/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License"). You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at
 * trunk/opends/resource/legal-notices/OpenDS.LICENSE
 * or https://OpenDS.dev.java.net/OpenDS.LICENSE.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at
 * trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
 * add the following below this CDDL HEADER, with the fields enclosed
 * by brackets "[]" replaced with your own identifying information:
 * Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 *
 *
 * Copyright 2008 Sun Microsystems, Inc.
 */
package org.opends.server.admin.std.client;

import java.util.Collection;
import java.util.SortedSet;
import org.opends.server.admin.ConfigurationClient;
import org.opends.server.admin.IllegalPropertyValueException;
import org.opends.server.admin.ManagedObjectDefinition;
import org.opends.server.admin.std.meta.PasswordPolicyCfgDefn.StateUpdateFailurePolicy;
import org.opends.server.admin.std.server.PasswordPolicyCfg;
import org.opends.server.types.AttributeType;

/**
 * Client-side view of a Password Policy configuration, used to read and modify its settings.
 * <p>
 * Password Policies define a number of password management rules, as well as requirements
 * for authentication processing.
 */
public interface PasswordPolicyCfgClient extends ConfigurationClient {

  // NOTE(review): setters take boxed types (Boolean, Integer, Long) while the matching getters
  // return primitives; how a null argument is treated is not stated in this file -- confirm
  // against the implementation before passing null.
  // NOTE(review): duration properties are documented as "an integer followed by a unit", but
  // the accessors exchange a plain long/Long; the unit of that number is not stated here --
  // confirm it before setting lockout or expiration intervals.

  /**
   * Returns the configuration definition associated with this Password Policy.
   *
   * @return the configuration definition associated with this Password Policy
   */
  ManagedObjectDefinition<? extends PasswordPolicyCfgClient, ? extends PasswordPolicyCfg> definition();

  // NOTE(review): the description of this property (getter and setter) says "password storage
  // scheme"; for a handler list held by a password policy that wording may be a carry-over --
  // confirm against the property definition.
  /**
   * Returns the {@code account-status-notification-handler} property.
   * <p>
   * The property names the account status notification handlers that are used with the
   * associated password storage scheme.
   *
   * @return the values of the {@code account-status-notification-handler} property
   */
  SortedSet<String> getAccountStatusNotificationHandler();

  /**
   * Replaces the {@code account-status-notification-handler} property.
   * <p>
   * The property names the account status notification handlers that are used with the
   * associated password storage scheme.
   *
   * @param values the values of the {@code account-status-notification-handler} property
   * @throws IllegalPropertyValueException if one or more of the new values are invalid
   */
  void setAccountStatusNotificationHandler(Collection<String> values)
      throws IllegalPropertyValueException;

  /**
   * Returns the {@code allow-expired-password-changes} property.
   * <p>
   * The property states whether a user whose password is expired is still allowed to change
   * that password using the password modify extended operation.
   *
   * @return the value of the {@code allow-expired-password-changes} property
   */
  boolean isAllowExpiredPasswordChanges();

  /**
   * Replaces the {@code allow-expired-password-changes} property.
   * <p>
   * The property states whether a user whose password is expired is still allowed to change
   * that password using the password modify extended operation.
   *
   * @param value the value of the {@code allow-expired-password-changes} property
   * @throws IllegalPropertyValueException if the new value is invalid
   */
  void setAllowExpiredPasswordChanges(Boolean value)
      throws IllegalPropertyValueException;

  /**
   * Returns the {@code allow-multiple-password-values} property.
   * <p>
   * The property states whether user entries can have multiple distinct values for the
   * password attribute.
   * <p>
   * Enabling it is potentially dangerous because many mechanisms used to change the password
   * do not work well with such a configuration. If multiple password values are allowed, then
   * any of them can be used to authenticate, and they are all subject to the same policy
   * constraints.
   *
   * @return the value of the {@code allow-multiple-password-values} property
   */
  boolean isAllowMultiplePasswordValues();

  /**
   * Replaces the {@code allow-multiple-password-values} property.
   * <p>
   * The property states whether user entries can have multiple distinct values for the
   * password attribute.
   * <p>
   * Enabling it is potentially dangerous because many mechanisms used to change the password
   * do not work well with such a configuration. If multiple password values are allowed, then
   * any of them can be used to authenticate, and they are all subject to the same policy
   * constraints.
   *
   * @param value the value of the {@code allow-multiple-password-values} property
   * @throws IllegalPropertyValueException if the new value is invalid
   */
  void setAllowMultiplePasswordValues(Boolean value)
      throws IllegalPropertyValueException;

