001/* 002 * The contents of this file are subject to the terms of the Common Development and 003 * Distribution License (the License). You may not use this file except in compliance with the 004 * License. 005 * 006 * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the 007 * specific language governing permission and limitations under the License. 008 * 009 * When distributing Covered Software, include this CDDL Header Notice in each file and include 010 * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL 011 * Header, with the fields enclosed by brackets [] replaced by your own identifying 012 * information: "Portions Copyright [year] [name of copyright owner]". 013 * 014 * Copyright 2008 Sun Microsystems, Inc. 015 */ 016package org.forgerock.opendj.server.config.server; 017 018 019 020import java.util.SortedSet; 021import org.forgerock.opendj.config.server.ConfigurationChangeListener; 022import org.forgerock.opendj.ldap.DN; 023import org.forgerock.opendj.ldap.schema.AttributeType; 024import org.forgerock.opendj.server.config.meta.PasswordPolicyCfgDefn.StateUpdateFailurePolicy; 025 026 027 028/** 029 * A server-side interface for querying Password Policy settings. 030 * <p> 031 * Password Policies define a number of password management rules, as 032 * well as requirements for authentication processing. 033 */ 034public interface PasswordPolicyCfg extends AuthenticationPolicyCfg { 035 036 /** 037 * Gets the configuration class associated with this Password Policy. 038 * 039 * @return Returns the configuration class associated with this Password Policy. 040 */ 041 Class<? extends PasswordPolicyCfg> configurationClass(); 042 043 044 045 /** 046 * Register to be notified when this Password Policy is changed. 047 * 048 * @param listener 049 * The Password Policy configuration change listener. 050 */ 051 void addPasswordPolicyChangeListener(ConfigurationChangeListener<PasswordPolicyCfg> listener); 052 053 054 055 /** 056 * Deregister an existing Password Policy configuration change listener. 057 * 058 * @param listener 059 * The Password Policy configuration change listener. 060 */ 061 void removePasswordPolicyChangeListener(ConfigurationChangeListener<PasswordPolicyCfg> listener); 062 063 064 065 /** 066 * Gets the "account-status-notification-handler" property. 067 * <p> 068 * Specifies the names of the account status notification handlers 069 * that are used with the associated password storage scheme. 070 * 071 * @return Returns an unmodifiable set containing the values of the "account-status-notification-handler" property. 072 */ 073 SortedSet<String> getAccountStatusNotificationHandler(); 074 075 076 077 /** 078 * Gets the "account-status-notification-handler" property as a set 079 * of DNs. 080 * <p> 081 * Specifies the names of the account status notification handlers 082 * that are used with the associated password storage scheme. 083 * 084 * @return Returns the DN values of the 085 * "account-status-notification-handler" property. 086 */ 087 SortedSet<DN> getAccountStatusNotificationHandlerDNs(); 088 089 090 091 /** 092 * Gets the "allow-expired-password-changes" property. 093 * <p> 094 * Indicates whether a user whose password is expired is still 095 * allowed to change that password using the password modify extended 096 * operation. 097 * 098 * @return Returns the value of the "allow-expired-password-changes" property. 099 */ 100 boolean isAllowExpiredPasswordChanges(); 101 102 103 104 /** 105 * Gets the "allow-multiple-password-values" property. 106 * <p> 107 * Indicates whether user entries can have multiple distinct values 108 * for the password attribute. 109 * <p> 110 * This is potentially dangerous because many mechanisms used to 111 * change the password do not work well with such a configuration. If 112 * multiple password values are allowed, then any of them can be used 113 * to authenticate, and they are all subject to the same policy 114 * constraints. 115 * 116 * @return Returns the value of the "allow-multiple-password-values" property. 117 */ 118 boolean isAllowMultiplePasswordValues(); 119 120 121 122 /** 123 * Gets the "allow-pre-encoded-passwords" property. 124 * <p> 125 * Indicates whether users can change their passwords by providing a 126 * pre-encoded value. 127 * <p> 128 * This can cause a security risk because the clear-text version of 129 * the password is not known and therefore validation checks cannot 130 * be applied to it. 131 * 132 * @return Returns the value of the "allow-pre-encoded-passwords" property. 133 */ 134 boolean isAllowPreEncodedPasswords(); 135 136 137 138 /** 139 * Gets the "allow-user-password-changes" property. 