001    /*
002     * CDDL HEADER START
003     *
004     * The contents of this file are subject to the terms of the
005     * Common Development and Distribution License, Version 1.0 only
006     * (the "License").  You may not use this file except in compliance
007     * with the License.
008     *
009     * You can obtain a copy of the license at
010     * trunk/opends/resource/legal-notices/OpenDS.LICENSE
011     * or https://OpenDS.dev.java.net/OpenDS.LICENSE.
012     * See the License for the specific language governing permissions
013     * and limitations under the License.
014     *
015     * When distributing Covered Code, include this CDDL HEADER in each
016     * file and include the License file at
017     * trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
018     * add the following below this CDDL HEADER, with the fields enclosed
019     * by brackets "[]" replaced with your own identifying information:
020     *      Portions Copyright [yyyy] [name of copyright owner]
021     *
022     * CDDL HEADER END
023     *
024     *
025     *      Copyright 2008 Sun Microsystems, Inc.
026     */
027    package org.opends.server.admin.std.client;
028    
029    
030    
031    import java.util.Collection;
032    import java.util.SortedSet;
033    import org.opends.server.admin.ConfigurationClient;
034    import org.opends.server.admin.IllegalPropertyValueException;
035    import org.opends.server.admin.ManagedObjectDefinition;
036    import org.opends.server.admin.std.meta.PasswordPolicyCfgDefn.StateUpdateFailurePolicy;
037    import org.opends.server.admin.std.server.PasswordPolicyCfg;
038    import org.opends.server.types.AttributeType;
039    
040    
041    
042    /**
043     * A client-side interface for reading and modifying Password Policy
044     * settings.
045     * <p>
046     * Password Policies define a number of password management rules, as
047     * well as requirements for authentication processing.
048     */
049    public interface PasswordPolicyCfgClient extends ConfigurationClient {
050    
051      /**
052       * Get the configuration definition associated with this Password Policy.
          * <p>
          * The wildcard bounds pair this client interface with the
          * {@code PasswordPolicyCfg} type imported from the
          * {@code org.opends.server.admin.std.server} package.
053       *
054       * @return Returns the configuration definition associated with this Password Policy.
055       */
056      ManagedObjectDefinition<? extends PasswordPolicyCfgClient, ? extends PasswordPolicyCfg> definition();
057    
058    
059    
060      /**
061       * Gets the "account-status-notification-handler" property.
062       * <p>
063       * Specifies the names of the account status notification handlers
064       * that are used with the associated password storage scheme.
          * <p>
          * NOTE(review): "password storage scheme" above looks like a slip
          * for "password policy", since this is a Password Policy property -
          * confirm against the property definition.
          * <p>
          * Security note: these handlers are presumably the channel through
          * which account state changes (for example lockouts) are reported;
          * an empty set would leave such events unreported by this policy -
          * confirm.
065       *
066       * @return Returns the values of the "account-status-notification-handler" property.
067       */
068      SortedSet<String> getAccountStatusNotificationHandler();
069    
070    
071    
072      /**
073       * Sets the "account-status-notification-handler" property.
074       * <p>
075       * Specifies the names of the account status notification handlers
076       * that are used with the associated password storage scheme.
          * <p>
          * NOTE(review): "password storage scheme" above looks like a slip
          * for "password policy", since this is a Password Policy property -
          * confirm against the property definition.
          * <p>
          * Security note: these handlers are presumably the channel through
          * which account state changes (for example lockouts) are reported;
          * clearing the set would leave such events unreported by this
          * policy - confirm.
077       *
078       * @param values The values of the "account-status-notification-handler" property.
079       * @throws IllegalPropertyValueException
080       *           If one or more of the new values are invalid.
081       */
082      void setAccountStatusNotificationHandler(Collection<String> values) throws IllegalPropertyValueException;
083    
084    
085    
086      /**
087       * Gets the "allow-expired-password-changes" property.
088       * <p>
089       * Indicates whether a user whose password is expired is still
090       * allowed to change that password using the password modify extended
091       * operation.