  /**
   * Returns the {@code allow-pre-encoded-passwords} property.
   * <p>
   * The property states whether users can change their passwords by providing a pre-encoded
   * value.
   * <p>
   * Allowing this can cause a security risk: the clear-text version of the password is not
   * known, and therefore validation checks cannot be applied to it.
   *
   * @return the value of the {@code allow-pre-encoded-passwords} property
   */
  boolean isAllowPreEncodedPasswords();

  /**
   * Replaces the {@code allow-pre-encoded-passwords} property.
   * <p>
   * The property states whether users can change their passwords by providing a pre-encoded
   * value.
   * <p>
   * Allowing this can cause a security risk: the clear-text version of the password is not
   * known, and therefore validation checks cannot be applied to it.
   *
   * @param value the value of the {@code allow-pre-encoded-passwords} property
   * @throws IllegalPropertyValueException if the new value is invalid
   */
  void setAllowPreEncodedPasswords(Boolean value)
      throws IllegalPropertyValueException;

  /**
   * Returns the {@code allow-user-password-changes} property.
   * <p>
   * The property states whether users can change their own passwords.
   * <p>
   * This check is made in addition to access control evaluation. Both must allow the password
   * change for it to occur.
   *
   * @return the value of the {@code allow-user-password-changes} property
   */
  boolean isAllowUserPasswordChanges();

  /**
   * Replaces the {@code allow-user-password-changes} property.
   * <p>
   * The property states whether users can change their own passwords.
   * <p>
   * This check is made in addition to access control evaluation. Both must allow the password
   * change for it to occur.
   *
   * @param value the value of the {@code allow-user-password-changes} property
   * @throws IllegalPropertyValueException if the new value is invalid
   */
  void setAllowUserPasswordChanges(Boolean value)
      throws IllegalPropertyValueException;

  /**
   * Returns the {@code default-password-storage-scheme} property.
   * <p>
   * The property names the password storage schemes that are used to encode clear-text
   * passwords for this password policy.
   *
   * @return the values of the {@code default-password-storage-scheme} property
   */
  SortedSet<String> getDefaultPasswordStorageScheme();

  /**
   * Replaces the {@code default-password-storage-scheme} property.
   * <p>
   * The property names the password storage schemes that are used to encode clear-text
   * passwords for this password policy.
   *
   * @param values the values of the {@code default-password-storage-scheme} property
   * @throws IllegalPropertyValueException if one or more of the new values are invalid
   */
  void setDefaultPasswordStorageScheme(Collection<String> values)
      throws IllegalPropertyValueException;

  /**
   * Returns the {@code deprecated-password-storage-scheme} property.
   * <p>
   * The property names the password storage schemes that are considered deprecated for this
   * password policy.
   * <p>
   * If a user with this password policy authenticates to the server and their password is
   * encoded with a deprecated scheme, those values are removed and replaced with values
   * encoded using the default password storage scheme(s).
   *
   * @return the values of the {@code deprecated-password-storage-scheme} property
   */
  SortedSet<String> getDeprecatedPasswordStorageScheme();

  /**
   * Replaces the {@code deprecated-password-storage-scheme} property.
   * <p>
   * The property names the password storage schemes that are considered deprecated for this
   * password policy.
   * <p>
   * If a user with this password policy authenticates to the server and their password is
   * encoded with a deprecated scheme, those values are removed and replaced with values
   * encoded using the default password storage scheme(s).
   *
   * @param values the values of the {@code deprecated-password-storage-scheme} property
   * @throws IllegalPropertyValueException if one or more of the new values are invalid
   */
  void setDeprecatedPasswordStorageScheme(Collection<String> values)
      throws IllegalPropertyValueException;

  /**
   * Returns the {@code expire-passwords-without-warning} property.
   * <p>
   * The property states whether the Directory Server allows a user's password to expire even
   * if that user has never seen an expiration warning notification.
   * <p>
   * If this property is true, accounts always expire when the expiration time arrives. If
   * this property is false, the user always receives at least one warning notification, and
   * the password expiration is set to the warning time plus the warning interval.
   *
   * @return the value of the {@code expire-passwords-without-warning} property
   */
  boolean isExpirePasswordsWithoutWarning();