140 * <p> 141 * Indicates whether users can change their own passwords. 142 * <p> 143 * This check is made in addition to access control evaluation. Both 144 * must allow the password change for it to occur. 145 * 146 * @return Returns the value of the "allow-user-password-changes" property. 147 */ 148 boolean isAllowUserPasswordChanges(); 149 150 151 152 /** 153 * Gets the "default-password-storage-scheme" property. 154 * <p> 155 * Specifies the names of the password storage schemes that are used 156 * to encode clear-text passwords for this password policy. 157 * 158 * @return Returns an unmodifiable set containing the values of the "default-password-storage-scheme" property. 159 */ 160 SortedSet<String> getDefaultPasswordStorageScheme(); 161 162 163 164 /** 165 * Gets the "default-password-storage-scheme" property as a set of 166 * DNs. 167 * <p> 168 * Specifies the names of the password storage schemes that are used 169 * to encode clear-text passwords for this password policy. 170 * 171 * @return Returns the DN values of the 172 * "default-password-storage-scheme" property. 173 */ 174 SortedSet<DN> getDefaultPasswordStorageSchemeDNs(); 175 176 177 178 /** 179 * Gets the "deprecated-password-storage-scheme" property. 180 * <p> 181 * Specifies the names of the password storage schemes that are 182 * considered deprecated for this password policy. 183 * <p> 184 * If a user with this password policy authenticates to the server 185 * and his/her password is encoded with a deprecated scheme, those 186 * values are removed and replaced with values encoded using the 187 * default password storage scheme(s). 188 * 189 * @return Returns an unmodifiable set containing the values of the "deprecated-password-storage-scheme" property. 190 */ 191 SortedSet<String> getDeprecatedPasswordStorageScheme(); 192 193 194 195 /** 196 * Gets the "deprecated-password-storage-scheme" property as a set 197 * of DNs. 198 * <p> 199 * Specifies the names of the password storage schemes that are 200 * considered deprecated for this password policy. 201 * <p> 202 * If a user with this password policy authenticates to the server 203 * and his/her password is encoded with a deprecated scheme, those 204 * values are removed and replaced with values encoded using the 205 * default password storage scheme(s). 206 * 207 * @return Returns the DN values of the 208 * "deprecated-password-storage-scheme" property. 209 */ 210 SortedSet<DN> getDeprecatedPasswordStorageSchemeDNs(); 211 212 213 214 /** 215 * Gets the "expire-passwords-without-warning" property. 216 * <p> 217 * Indicates whether the directory server allows a user's password 218 * to expire even if that user has never seen an expiration warning 219 * notification. 220 * <p> 221 * If this property is true, accounts always expire when the 222 * expiration time arrives. If this property is false or disabled, 223 * the user always receives at least one warning notification, and 224 * the password expiration is set to the warning time plus the 225 * warning interval. 226 * 227 * @return Returns the value of the "expire-passwords-without-warning" property. 228 */ 229 boolean isExpirePasswordsWithoutWarning(); 230 231 232 233 /** 234 * Gets the "force-change-on-add" property. 235 * <p> 236 * Indicates whether users are forced to change their passwords upon 237 * first authenticating to the directory server after their account 238 * has been created. 239 * 240 * @return Returns the value of the "force-change-on-add" property. 241 */ 242 boolean isForceChangeOnAdd(); 243 244 245 246 /** 247 * Gets the "force-change-on-reset" property. 248 * <p> 249 * Indicates whether users are forced to change their passwords if 250 * they are reset by an administrator. 251 * <p> 252 * For this purpose, anyone with permission to change a given user's 253 * password other than that user is considered an administrator. 254 * 255 * @return Returns the value of the "force-change-on-reset" property. 256 */ 257 boolean isForceChangeOnReset(); 258 259 260 261 /** 262 * Gets the "grace-login-count" property. 263 * <p> 264 * Specifies the number of grace logins that a user is allowed after 265 * the account has expired to allow that user to choose a new 266 * password. 267 * <p> 268 * A value of 0 indicates that no grace logins are allowed. 269 * 270 * @return Returns the value of the "grace-login-count" property. 271 */ 272 int getGraceLoginCount(); 273 274 275 276 /** 277 * Gets the "idle-lockout-interval" property. 