          * <p>
          * Security note: when true, the user can still set a new password
          * after expiry (presumably by presenting the expired one), so
          * expiry alone does not retire a credential that may be
          * compromised. Review together with "grace-login-count", which
          * offers a similar post-expiry path.
092       *
093       * @return Returns the value of the "allow-expired-password-changes" property.
094       */
095      boolean isAllowExpiredPasswordChanges();
096    
097    
098    
099      /**
100       * Sets the "allow-expired-password-changes" property.
101       * <p>
102       * Indicates whether a user whose password is expired is still
103       * allowed to change that password using the password modify extended
104       * operation.
          * <p>
          * Security note: when true, the user can still set a new password
          * after expiry (presumably by presenting the expired one), so
          * expiry alone does not retire a credential that may be
          * compromised. Review together with "grace-login-count", which
          * offers a similar post-expiry path.
105       *
106       * @param value The value of the "allow-expired-password-changes" property.
107       * @throws IllegalPropertyValueException
108       *           If the new value is invalid.
109       */
110      void setAllowExpiredPasswordChanges(Boolean value) throws IllegalPropertyValueException;
111    
112    
113    
114      /**
115       * Gets the "allow-multiple-password-values" property.
116       * <p>
117       * Indicates whether user entries can have multiple distinct values
118       * for the password attribute.
119       * <p>
120       * This is potentially dangerous because many mechanisms used to
121       * change the password do not work well with such a configuration. If
122       * multiple password values are allowed, then any of them can be used
123       * to authenticate, and they are all subject to the same policy
124       * constraints.
          * <p>
          * Security note: every extra value is another working credential
          * for the entry. When auditing, a true value here means entries
          * should be checked for more than one password value.
125       *
126       * @return Returns the value of the "allow-multiple-password-values" property.
127       */
128      boolean isAllowMultiplePasswordValues();
129    
130    
131    
132      /**
133       * Sets the "allow-multiple-password-values" property.
134       * <p>
135       * Indicates whether user entries can have multiple distinct values
136       * for the password attribute.
137       * <p>
138       * This is potentially dangerous because many mechanisms used to
139       * change the password do not work well with such a configuration. If
140       * multiple password values are allowed, then any of them can be used
141       * to authenticate, and they are all subject to the same policy
142       * constraints.
          * <p>
          * Security note: every extra value is another working credential
          * for the entry. Keep this false unless a client strictly requires
          * it, and treat entries holding more than one password value as
          * audit findings.
143       *
144       * @param value The value of the "allow-multiple-password-values" property.
145       * @throws IllegalPropertyValueException
146       *           If the new value is invalid.
147       */
148      void setAllowMultiplePasswordValues(Boolean value) throws IllegalPropertyValueException;
149    
150    
151    
152      /**
153       * Gets the "allow-pre-encoded-passwords" property.
154       * <p>
155       * Indicates whether users can change their passwords by providing a
156       * pre-encoded value.
157       * <p>
158       * This can cause a security risk because the clear-text version of
159       * the password is not known and therefore validation checks cannot
160       * be applied to it.
          * <p>
          * Security note: a true value means password quality rules can be
          * skipped by any client that submits an encoded value.
          * NOTE(review): the encoding carried in the supplied value
          * presumably also sidesteps the "default-password-storage-scheme"
          * choice - confirm.
161       *
162       * @return Returns the value of the "allow-pre-encoded-passwords" property.
163       */
164      boolean isAllowPreEncodedPasswords();
165    
166    
167    
168      /**
169       * Sets the "allow-pre-encoded-passwords" property.
170       * <p>
171       * Indicates whether users can change their passwords by providing a
172       * pre-encoded value.
173       * <p>
174       * This can cause a security risk because the clear-text version of
175       * the password is not known and therefore validation checks cannot
176       * be applied to it.
          * <p>
          * Security note: a true value means password quality rules can be
          * skipped by any client that submits an encoded value. Prefer
          * false outside controlled migrations.
          * NOTE(review): the encoding carried in the supplied value
          * presumably also sidesteps the "default-password-storage-scheme"
          * choice - confirm.
177       *
178       * @param value The value of the "allow-pre-encoded-passwords" property.