  /**
   * Replaces the {@code expire-passwords-without-warning} property.
   * <p>
   * The property states whether the Directory Server allows a user's password to expire even
   * if that user has never seen an expiration warning notification.
   * <p>
   * If this property is true, accounts always expire when the expiration time arrives. If
   * this property is false, the user always receives at least one warning notification, and
   * the password expiration is set to the warning time plus the warning interval.
   *
   * @param value the value of the {@code expire-passwords-without-warning} property
   * @throws IllegalPropertyValueException if the new value is invalid
   */
  void setExpirePasswordsWithoutWarning(Boolean value)
      throws IllegalPropertyValueException;

  /**
   * Returns the {@code force-change-on-add} property.
   * <p>
   * The property states whether users are forced to change their passwords upon first
   * authenticating to the Directory Server after their account has been created.
   *
   * @return the value of the {@code force-change-on-add} property
   */
  boolean isForceChangeOnAdd();

  /**
   * Replaces the {@code force-change-on-add} property.
   * <p>
   * The property states whether users are forced to change their passwords upon first
   * authenticating to the Directory Server after their account has been created.
   *
   * @param value the value of the {@code force-change-on-add} property
   * @throws IllegalPropertyValueException if the new value is invalid
   */
  void setForceChangeOnAdd(Boolean value)
      throws IllegalPropertyValueException;

  /**
   * Returns the {@code force-change-on-reset} property.
   * <p>
   * The property states whether users are forced to change their passwords if they are reset
   * by an administrator.
   * <p>
   * For this purpose, anyone with permission to change a given user's password other than
   * that user is considered an administrator.
   *
   * @return the value of the {@code force-change-on-reset} property
   */
  boolean isForceChangeOnReset();

  /**
   * Replaces the {@code force-change-on-reset} property.
   * <p>
   * The property states whether users are forced to change their passwords if they are reset
   * by an administrator.
   * <p>
   * For this purpose, anyone with permission to change a given user's password other than
   * that user is considered an administrator.
   *
   * @param value the value of the {@code force-change-on-reset} property
   * @throws IllegalPropertyValueException if the new value is invalid
   */
  void setForceChangeOnReset(Boolean value)
      throws IllegalPropertyValueException;

  /**
   * Returns the {@code grace-login-count} property.
   * <p>
   * The property gives the number of grace logins that a user is allowed after the account
   * has expired to allow that user to choose a new password.
   * <p>
   * A value of 0 indicates that no grace logins are allowed.
   *
   * @return the value of the {@code grace-login-count} property
   */
  int getGraceLoginCount();

  /**
   * Replaces the {@code grace-login-count} property.
   * <p>
   * The property gives the number of grace logins that a user is allowed after the account
   * has expired to allow that user to choose a new password.
   * <p>
   * A value of 0 indicates that no grace logins are allowed.
   *
   * @param value the value of the {@code grace-login-count} property
   * @throws IllegalPropertyValueException if the new value is invalid
   */
  void setGraceLoginCount(Integer value)
      throws IllegalPropertyValueException;

  /**
   * Returns the {@code idle-lockout-interval} property.
   * <p>
   * The property gives the maximum length of time that an account may remain idle (that is,
   * the associated user does not authenticate to the server) before that user is locked out.
   * <p>
   * The value of this attribute is an integer followed by a unit of seconds, minutes, hours,
   * days, or weeks. A value of 0 seconds indicates that idle accounts are not automatically
   * locked out. This feature is available only if the last login time is maintained.
   *
   * @return the value of the {@code idle-lockout-interval} property
   */
  long getIdleLockoutInterval();

  /**
   * Replaces the {@code idle-lockout-interval} property.
   * <p>
   * The property gives the maximum length of time that an account may remain idle (that is,
   * the associated user does not authenticate to the server) before that user is locked out.
   * <p>
   * The value of this attribute is an integer followed by a unit of seconds, minutes, hours,
   * days, or weeks. A value of 0 seconds indicates that idle accounts are not automatically
   * locked out. This feature is available only if the last login time is maintained.
   *
   * @param value the value of the {@code idle-lockout-interval} property
   * @throws IllegalPropertyValueException if the new value is invalid
   */
  void setIdleLockoutInterval(Long value)
      throws IllegalPropertyValueException;

  /**
   * Returns the {@code last-login-time-attribute} property.
   * <p>
   * The property gives the name or OID of the attribute type that is used to hold the last
   * login time for users with the associated password policy.
   * <p>
   * This attribute type must be defined in the Directory Server schema and must either be
   * defined as an operational attribute or must be allowed by the set of objectClasses for
   * all users with the associated password policy.
   *
   * @return the value of the {@code last-login-time-attribute} property
   */
  AttributeType getLastLoginTimeAttribute();