278 * <p> 279 * Specifies the maximum length of time that an account may remain 280 * idle (that is, the associated user does not authenticate to the 281 * server) before that user is locked out. 282 * <p> 283 * The value of this attribute is an integer followed by a unit of 284 * seconds, minutes, hours, days, or weeks. A value of 0 seconds 285 * indicates that idle accounts are not automatically locked out. 286 * This feature is available only if the last login time is 287 * maintained. 288 * 289 * @return Returns the value of the "idle-lockout-interval" property. 290 */ 291 long getIdleLockoutInterval(); 292 293 294 295 /** 296 * Gets the "java-class" property. 297 * <p> 298 * Specifies the fully-qualified name of the Java class which 299 * provides the Password Policy implementation. 300 * 301 * @return Returns the value of the "java-class" property. 302 */ 303 String getJavaClass(); 304 305 306 307 /** 308 * Gets the "last-login-time-attribute" property. 309 * <p> 310 * Specifies the name or OID of the attribute type that is used to 311 * hold the last login time for users with the associated password 312 * policy. 313 * <p> 314 * This attribute type must be defined in the directory server 315 * schema and must either be defined as an operational attribute or 316 * must be allowed by the set of objectClasses for all users with the 317 * associated password policy. 318 * 319 * @return Returns the value of the "last-login-time-attribute" property. 320 */ 321 AttributeType getLastLoginTimeAttribute(); 322 323 324 325 /** 326 * Gets the "last-login-time-format" property. 327 * <p> 328 * Specifies the format string that is used to generate the last 329 * login time value for users with the associated password policy. 330 * <p> 331 * This format string conforms to the syntax described in the API 332 * documentation for the java.text.SimpleDateFormat class. 333 * 334 * @return Returns the value of the "last-login-time-format" property. 335 */ 336 String getLastLoginTimeFormat(); 337 338 339 340 /** 341 * Gets the "lockout-duration" property. 342 * <p> 343 * Specifies the length of time that an account is locked after too 344 * many authentication failures. 345 * <p> 346 * The value of this attribute is an integer followed by a unit of 347 * seconds, minutes, hours, days, or weeks. A value of 0 seconds 348 * indicates that the account must remain locked until an 349 * administrator resets the password. 350 * 351 * @return Returns the value of the "lockout-duration" property. 352 */ 353 long getLockoutDuration(); 354 355 356 357 /** 358 * Gets the "lockout-failure-count" property. 359 * <p> 360 * Specifies the maximum number of authentication failures that a 361 * user is allowed before the account is locked out. 362 * <p> 363 * A value of 0 indicates that accounts are never locked out due to 364 * failed attempts. 365 * 366 * @return Returns the value of the "lockout-failure-count" property. 367 */ 368 int getLockoutFailureCount(); 369 370 371 372 /** 373 * Gets the "lockout-failure-expiration-interval" property. 374 * <p> 375 * Specifies the length of time before an authentication failure is 376 * no longer counted against a user for the purposes of account 377 * lockout. 378 * <p> 379 * The value of this attribute is an integer followed by a unit of 380 * seconds, minutes, hours, days, or weeks. A value of 0 seconds 381 * indicates that the authentication failures must never expire. The 382 * failure count is always cleared upon a successful authentication. 383 * 384 * @return Returns the value of the "lockout-failure-expiration-interval" property. 385 */ 386 long getLockoutFailureExpirationInterval(); 387 388 389 390 /** 391 * Gets the "max-password-age" property. 392 * <p> 393 * Specifies the maximum length of time that a user can continue 394 * using the same password before it must be changed (that is, the 395 * password expiration interval). 396 * <p> 397 * The value of this attribute is an integer followed by a unit of 398 * seconds, minutes, hours, days, or weeks. A value of 0 seconds 399 * disables password expiration. 400 * 401 * @return Returns the value of the "max-password-age" property. 402 */ 403 long getMaxPasswordAge(); 404 405 406 407 /** 408 * Gets the "max-password-reset-age" property. 409 * <p> 410 * Specifies the maximum length of time that users have to change 411 * passwords after they have been reset by an administrator before 412 * they become locked. 413 * <p> 414 * The value of this attribute is an integer followed by a unit of 415 * seconds, minutes, hours, days, or weeks. A value of 0 seconds 416 * disables this feature. 417 * 418 * @return Returns the value of the "max-password-reset-age" property. 419 */ 420 long getMaxPasswordResetAge(); 421 422 423 424 /** 425 * Gets the "min-password-age" property. 