179       * @throws IllegalPropertyValueException
180       *           If the new value is invalid.
181       */
182      void setAllowPreEncodedPasswords(Boolean value) throws IllegalPropertyValueException;
183    
184    
185    
186      /**
187       * Gets the "allow-user-password-changes" property.
188       * <p>
189       * Indicates whether users can change their own passwords.
190       * <p>
191       * This check is made in addition to access control evaluation. Both
192       * must allow the password change for it to occur.
          * <p>
          * Security note: a true value does not grant the right by itself;
          * access control must also allow the change, so both need to be
          * read together when auditing who can change a password.
193       *
194       * @return Returns the value of the "allow-user-password-changes" property.
195       */
196      boolean isAllowUserPasswordChanges();
197    
198    
199    
200      /**
201       * Sets the "allow-user-password-changes" property.
202       * <p>
203       * Indicates whether users can change their own passwords.
204       * <p>
205       * This check is made in addition to access control evaluation. Both
206       * must allow the password change for it to occur.
          * <p>
          * Security note: true does not grant the right by itself; access
          * control must also allow the change. With false, every change is
          * made by someone other than the user, so "force-change-on-reset"
          * cannot be satisfied by the user and should be reviewed with it.
207       *
208       * @param value The value of the "allow-user-password-changes" property.
209       * @throws IllegalPropertyValueException
210       *           If the new value is invalid.
211       */
212      void setAllowUserPasswordChanges(Boolean value) throws IllegalPropertyValueException;
213    
214    
215    
216      /**
217       * Gets the "default-password-storage-scheme" property.
218       * <p>
219       * Specifies the names of the password storage schemes that are used
220       * to encode clear-text passwords for this password policy.
          * <p>
          * Security note: the schemes listed here determine how hard stored
          * passwords are to recover if directory data is exposed.
          * NOTE(review): with several schemes listed, a value is presumably
          * kept per scheme, so the weakest one sets the bar - confirm.
221       *
222       * @return Returns the values of the "default-password-storage-scheme" property.
223       */
224      SortedSet<String> getDefaultPasswordStorageScheme();
225    
226    
227    
228      /**
229       * Sets the "default-password-storage-scheme" property.
230       * <p>
231       * Specifies the names of the password storage schemes that are used
232       * to encode clear-text passwords for this password policy.
          * <p>
          * Security note: the schemes listed here determine how hard stored
          * passwords are to recover if directory data is exposed. Prefer
          * salted, one-way schemes and avoid reversible or unsalted ones.
          * NOTE(review): with several schemes listed, a value is presumably
          * kept per scheme, so the weakest one sets the bar - confirm.
233       *
234       * @param values The values of the "default-password-storage-scheme" property.
235       * @throws IllegalPropertyValueException
236       *           If one or more of the new values are invalid.
237       */
238      void setDefaultPasswordStorageScheme(Collection<String> values) throws IllegalPropertyValueException;
239    
240    
241    
242      /**
243       * Gets the "deprecated-password-storage-scheme" property.
244       * <p>
245       * Specifies the names of the password storage schemes that are
246       * considered deprecated for this password policy.
247       * <p>
248       * If a user with this password policy authenticates to the server
249       * and his/her password is encoded with a deprecated scheme, those
250       * values are removed and replaced with values encoded using the
251       * default password storage scheme(s).
          * <p>
          * Security note: re-encoding is triggered by authentication, as
          * described above, so accounts that do not log in keep the
          * deprecated encoding. A weak scheme missing from this set is
          * never migrated at all.
252       *
253       * @return Returns the values of the "deprecated-password-storage-scheme" property.
254       */
255      SortedSet<String> getDeprecatedPasswordStorageScheme();
256    
257    
258    
259      /**
260       * Sets the "deprecated-password-storage-scheme" property.
261       * <p>
262       * Specifies the names of the password storage schemes that are
263       * considered deprecated for this password policy.
264       * <p>
265       * If a user with this password policy authenticates to the server
266       * and his/her password is encoded with a deprecated scheme, those
267       * values are removed and replaced with values encoded using the
268       * default password storage scheme(s).