  /**
   * Replaces the {@code last-login-time-attribute} property.
   * <p>
   * The property gives the name or OID of the attribute type that is used to hold the last
   * login time for users with the associated password policy.
   * <p>
   * This attribute type must be defined in the Directory Server schema and must either be
   * defined as an operational attribute or must be allowed by the set of objectClasses for
   * all users with the associated password policy.
   *
   * @param value the value of the {@code last-login-time-attribute} property
   * @throws IllegalPropertyValueException if the new value is invalid
   */
  void setLastLoginTimeAttribute(AttributeType value)
      throws IllegalPropertyValueException;

  /**
   * Returns the {@code last-login-time-format} property.
   * <p>
   * The property gives the format string that is used to generate the last login time value
   * for users with the associated password policy.
   * <p>
   * This format string conforms to the syntax described in the API documentation for the
   * java.text.SimpleDateFormat class.
   *
   * @return the value of the {@code last-login-time-format} property
   */
  String getLastLoginTimeFormat();

  /**
   * Replaces the {@code last-login-time-format} property.
   * <p>
   * The property gives the format string that is used to generate the last login time value
   * for users with the associated password policy.
   * <p>
   * This format string conforms to the syntax described in the API documentation for the
   * java.text.SimpleDateFormat class.
   *
   * @param value the value of the {@code last-login-time-format} property
   * @throws IllegalPropertyValueException if the new value is invalid
   */
  void setLastLoginTimeFormat(String value)
      throws IllegalPropertyValueException;

  /**
   * Returns the {@code lockout-duration} property.
   * <p>
   * The property gives the length of time that an account is locked after too many
   * authentication failures.
   * <p>
   * The value of this attribute is an integer followed by a unit of seconds, minutes, hours,
   * days, or weeks. A value of 0 seconds indicates that the account must remain locked until
   * an administrator resets the password.
   *
   * @return the value of the {@code lockout-duration} property
   */
  long getLockoutDuration();

  /**
   * Replaces the {@code lockout-duration} property.
   * <p>
   * The property gives the length of time that an account is locked after too many
   * authentication failures.
   * <p>
   * The value of this attribute is an integer followed by a unit of seconds, minutes, hours,
   * days, or weeks. A value of 0 seconds indicates that the account must remain locked until
   * an administrator resets the password.
   *
   * @param value the value of the {@code lockout-duration} property
   * @throws IllegalPropertyValueException if the new value is invalid
   */
  void setLockoutDuration(Long value)
      throws IllegalPropertyValueException;

  /**
   * Returns the {@code lockout-failure-count} property.
   * <p>
   * The property gives the maximum number of authentication failures that a user is allowed
   * before the account is locked out.
   * <p>
   * A value of 0 indicates that accounts are never locked out due to failed attempts.
   *
   * @return the value of the {@code lockout-failure-count} property
   */
  int getLockoutFailureCount();

  /**
   * Replaces the {@code lockout-failure-count} property.
   * <p>
   * The property gives the maximum number of authentication failures that a user is allowed
   * before the account is locked out.
   * <p>
   * A value of 0 indicates that accounts are never locked out due to failed attempts.
   *
   * @param value the value of the {@code lockout-failure-count} property
   * @throws IllegalPropertyValueException if the new value is invalid
   */
  void setLockoutFailureCount(Integer value)
      throws IllegalPropertyValueException;

  /**
   * Returns the {@code lockout-failure-expiration-interval} property.
   * <p>
   * The property gives the length of time before an authentication failure is no longer
   * counted against a user for the purposes of account lockout.
   * <p>
   * The value of this attribute is an integer followed by a unit of seconds, minutes, hours,
   * days, or weeks. A value of 0 seconds indicates that the authentication failures must
   * never expire. The failure count is always cleared upon a successful authentication.
   *
   * @return the value of the {@code lockout-failure-expiration-interval} property
   */
  long getLockoutFailureExpirationInterval();

  /**
   * Replaces the {@code lockout-failure-expiration-interval} property.
   * <p>
   * The property gives the length of time before an authentication failure is no longer
   * counted against a user for the purposes of account lockout.
   * <p>
   * The value of this attribute is an integer followed by a unit of seconds, minutes, hours,
   * days, or weeks. A value of 0 seconds indicates that the authentication failures must
   * never expire. The failure count is always cleared upon a successful authentication.
   *
   * @param value the value of the {@code lockout-failure-expiration-interval} property
   * @throws IllegalPropertyValueException if the new value is invalid
   */
  void setLockoutFailureExpirationInterval(Long value)
      throws IllegalPropertyValueException;