426 * <p> 427 * Specifies the minimum length of time after a password change 428 * before the user is allowed to change the password again. 429 * <p> 430 * The value of this attribute is an integer followed by a unit of 431 * seconds, minutes, hours, days, or weeks. This setting can be used 432 * to prevent users from changing their passwords repeatedly over a 433 * short period of time to flush an old password from the history so 434 * that it can be re-used. 435 * 436 * @return Returns the value of the "min-password-age" property. 437 */ 438 long getMinPasswordAge(); 439 440 441 442 /** 443 * Gets the "password-attribute" property. 444 * <p> 445 * Specifies the attribute type used to hold user passwords. 446 * <p> 447 * This attribute type must be defined in the server schema, and it 448 * must have either the user password or auth password syntax. 449 * 450 * @return Returns the value of the "password-attribute" property. 451 */ 452 AttributeType getPasswordAttribute(); 453 454 455 456 /** 457 * Gets the "password-change-requires-current-password" property. 458 * <p> 459 * Indicates whether user password changes must use the password 460 * modify extended operation and must include the user's current 461 * password before the change is allowed. 462 * 463 * @return Returns the value of the "password-change-requires-current-password" property. 464 */ 465 boolean isPasswordChangeRequiresCurrentPassword(); 466 467 468 469 /** 470 * Gets the "password-expiration-warning-interval" property. 471 * <p> 472 * Specifies the maximum length of time before a user's password 473 * actually expires that the server begins to include warning 474 * notifications in bind responses for that user. 475 * <p> 476 * The value of this attribute is an integer followed by a unit of 477 * seconds, minutes, hours, days, or weeks. A value of 0 seconds 478 * disables the warning interval. 479 * 480 * @return Returns the value of the "password-expiration-warning-interval" property. 481 */ 482 long getPasswordExpirationWarningInterval(); 483 484 485 486 /** 487 * Gets the "password-generator" property. 488 * <p> 489 * Specifies the name of the password generator that is used with 490 * the associated password policy. 491 * <p> 492 * This is used in conjunction with the password modify extended 493 * operation to generate a new password for a user when none was 494 * provided in the request. 495 * 496 * @return Returns the value of the "password-generator" property. 497 */ 498 String getPasswordGenerator(); 499 500 501 502 /** 503 * Gets the "password-generator" property as a DN. 504 * <p> 505 * Specifies the name of the password generator that is used with 506 * the associated password policy. 507 * <p> 508 * This is used in conjunction with the password modify extended 509 * operation to generate a new password for a user when none was 510 * provided in the request. 511 * 512 * @return Returns the DN value of the "password-generator" 513 * property. 514 */ 515 DN getPasswordGeneratorDN(); 516 517 518 519 /** 520 * Gets the "password-history-count" property. 521 * <p> 522 * Specifies the maximum number of former passwords to maintain in 523 * the password history. 524 * <p> 525 * When choosing a new password, the proposed password is checked to 526 * ensure that it does not match the current password, nor any other 527 * password in the history list. A value of zero indicates that 528 * either no password history is to be maintained (if the password 529 * history duration has a value of zero seconds), or that there is no 530 * maximum number of passwords to maintain in the history (if the 531 * password history duration has a value greater than zero seconds). 532 * 533 * @return Returns the value of the "password-history-count" property. 534 */ 535 int getPasswordHistoryCount(); 536 537 538 539 /** 540 * Gets the "password-history-duration" property. 541 * <p> 542 * Specifies the maximum length of time that passwords remain in the 543 * password history. 544 * <p> 545 * When choosing a new password, the proposed password is checked to 546 * ensure that it does not match the current password, nor any other 547 * password in the history list. A value of zero seconds indicates 548 * that either no password history is to be maintained (if the 549 * password history count has a value of zero), or that there is no 550 * maximum duration for passwords in the history (if the password 551 * history count has a value greater than zero). 552 * 553 * @return Returns the value of the "password-history-duration" property. 554 */ 555 long getPasswordHistoryDuration(); 556 557 558 559 /** 560 * Gets the "password-validator" property. 