          * <p>
          * Security note: re-encoding is triggered by authentication, as
          * described above, so accounts that do not log in keep the
          * deprecated encoding. Track those entries and reset them if the
          * deprecated scheme is weak.
269       *
270       * @param values The values of the "deprecated-password-storage-scheme" property.
271       * @throws IllegalPropertyValueException
272       *           If one or more of the new values are invalid.
273       */
274      void setDeprecatedPasswordStorageScheme(Collection<String> values) throws IllegalPropertyValueException;
275    
276    
277    
278      /**
279       * Gets the "expire-passwords-without-warning" property.
280       * <p>
281       * Indicates whether the Directory Server allows a user's password
282       * to expire even if that user has never seen an expiration warning
283       * notification.
284       * <p>
285       * If this property is true, accounts always expire when the
286       * expiration time arrives. If this property is false, the
287       * user always receives at least one warning notification, and the
288       * password expiration is set to the warning time plus the warning
289       * interval.
          * <p>
          * Security note: with false, the real expiration can fall later
          * than "max-password-age" suggests, because it is moved to the
          * warning time plus the warning interval.
290       *
291       * @return Returns the value of the "expire-passwords-without-warning" property.
292       */
293      boolean isExpirePasswordsWithoutWarning();
294    
295    
296    
297      /**
298       * Sets the "expire-passwords-without-warning" property.
299       * <p>
300       * Indicates whether the Directory Server allows a user's password
301       * to expire even if that user has never seen an expiration warning
302       * notification.
303       * <p>
304       * If this property is true, accounts always expire when the
305       * expiration time arrives. If this property is false, the
306       * user always receives at least one warning notification, and the
307       * password expiration is set to the warning time plus the warning
308       * interval.
          * <p>
          * Security note: with false, the real expiration can fall later
          * than "max-password-age" suggests, because it is moved to the
          * warning time plus the warning interval. Account for that when
          * stating a maximum credential lifetime.
309       *
310       * @param value The value of the "expire-passwords-without-warning" property.
311       * @throws IllegalPropertyValueException
312       *           If the new value is invalid.
313       */
314      void setExpirePasswordsWithoutWarning(Boolean value) throws IllegalPropertyValueException;
315    
316    
317    
318      /**
319       * Gets the "force-change-on-add" property.
320       * <p>
321       * Indicates whether users are forced to change their passwords upon
322       * first authenticating to the Directory Server after their account
323       * has been created.
          * <p>
          * Security note: an initial password is known to whoever
          * provisioned the account. A false value here means that shared
          * password can remain in use after the first authentication.
324       *
325       * @return Returns the value of the "force-change-on-add" property.
326       */
327      boolean isForceChangeOnAdd();
328    
329    
330    
331      /**
332       * Sets the "force-change-on-add" property.
333       * <p>
334       * Indicates whether users are forced to change their passwords upon
335       * first authenticating to the Directory Server after their account
336       * has been created.
          * <p>
          * Security note: an initial password is known to whoever
          * provisioned the account. True limits the use of that shared
          * password to the first authentication.
337       *
338       * @param value The value of the "force-change-on-add" property.
339       * @throws IllegalPropertyValueException
340       *           If the new value is invalid.
341       */
342      void setForceChangeOnAdd(Boolean value) throws IllegalPropertyValueException;
343    
344    
345    
346      /**
347       * Gets the "force-change-on-reset" property.
348       * <p>
349       * Indicates whether users are forced to change their passwords if
350       * they are reset by an administrator.
351       * <p>
352       * For this purpose, anyone with permission to change a given user's
353       * password other than that user is considered an administrator.
          * <p>
          * Security note: a reset password is known to the person who set
          * it. A false value here means that password can stay in use
          * unchanged after the reset.
354       *
355       * @return Returns the value of the "force-change-on-reset" property.
356       */
357      boolean isForceChangeOnReset();
358    
359    
360    
361      /**
362       * Sets the "force-change-on-reset" property.
363       * <p>
364       * Indicates whether users are forced to change their passwords if
365       * they are reset by an administrator.
366       * <p>
367       * For this purpose, anyone with permission to change a given user's
368       * password other than that user is considered an administrator.