  /**
   * Returns the {@code max-password-age} property.
   * <p>
   * The property gives the maximum length of time that a user can continue using the same
   * password before it must be changed (that is, the password expiration interval).
   * <p>
   * The value of this attribute is an integer followed by a unit of seconds, minutes, hours,
   * days, or weeks. A value of 0 seconds disables password expiration.
   *
   * @return the value of the {@code max-password-age} property
   */
  long getMaxPasswordAge();

  /**
   * Replaces the {@code max-password-age} property.
   * <p>
   * The property gives the maximum length of time that a user can continue using the same
   * password before it must be changed (that is, the password expiration interval).
   * <p>
   * The value of this attribute is an integer followed by a unit of seconds, minutes, hours,
   * days, or weeks. A value of 0 seconds disables password expiration.
   *
   * @param value the value of the {@code max-password-age} property
   * @throws IllegalPropertyValueException if the new value is invalid
   */
  void setMaxPasswordAge(Long value)
      throws IllegalPropertyValueException;

  /**
   * Returns the {@code max-password-reset-age} property.
   * <p>
   * The property gives the maximum length of time that users have to change passwords after
   * they have been reset by an administrator before they become locked.
   * <p>
   * The value of this attribute is an integer followed by a unit of seconds, minutes, hours,
   * days, or weeks. A value of 0 seconds disables this feature.
   *
   * @return the value of the {@code max-password-reset-age} property
   */
  long getMaxPasswordResetAge();

  /**
   * Replaces the {@code max-password-reset-age} property.
   * <p>
   * The property gives the maximum length of time that users have to change passwords after
   * they have been reset by an administrator before they become locked.
   * <p>
   * The value of this attribute is an integer followed by a unit of seconds, minutes, hours,
   * days, or weeks. A value of 0 seconds disables this feature.
   *
   * @param value the value of the {@code max-password-reset-age} property
   * @throws IllegalPropertyValueException if the new value is invalid
   */
  void setMaxPasswordResetAge(Long value)
      throws IllegalPropertyValueException;

  /**
   * Returns the {@code min-password-age} property.
   * <p>
   * The property gives the minimum length of time after a password change before the user is
   * allowed to change the password again.
   * <p>
   * The value of this attribute is an integer followed by a unit of seconds, minutes, hours,
   * days, or weeks. This setting can be used to prevent users from changing their passwords
   * repeatedly over a short period of time to flush an old password from the history so that
   * it can be re-used.
   *
   * @return the value of the {@code min-password-age} property
   */
  long getMinPasswordAge();

  /**
   * Replaces the {@code min-password-age} property.
   * <p>
   * The property gives the minimum length of time after a password change before the user is
   * allowed to change the password again.
   * <p>
   * The value of this attribute is an integer followed by a unit of seconds, minutes, hours,
   * days, or weeks. This setting can be used to prevent users from changing their passwords
   * repeatedly over a short period of time to flush an old password from the history so that
   * it can be re-used.
   *
   * @param value the value of the {@code min-password-age} property
   * @throws IllegalPropertyValueException if the new value is invalid
   */
  void setMinPasswordAge(Long value)
      throws IllegalPropertyValueException;

  /**
   * Returns the {@code password-attribute} property.
   * <p>
   * The property gives the attribute type used to hold user passwords.
   * <p>
   * This attribute type must be defined in the server schema, and it must have either the
   * user password or auth password syntax.
   *
   * @return the value of the {@code password-attribute} property
   */
  AttributeType getPasswordAttribute();

  /**
   * Replaces the {@code password-attribute} property.
   * <p>
   * The property gives the attribute type used to hold user passwords.
   * <p>
   * This attribute type must be defined in the server schema, and it must have either the
   * user password or auth password syntax.
   *
   * @param value the value of the {@code password-attribute} property
   * @throws IllegalPropertyValueException if the new value is invalid
   */
  void setPasswordAttribute(AttributeType value)
      throws IllegalPropertyValueException;

  /**
   * Returns the {@code password-change-requires-current-password} property.
   * <p>
   * The property states whether user password changes must use the password modify extended
   * operation and must include the user's current password before the change is allowed.
   *
   * @return the value of the {@code password-change-requires-current-password} property
   */
  boolean isPasswordChangeRequiresCurrentPassword();

