax.
449   *
450   * @return Returns the value of the "password-attribute" property.
451   */
452  AttributeType getPasswordAttribute();
453
454
455
456  /**
457   * Gets the "password-change-requires-current-password" property.
458   * <p>
459   * Indicates whether user password changes must use the password
460   * modify extended operation and must include the user's current
461   * password before the change is allowed.
462   *
463   * @return Returns the value of the "password-change-requires-current-password" property.
464   */
465  boolean isPasswordChangeRequiresCurrentPassword();
466
467
468
469  /**
470   * Gets the "password-expiration-warning-interval" property.
471   * <p>
472   * Specifies the maximum length of time before a user's password
473   * actually expires that the server begins to include warning
474   * notifications in bind responses for that user.
475   * <p>
476   * The value of this attribute is an integer followed by a unit of
477   * seconds, minutes, hours, days, or weeks. A value of 0 seconds
478   * disables the warning interval.
479   *
480   * @return Returns the value of the "password-expiration-warning-interval" property.
481   */
482  long getPasswordExpirationWarningInterval();
483
484
485
486  /**
487   * Gets the "password-generator" property.
488   * <p>
489   * Specifies the name of the password generator that is used with
490   * the associated password policy.
491   * <p>
492   * This is used in conjunction with the password modify extended
493   * operation to generate a new password for a user when none was
494   * provided in the request.
495   *
496   * @return Returns the value of the "password-generator" property.
497   */
498  String getPasswordGenerator();
499
500
501
502  /**
503   * Gets the "password-generator" property as a DN.
504   * <p>
505   * Specifies the name of the password generator that is used with
506   * the associated password policy.
507   * <p>
508   * This is used in conjunction with the password modify extended
509   * operation to generate a new password for a user when none was
510   * provided in the request.
511   *
512   * @return Returns the DN value of the "password-generator"
513   *         property.
514   */
515  DN getPasswordGeneratorDN();
516
517
518
519  /**
520   * Gets the "password-history-count" property.
521   * <p>
522   * Specifies the maximum number of former passwords to maintain in
523   * the password history.
524   * <p>
525   * When choosing a new password, the proposed password is checked to
526   * ensure that it does not match the current password, nor any other
527   * password in the history list. A value of zero indicates that
528   * either no password history is to be maintained (if the password
529   * history duration has a value of zero seconds), or that there is no
530   * maximum number of passwords to maintain in the history (if the
531   * password history duration has a value greater than zero seconds).
532   *
533   * @return Returns the value of the "password-history-count" property.
534   */
535  int getPasswordHistoryCount();
536
537
538
539  /**
540   * Gets the "password-history-duration" property.
541   * <p>
542   * Specifies the maximum length of time that passwords remain in the
543   * password history.
544   * <p>
545   * When choosing a new password, the proposed password is checked to
546   * ensure that it does not match the current password, nor any other
547   * password in the history list. A value of zero seconds indicates
548   * that either no password history is to be maintained (if the
549   * password history count has a value of zero), or that there is no
550   * maximum duration for passwords in the history (if the password
551   * history count has a value greater than zero).
552   *
553   * @return Returns the value of the "password-history-duration" property.
554   */
555  long getPasswordHistoryDuration();
556
557
558
559  /**
560   * Gets the "password-validator" property.
561   * <p>
562   * Specifies the names of the password validators that are used with
563   * the associated password storage scheme.
564   * <p>
565   * The password validators are invoked when a user attempts to
566   * provide a new password, to determine whether the new password is
567   * acceptable.
568   *
569   * @return Returns an unmodifiable set containing the values of the "password-validator" property.
570   */
571  SortedSet<String> getPasswordValidator();
572
573
574
575  /**
576   * Gets the "password-validator" property as a set of DNs.
577   * <p>
578   * Specifies the names of the password validators that are used with
579   * the associated password storage scheme.
580   * <p>
581   * The password validators are invoked when a user attempts to
582   * provide a new password, to determine whether the new password is
583   * acceptable.
584   *
585   * @return Returns the DN values of the "password-validator"
586   *         property.
587   */
588  SortedSet<DN> getPasswordValidatorDNs();
589
590
591
592  /**
593   * Gets the "previous-last-login-time-format" property.
594   * <p>
595   * Specifies the format string(s) that might have been used with the
596   * last login time at any point in the past for users associated with
597   * the password policy.
598   * <p>
599   * These values are used to make it possible to parse previous
600   * values, but are not used to set new values. The format strings
601   * conform to the syntax described in the API documentation for the
602   * java.text.SimpleDateFormat class.
603   *
604   * @return Returns an unmodifiable set containing the values of the "previous-last-login-time-format" property.
605   */
606  SortedSet<String> getPreviousLastLoginTimeFormat();
607
608
609
610  /**
611   * Gets the "require-change-by-time" property.
612   * <p>
613   * Specifies the time by which all users with the associated
614   * password policy must change their passwords.
615   * <p>
616   * The value is expressed in a generalized time format. If this time
617   * is equal to the current time or is in the past, then all users are
618   * required to change their passwords immediately. The behavior of
619   * the server in this mode is identical to the behavior observed when
620   * users are forced to change their passwords after an administrative
621   * reset.
622   *
623   * @return Returns the value of the "require-change-by-time" property.
624   */
625  String getRequireChangeByTime();
626
627
628
629  /**
630   * Gets the "require-secure-authentication" property.
631   * <p>
632   * Indicates whether users with the associated password policy are
633   * required to authenticate in a secure manner.
634   * <p>
635   * This might mean either using a secure communication channel
636   * between the client and the server, or using a SASL mechanism that
637   * does not expose the credentials.
638   *
639   * @return Returns the value of the "require-secure-authentication" property.
640   */
641  boolean isRequireSecureAuthentication();
642
643
644
645  /**
646   * Gets the "require-secure-password-changes" property.
647   * <p>
648   * Indicates whether users with the associated password policy are
649   * required to change their password in a secure manner that does not
650   * expose the credentials.
651   *
652   * @return Returns the value of the "require-secure-password-changes" property.
653   */
654  boolean isRequireSecurePasswordChanges();
655
656
657
658  /**
659   * Gets the "skip-validation-for-administrators" property.
660   * <p>
661   * Indicates whether passwords set by administrators are allowed to
662   * bypass the password validation process that is required for user
663   * password changes.
664   *
665   * @return Returns the value of the "skip-validation-for-administrators" property.
666   */
667  boolean isSkipValidationForAdministrators();
668
669
670
671  /**
672   * Gets the "state-update-failure-policy" property.
673   * <p>
674   * Specifies how the server deals with the inability to update
675   * password policy state information during an authentication
676   * attempt.
677   * <p>
678   * In particular, this property can be used to control whether an
679   * otherwise successful bind operation fails if a failure occurs
680   * while attempting to update password policy state information (for
681   * example, to clear a record of previous authentication failures or
682   * to update the last login time). It can also be used to control
683   * whether to reject a bind request if it is known ahead of time that
684   * it will not be possible to update the authentication failure times
685   * in the event of an unsuccessful bind attempt (for example, if the
686   * backend writability mode is disabled).
687   *
688   * @return Returns the value of the "state-update-failure-policy" property.
689   */
690  StateUpdateFailurePolicy getStateUpdateFailurePolicy();
691
692}