          * <p>
          * Security note: a reset password is known to the person who set
          * it. True ensures the user replaces it; pair it with
          * "max-password-reset-age" so that an unused reset password does
          * not stay valid indefinitely.
369       *
370       * @param value The value of the "force-change-on-reset" property.
371       * @throws IllegalPropertyValueException
372       *           If the new value is invalid.
373       */
374      void setForceChangeOnReset(Boolean value) throws IllegalPropertyValueException;
375    
376    
377    
378      /**
379       * Gets the "grace-login-count" property.
380       * <p>
381       * Specifies the number of grace logins that a user is allowed after
382       * the account has expired to allow that user to choose a new
383       * password.
384       * <p>
385       * A value of 0 indicates that no grace logins are allowed.
          * <p>
          * Security note: each grace login is a successful authentication
          * with an expired password, so a large value extends the useful
          * life of a credential past its expiration.
386       *
387       * @return Returns the value of the "grace-login-count" property.
388       */
389      int getGraceLoginCount();
390    
391    
392    
393      /**
394       * Sets the "grace-login-count" property.
395       * <p>
396       * Specifies the number of grace logins that a user is allowed after
397       * the account has expired to allow that user to choose a new
398       * password.
399       * <p>
400       * A value of 0 indicates that no grace logins are allowed.
          * <p>
          * Security note: each grace login is a successful authentication
          * with an expired password. Keep the count small, and consider 0
          * where "allow-expired-password-changes" already gives users a way
          * to recover.
401       *
402       * @param value The value of the "grace-login-count" property.
403       * @throws IllegalPropertyValueException
404       *           If the new value is invalid.
405       */
406      void setGraceLoginCount(Integer value) throws IllegalPropertyValueException;
407    
408    
409    
410      /**
411       * Gets the "idle-lockout-interval" property.
412       * <p>
413       * Specifies the maximum length of time that an account may remain
414       * idle (that is, the associated user does not authenticate to the
415       * server) before that user is locked out.
416       * <p>
417       * The value of this attribute is an integer followed by a unit of
418       * seconds, minutes, hours, days, or weeks. A value of 0 seconds
419       * indicates that idle accounts are not automatically locked out.
420       * This feature is available only if the last login time is
421       * maintained.
          * <p>
          * Security note: 0 leaves dormant accounts usable indefinitely.
          * NOTE(review): the unit of the returned long is not stated on
          * this interface - confirm it before comparing against a baseline.
422       *
423       * @return Returns the value of the "idle-lockout-interval" property.
424       */
425      long getIdleLockoutInterval();
426    
427    
428    
429      /**
430       * Sets the "idle-lockout-interval" property.
431       * <p>
432       * Specifies the maximum length of time that an account may remain
433       * idle (that is, the associated user does not authenticate to the
434       * server) before that user is locked out.
435       * <p>
436       * The value of this attribute is an integer followed by a unit of
437       * seconds, minutes, hours, days, or weeks. A value of 0 seconds
438       * indicates that idle accounts are not automatically locked out.
439       * This feature is available only if the last login time is
440       * maintained.
          * <p>
          * Security note: 0 leaves dormant accounts usable indefinitely.
          * Because the lockout depends on the last login time being
          * maintained, check "last-login-time-attribute" and
          * "last-login-time-format" when relying on this setting.
          * NOTE(review): the unit expected for the Long argument is not
          * stated on this interface - confirm.
441       *
442       * @param value The value of the "idle-lockout-interval" property.
443       * @throws IllegalPropertyValueException
444       *           If the new value is invalid.
445       */
446      void setIdleLockoutInterval(Long value) throws IllegalPropertyValueException;
447    
448    
449    
450      /**
451       * Gets the "last-login-time-attribute" property.
452       * <p>
453       * Specifies the name or OID of the attribute type that is used to
454       * hold the last login time for users with the associated password
455       * policy.
456       * <p>
457       * This attribute type must be defined in the Directory Server
458       * schema and must either be defined as an operational attribute or
459       * must be allowed by the set of objectClasses for all users with the
460       * associated password policy.