  /**
   * Replaces the {@code password-change-requires-current-password} property.
   * <p>
   * The property states whether user password changes must use the password modify extended
   * operation and must include the user's current password before the change is allowed.
   *
   * @param value the value of the {@code password-change-requires-current-password} property
   * @throws IllegalPropertyValueException if the new value is invalid
   */
  void setPasswordChangeRequiresCurrentPassword(Boolean value)
      throws IllegalPropertyValueException;

  /**
   * Returns the {@code password-expiration-warning-interval} property.
   * <p>
   * The property gives the maximum length of time before a user's password actually expires
   * that the server begins to include warning notifications in bind responses for that user.
   * <p>
   * The value of this attribute is an integer followed by a unit of seconds, minutes, hours,
   * days, or weeks. A value of 0 seconds disables the warning interval.
   *
   * @return the value of the {@code password-expiration-warning-interval} property
   */
  long getPasswordExpirationWarningInterval();

  /**
   * Replaces the {@code password-expiration-warning-interval} property.
   * <p>
   * The property gives the maximum length of time before a user's password actually expires
   * that the server begins to include warning notifications in bind responses for that user.
   * <p>
   * The value of this attribute is an integer followed by a unit of seconds, minutes, hours,
   * days, or weeks. A value of 0 seconds disables the warning interval.
   *
   * @param value the value of the {@code password-expiration-warning-interval} property
   * @throws IllegalPropertyValueException if the new value is invalid
   */
  void setPasswordExpirationWarningInterval(Long value)
      throws IllegalPropertyValueException;

  /**
   * Returns the {@code password-generator} property.
   * <p>
   * The property names the password generator that is used with the associated password
   * policy.
   * <p>
   * The generator is used in conjunction with the password modify extended operation to
   * generate a new password for a user when none was provided in the request.
   *
   * @return the value of the {@code password-generator} property
   */
  String getPasswordGenerator();

  /**
   * Replaces the {@code password-generator} property.
   * <p>
   * The property names the password generator that is used with the associated password
   * policy.
   * <p>
   * The generator is used in conjunction with the password modify extended operation to
   * generate a new password for a user when none was provided in the request.
   *
   * @param value the value of the {@code password-generator} property
   * @throws IllegalPropertyValueException if the new value is invalid
   */
  void setPasswordGenerator(String value)
      throws IllegalPropertyValueException;

  /**
   * Returns the {@code password-history-count} property.
   * <p>
   * The property gives the maximum number of former passwords to maintain in the password
   * history.
   * <p>
   * When choosing a new password, the proposed password is checked to ensure that it does not
   * match the current password, nor any other password in the history list. A value of zero
   * indicates that either no password history is to be maintained (if the password history
   * duration has a value of zero seconds), or that there is no maximum number of passwords to
   * maintain in the history (if the password history duration has a value greater than zero
   * seconds).
   *
   * @return the value of the {@code password-history-count} property
   */
  int getPasswordHistoryCount();

  /**
   * Replaces the {@code password-history-count} property.
   * <p>
   * The property gives the maximum number of former passwords to maintain in the password
   * history.
   * <p>
   * When choosing a new password, the proposed password is checked to ensure that it does not
   * match the current password, nor any other password in the history list. A value of zero
   * indicates that either no password history is to be maintained (if the password history
   * duration has a value of zero seconds), or that there is no maximum number of passwords to
   * maintain in the history (if the password history duration has a value greater than zero
   * seconds).
   *
   * @param value the value of the {@code password-history-count} property
   * @throws IllegalPropertyValueException if the new value is invalid
   */
  void setPasswordHistoryCount(Integer value)
      throws IllegalPropertyValueException;

  /**
   * Returns the {@code password-history-duration} property.
   * <p>
   * The property gives the maximum length of time that passwords remain in the password
   * history.
   * <p>
   * When choosing a new password, the proposed password is checked to ensure that it does not
   * match the current password, nor any other password in the history list. A value of zero
   * seconds indicates that either no password history is to be maintained (if the password
   * history count has a value of zero), or that there is no maximum duration for passwords in
   * the history (if the password history count has a value greater than zero).
   *
   * @return the value of the {@code password-history-duration} property
   */
  long getPasswordHistoryDuration();