561 * <p> 562 * Specifies the names of the password validators that are used with 563 * the associated password storage scheme. 564 * <p> 565 * The password validators are invoked when a user attempts to 566 * provide a new password, to determine whether the new password is 567 * acceptable. 568 * 569 * @return Returns an unmodifiable set containing the values of the "password-validator" property. 570 */ 571 SortedSet<String> getPasswordValidator(); 572 573 574 575 /** 576 * Gets the "password-validator" property as a set of DNs. 577 * <p> 578 * Specifies the names of the password validators that are used with 579 * the associated password storage scheme. 580 * <p> 581 * The password validators are invoked when a user attempts to 582 * provide a new password, to determine whether the new password is 583 * acceptable. 584 * 585 * @return Returns the DN values of the "password-validator" 586 * property. 587 */ 588 SortedSet<DN> getPasswordValidatorDNs(); 589 590 591 592 /** 593 * Gets the "previous-last-login-time-format" property. 594 * <p> 595 * Specifies the format string(s) that might have been used with the 596 * last login time at any point in the past for users associated with 597 * the password policy. 598 * <p> 599 * These values are used to make it possible to parse previous 600 * values, but are not used to set new values. The format strings 601 * conform to the syntax described in the API documentation for the 602 * java.text.SimpleDateFormat class. 603 * 604 * @return Returns an unmodifiable set containing the values of the "previous-last-login-time-format" property. 605 */ 606 SortedSet<String> getPreviousLastLoginTimeFormat(); 607 608 609 610 /** 611 * Gets the "require-change-by-time" property. 612 * <p> 613 * Specifies the time by which all users with the associated 614 * password policy must change their passwords. 615 * <p> 616 * The value is expressed in a generalized time format. If this time 617 * is equal to the current time or is in the past, then all users are 618 * required to change their passwords immediately. The behavior of 619 * the server in this mode is identical to the behavior observed when 620 * users are forced to change their passwords after an administrative 621 * reset. 622 * 623 * @return Returns the value of the "require-change-by-time" property. 624 */ 625 String getRequireChangeByTime(); 626 627 628 629 /** 630 * Gets the "require-secure-authentication" property. 631 * <p> 632 * Indicates whether users with the associated password policy are 633 * required to authenticate in a secure manner. 634 * <p> 635 * This might mean either using a secure communication channel 636 * between the client and the server, or using a SASL mechanism that 637 * does not expose the credentials. 638 * 639 * @return Returns the value of the "require-secure-authentication" property. 640 */ 641 boolean isRequireSecureAuthentication(); 642 643 644 645 /** 646 * Gets the "require-secure-password-changes" property. 647 * <p> 648 * Indicates whether users with the associated password policy are 649 * required to change their password in a secure manner that does not 650 * expose the credentials. 651 * 652 * @return Returns the value of the "require-secure-password-changes" property. 653 */ 654 boolean isRequireSecurePasswordChanges(); 655 656 657 658 /** 659 * Gets the "skip-validation-for-administrators" property. 660 * <p> 661 * Indicates whether passwords set by administrators are allowed to 662 * bypass the password validation process that is required for user 663 * password changes. 664 * 665 * @return Returns the value of the "skip-validation-for-administrators" property. 666 */ 667 boolean isSkipValidationForAdministrators(); 668 669 670 671 /** 672 * Gets the "state-update-failure-policy" property. 673 * <p> 674 * Specifies how the server deals with the inability to update 675 * password policy state information during an authentication 676 * attempt. 677 * <p> 678 * In particular, this property can be used to control whether an 679 * otherwise successful bind operation fails if a failure occurs 680 * while attempting to update password policy state information (for 681 * example, to clear a record of previous authentication failures or 682 * to update the last login time). It can also be used to control 683 * whether to reject a bind request if it is known ahead of time that 684 * it will not be possible to update the authentication failure times 685 * in the event of an unsuccessful bind attempt (for example, if the 686 * backend writability mode is disabled). 687 * 688 * @return Returns the value of the "state-update-failure-policy" property. 689 */ 690 StateUpdateFailurePolicy getStateUpdateFailurePolicy(); 691 692}