          * <p>
          * Security note: "idle-lockout-interval" is documented as
          * available only if the last login time is maintained, so an unset
          * value here presumably disables idle lockout for the policy -
          * confirm. The stored value is also useful evidence when reviewing
          * account activity.
461       *
462       * @return Returns the value of the "last-login-time-attribute" property.
463       */
464      AttributeType getLastLoginTimeAttribute();
465    
466    
467    
468      /**
469       * Sets the "last-login-time-attribute" property.
470       * <p>
471       * Specifies the name or OID of the attribute type that is used to
472       * hold the last login time for users with the associated password
473       * policy.
474       * <p>
475       * This attribute type must be defined in the Directory Server
476       * schema and must either be defined as an operational attribute or
477       * must be allowed by the set of objectClasses for all users with the
478       * associated password policy.
          * <p>
          * Security note: "idle-lockout-interval" is documented as
          * available only if the last login time is maintained, so leaving
          * this unset presumably disables idle lockout for the policy -
          * confirm. The stored value is also useful evidence when reviewing
          * account activity.
479       *
480       * @param value The value of the "last-login-time-attribute" property.
481       * @throws IllegalPropertyValueException
482       *           If the new value is invalid.
483       */
484      void setLastLoginTimeAttribute(AttributeType value) throws IllegalPropertyValueException;
485    
486    
487    
488      /**
489       * Gets the "last-login-time-format" property.
490       * <p>
491       * Specifies the format string that is used to generate the last
492       * login time value for users with the associated password policy.
493       * <p>
494       * This format string conforms to the syntax described in the API
495       * documentation for the java.text.SimpleDateFormat class.
          * <p>
          * Security note: the pattern's precision bounds the precision of
          * anything derived from the stored value; a date-only pattern, for
          * example, cannot distinguish logins within the same day.
496       *
497       * @return Returns the value of the "last-login-time-format" property.
498       */
499      String getLastLoginTimeFormat();
500    
501    
502    
503      /**
504       * Sets the "last-login-time-format" property.
505       * <p>
506       * Specifies the format string that is used to generate the last
507       * login time value for users with the associated password policy.
508       * <p>
509       * This format string conforms to the syntax described in the API
510       * documentation for the java.text.SimpleDateFormat class.
          * <p>
          * Security note: the pattern's precision bounds the precision of
          * anything derived from the stored value; a date-only pattern, for
          * example, cannot distinguish logins within the same day. Choose a
          * precision that suits both "idle-lockout-interval" and any
          * activity review that reads the attribute.
511       *
512       * @param value The value of the "last-login-time-format" property.
513       * @throws IllegalPropertyValueException
514       *           If the new value is invalid.
515       */
516      void setLastLoginTimeFormat(String value) throws IllegalPropertyValueException;
517    
518    
519    
520      /**
521       * Gets the "lockout-duration" property.
522       * <p>
523       * Specifies the length of time that an account is locked after too
524       * many authentication failures.
525       * <p>
526       * The value of this attribute is an integer followed by a unit of
527       * seconds, minutes, hours, days, or weeks. A value of 0 seconds
528       * indicates that the account must remain locked until an
529       * administrator resets the password.
          * <p>
          * Security note: 0 is the strictest setting here, not a disabled
          * one; lockout itself is switched off through
          * "lockout-failure-count".
          * NOTE(review): the unit of the returned long is not stated on
          * this interface - confirm it before comparing against a baseline.
530       *
531       * @return Returns the value of the "lockout-duration" property.
532       */
533      long getLockoutDuration();
534    
535    
536    
537      /**
538       * Sets the "lockout-duration" property.
539       * <p>
540       * Specifies the length of time that an account is locked after too
541       * many authentication failures.
542       * <p>
543       * The value of this attribute is an integer followed by a unit of
544       * seconds, minutes, hours, days, or weeks. A value of 0 seconds
545       * indicates that the account must remain locked until an
546       * administrator resets the password.
          * <p>
          * Security note: this is a trade-off. 0 keeps the account locked
          * until an administrator acts, which throttles password guessing
          * hardest but lets repeated failed authentications keep a
          * legitimate user out; a short duration does the reverse.