  /**
   * Replaces the {@code password-history-duration} property.
   * <p>
   * The property gives the maximum length of time that passwords remain in the password
   * history.
   * <p>
   * When choosing a new password, the proposed password is checked to ensure that it does not
   * match the current password, nor any other password in the history list. A value of zero
   * seconds indicates that either no password history is to be maintained (if the password
   * history count has a value of zero), or that there is no maximum duration for passwords in
   * the history (if the password history count has a value greater than zero).
   *
   * @param value the value of the {@code password-history-duration} property
   * @throws IllegalPropertyValueException if the new value is invalid
   */
  void setPasswordHistoryDuration(Long value)
      throws IllegalPropertyValueException;

  // NOTE(review): as with the notification handlers, the description of this property (getter
  // and setter) refers to the "password storage scheme" rather than the password policy --
  // confirm against the property definition.
  /**
   * Returns the {@code password-validator} property.
   * <p>
   * The property names the password validators that are used with the associated password
   * storage scheme.
   * <p>
   * The password validators are invoked when a user attempts to provide a new password, to
   * determine whether the new password is acceptable.
   *
   * @return the values of the {@code password-validator} property
   */
  SortedSet<String> getPasswordValidator();

  /**
   * Replaces the {@code password-validator} property.
   * <p>
   * The property names the password validators that are used with the associated password
   * storage scheme.
   * <p>
   * The password validators are invoked when a user attempts to provide a new password, to
   * determine whether the new password is acceptable.
   *
   * @param values the values of the {@code password-validator} property
   * @throws IllegalPropertyValueException if one or more of the new values are invalid
   */
  void setPasswordValidator(Collection<String> values)
      throws IllegalPropertyValueException;

  /**
   * Returns the {@code previous-last-login-time-format} property.
   * <p>
   * The property gives the format string(s) that might have been used with the last login
   * time at any point in the past for users associated with the password policy.
   * <p>
   * These values are used to make it possible to parse previous values, but are not used to
   * set new values. The format strings conform to the syntax described in the API
   * documentation for the java.text.SimpleDateFormat class.
   *
   * @return the values of the {@code previous-last-login-time-format} property
   */
  SortedSet<String> getPreviousLastLoginTimeFormat();

  /**
   * Replaces the {@code previous-last-login-time-format} property.
   * <p>
   * The property gives the format string(s) that might have been used with the last login
   * time at any point in the past for users associated with the password policy.
   * <p>
   * These values are used to make it possible to parse previous values, but are not used to
   * set new values. The format strings conform to the syntax described in the API
   * documentation for the java.text.SimpleDateFormat class.
   *
   * @param values the values of the {@code previous-last-login-time-format} property
   * @throws IllegalPropertyValueException if one or more of the new values are invalid
   */
  void setPreviousLastLoginTimeFormat(Collection<String> values)
      throws IllegalPropertyValueException;