          * NOTE(review): the parameter is a boxed type and null handling is
          * not specified here - confirm whether null resets the property to
          * its default.
547       *
548       * @param value The value of the "lockout-duration" property.
549       * @throws IllegalPropertyValueException
550       *           If the new value is invalid.
551       */
552      void setLockoutDuration(Long value) throws IllegalPropertyValueException;
553    
554    
555    
556      /**
557       * Gets the "lockout-failure-count" property.
558       * <p>
559       * Specifies the maximum number of authentication failures that a
560       * user is allowed before the account is locked out.
561       * <p>
562       * A value of 0 indicates that accounts are never locked out due to
563       * failed attempts.
          * <p>
          * Security note: a returned 0 means this policy does not throttle
          * online password guessing through lockout.
564       *
565       * @return Returns the value of the "lockout-failure-count" property.
566       */
567      int getLockoutFailureCount();
568    
569    
570    
571      /**
572       * Sets the "lockout-failure-count" property.
573       * <p>
574       * Specifies the maximum number of authentication failures that a
575       * user is allowed before the account is locked out.
576       * <p>
577       * A value of 0 indicates that accounts are never locked out due to
578       * failed attempts.
          * <p>
          * Security note: 0 means this policy does not throttle online
          * password guessing through lockout. Choose a non-zero value
          * together with "lockout-duration" and
          * "lockout-failure-expiration-interval".
          * NOTE(review): the parameter is a boxed type and null handling is
          * not specified here - confirm whether null resets the property to
          * its default.
579       *
580       * @param value The value of the "lockout-failure-count" property.
581       * @throws IllegalPropertyValueException
582       *           If the new value is invalid.
583       */
584      void setLockoutFailureCount(Integer value) throws IllegalPropertyValueException;
585    
586    
587    
588      /**
589       * Gets the "lockout-failure-expiration-interval" property.
590       * <p>
591       * Specifies the length of time before an authentication failure is
592       * no longer counted against a user for the purposes of account
593       * lockout.
594       * <p>
595       * The value of this attribute is an integer followed by a unit of
596       * seconds, minutes, hours, days, or weeks. A value of 0 seconds
597       * indicates that the authentication failures must never expire. The
598       * failure count is always cleared upon a successful authentication.
          * <p>
          * Security note: a short interval forgets failures quickly, which
          * weakens lockout against guessing that is spread out over time.
          * NOTE(review): the unit of the returned long is not stated on
          * this interface - confirm it before comparing against a baseline.
599       *
600       * @return Returns the value of the "lockout-failure-expiration-interval" property.
601       */
602      long getLockoutFailureExpirationInterval();
603    
604    
605    
606      /**
607       * Sets the "lockout-failure-expiration-interval" property.
608       * <p>
609       * Specifies the length of time before an authentication failure is
610       * no longer counted against a user for the purposes of account
611       * lockout.
612       * <p>
613       * The value of this attribute is an integer followed by a unit of
614       * seconds, minutes, hours, days, or weeks. A value of 0 seconds
615       * indicates that the authentication failures must never expire. The
616       * failure count is always cleared upon a successful authentication.
          * <p>
          * Security note: with 0, failures accumulate until a successful
          * authentication clears them. A short interval forgets failures
          * quickly, which weakens lockout against guessing that is spread
          * out over time; size it against "lockout-failure-count".
617       *
618       * @param value The value of the "lockout-failure-expiration-interval" property.
619       * @throws IllegalPropertyValueException
620       *           If the new value is invalid.
621       */
622      void setLockoutFailureExpirationInterval(Long value) throws IllegalPropertyValueException;
623    
624    
625    
626      /**
627       * Gets the "max-password-age" property.
628       * <p>
629       * Specifies the maximum length of time that a user can continue
630       * using the same password before it must be changed (that is, the
631       * password expiration interval).
632       * <p>
633       * The value of this attribute is an integer followed by a unit of
634       * seconds, minutes, hours, days, or weeks. A value of 0 seconds
635       * disables password expiration.