  /**
   * Gets the "require-change-by-time" property.
   * <p>
   * Specifies the time by which all users with the associated
   * password policy must change their passwords.
   * <p>
   * The value is expressed in a generalized time format. If this time
   * is equal to the current time or is in the past, then all users are
   * required to change their passwords immediately. The behavior of
   * the server in this mode is identical to the behavior observed when
   * users are forced to change their passwords after an administrative
   * reset.
   *
   * @return Returns the value of the "require-change-by-time" property.
1034 */ 1035 String getRequireChangeByTime(); 1036 1037 1038 1039 /** 1040 * Sets the "require-change-by-time" property. 1041 * <p> 1042 * Specifies the time by which all users with the associated 1043 * password policy must change their passwords. 1044 * <p> 1045 * The value is expressed in a generalized time format. If this time 1046 * is equal to the current time or is in the past, then all users are 1047 * required to change their passwords immediately. The behavior of 1048 * the server in this mode is identical to the behavior observed when 1049 * users are forced to change their passwords after an administrative 1050 * reset. 1051 * 1052 * @param value The value of the "require-change-by-time" property. 1053 * @throws IllegalPropertyValueException 1054 * If the new value is invalid. 1055 */ 1056 void setRequireChangeByTime(String value) throws IllegalPropertyValueException; 1057 1058 1059 1060 /** 1061 * Gets the "require-secure-authentication" property. 1062 * <p> 1063 * Indicates whether users with the associated password policy are 1064 * required to authenticate in a secure manner. 1065 * <p> 1066 * This might mean either using a secure communication channel 1067 * between the client and the server, or using a SASL mechanism that 1068 * does not expose the credentials. 1069 * 1070 * @return Returns the value of the "require-secure-authentication" property. 1071 */ 1072 boolean isRequireSecureAuthentication(); 1073 1074 1075 1076 /** 1077 * Sets the "require-secure-authentication" property. 1078 * <p> 1079 * Indicates whether users with the associated password policy are 1080 * required to authenticate in a secure manner. 1081 * <p> 1082 * This might mean either using a secure communication channel 1083 * between the client and the server, or using a SASL mechanism that 1084 * does not expose the credentials. 1085 * 1086 * @param value The value of the "require-secure-authentication" property. 
1087 * @throws IllegalPropertyValueException 1088 * If the new value is invalid. 1089 */ 1090 void setRequireSecureAuthentication(Boolean value) throws IllegalPropertyValueException; 1091 1092 1093 1094 /** 1095 * Gets the "require-secure-password-changes" property. 1096 * <p> 1097 * Indicates whether users with the associated password policy are 1098 * required to change their password in a secure manner that does not 1099 * expose the credentials. 1100 * 1101 * @return Returns the value of the "require-secure-password-changes" property. 1102 */ 1103 boolean isRequireSecurePasswordChanges(); 1104 1105 1106 1107 /** 1108 * Sets the "require-secure-password-changes" property. 1109 * <p> 1110 * Indicates whether users with the associated password policy are 1111 * required to change their password in a secure manner that does not 1112 * expose the credentials. 1113 * 1114 * @param value The value of the "require-secure-password-changes" property. 1115 * @throws IllegalPropertyValueException 1116 * If the new value is invalid. 1117 */ 1118 void setRequireSecurePasswordChanges(Boolean value) throws IllegalPropertyValueException; 1119 1120 1121 1122 /** 1123 * Gets the "skip-validation-for-administrators" property. 1124 * <p> 1125 * Indicates whether passwords set by administrators are allowed to 1126 * bypass the password validation process that is required for user 1127 * password changes. 1128 * 1129 * @return Returns the value of the "skip-validation-for-administrators" property. 1130 */ 1131 boolean isSkipValidationForAdministrators(); 1132 1133 1134 1135 /** 1136 * Sets the "skip-validation-for-administrators" property. 1137 * <p> 1138 * Indicates whether passwords set by administrators are allowed to 1139 * bypass the password validation process that is required for user 1140 * password changes. 1141 * 1142 * @param value The value of the "skip-validation-for-administrators" property. 
1143 * @throws IllegalPropertyValueException 1144 * If the new value is invalid. 1145 */ 1146 void setSkipValidationForAdministrators(Boolean value) throws IllegalPropertyValueException; 1147 1148 1149 1150 /** 1151 * Gets the "state-update-failure-policy" property. 1152 * <p> 1153 * Specifies how the server deals with the inability to update 1154 * password policy state information during an authentication 1155 * attempt. 1156 * <p> 1157 * In particular, this property can be used to control whether an 1158 * otherwise successful bind operation fails if a failure occurs 1159 * while attempting to update password policy state information (for 1160 * example, to clear a record of previous authentication failures or 1161 * to update the last login time). It can also be used to control 1162 * whether to reject a bind request if it is known ahead of time that 1163 * it will not be possible to update the authentication failure times 1164 * in the event of an unsuccessful bind attempt (for example, if the 1165 * backend writability mode is disabled). 1166 * 1167 * @return Returns the value of the "state-update-failure-policy" property. 1168 */ 1169 StateUpdateFailurePolicy getStateUpdateFailurePolicy(); 1170 1171 1172 1173 /** 1174 * Sets the "state-update-failure-policy" property. 1175 * <p> 1176 * Specifies how the server deals with the inability to update 1177 * password policy state information during an authentication 1178 * attempt. 1179 * <p> 1180 * In particular, this property can be used to control whether an 1181 * otherwise successful bind operation fails if a failure occurs 1182 * while attempting to update password policy state information (for 1183 * example, to clear a record of previous authentication failures or 1184 * to update the last login time). 
It can also be used to control 1185 * whether to reject a bind request if it is known ahead of time that 1186 * it will not be possible to update the authentication failure times 1187 * in the event of an unsuccessful bind attempt (for example, if the 1188 * backend writability mode is disabled). 1189 * 1190 * @param value The value of the "state-update-failure-policy" property. 1191 * @throws IllegalPropertyValueException 1192 * If the new value is invalid. 1193 */ 1194 void setStateUpdateFailurePolicy(StateUpdateFailurePolicy value) throws IllegalPropertyValueException; 1195 1196 }