          * <p>
          * Security note: a returned 0 means passwords under this policy
          * stay valid until they are changed or reset.
          * NOTE(review): the unit of the returned long is not stated on
          * this interface - confirm it before comparing against a baseline.
636       *
637       * @return Returns the value of the "max-password-age" property.
638       */
639      long getMaxPasswordAge();
640    
641    
642    
643      /**
644       * Sets the "max-password-age" property.
645       * <p>
646       * Specifies the maximum length of time that a user can continue
647       * using the same password before it must be changed (that is, the
648       * password expiration interval).
649       * <p>
650       * The value of this attribute is an integer followed by a unit of
651       * seconds, minutes, hours, days, or weeks. A value of 0 seconds
652       * disables password expiration.
          * <p>
          * Security note: 0 means passwords under this policy stay valid
          * until they are changed or reset, so the lockout and storage
          * scheme settings then carry more of the protection.
          * NOTE(review): the parameter is a boxed type and null handling is
          * not specified here - confirm whether null resets the property to
          * its default.
653       *
654       * @param value The value of the "max-password-age" property.
655       * @throws IllegalPropertyValueException
656       *           If the new value is invalid.
657       */
658      void setMaxPasswordAge(Long value) throws IllegalPropertyValueException;
659    
660    
661    
662      /**
663       * Gets the "max-password-reset-age" property.
664       * <p>
665       * Specifies the maximum length of time that users have to change
666       * passwords after they have been reset by an administrator before
667       * they become locked.
668       * <p>
669       * The value of this attribute is an integer followed by a unit of
670       * seconds, minutes, hours, days, or weeks. A value of 0 seconds
671       * disables this feature.
          * <p>
          * Security note: a returned 0 means an administrator-set password
          * has no deadline under this setting.
          * NOTE(review): the unit of the returned long is not stated on
          * this interface - confirm it before comparing against a baseline.
672       *
673       * @return Returns the value of the "max-password-reset-age" property.
674       */
675      long getMaxPasswordResetAge();
676    
677    
678    
679      /**
680       * Sets the "max-password-reset-age" property.
681       * <p>
682       * Specifies the maximum length of time that users have to change
683       * passwords after they have been reset by an administrator before
684       * they become locked.
685       * <p>
686       * The value of this attribute is an integer followed by a unit of
687       * seconds, minutes, hours, days, or weeks. A value of 0 seconds
688       * disables this feature.
          * <p>
          * Security note: a non-zero value bounds how long a reset
          * password, which is known to the person who set it, can go
          * unchanged. With 0 there is no such deadline.
689       *
690       * @param value The value of the "max-password-reset-age" property.
691       * @throws IllegalPropertyValueException
692       *           If the new value is invalid.
693       */
694      void setMaxPasswordResetAge(Long value) throws IllegalPropertyValueException;
695    
696    
697    
698      /**
699       * Gets the "min-password-age" property.
700       * <p>
701       * Specifies the minimum length of time after a password change
702       * before the user is allowed to change the password again.
703       * <p>
704       * The value of this attribute is an integer followed by a unit of
705       * seconds, minutes, hours, days, or weeks. This setting can be used
706       * to prevent users from changing their passwords repeatedly over a
707       * short period of time to flush an old password from the history so
708       * that it can be re-used.
          * <p>
          * Security note: the same delay applies to a user who wants to
          * replace a password they believe is exposed.
          * NOTE(review): the unit of the returned long is not stated on
          * this interface - confirm it before comparing against a baseline.
709       *
710       * @return Returns the value of the "min-password-age" property.
711       */
712      long getMinPasswordAge();
713    
714    
715    
716      /**
717       * Sets the "min-password-age" property.
718       * <p>
719       * Specifies the minimum length of time after a password change
720       * before the user is allowed to change the password again.
721       * <p>
722       * The value of this attribute is an integer followed by a unit of
723       * seconds, minutes, hours, days, or weeks. This setting can be used
724       * to prevent users from changing their passwords repeatedly over a
725       * short period of time to flush an old password from the history so
726       * that it can be re-used.
          * <p>
          * Security note: the same delay applies to a user who wants to
          * replace a password they believe is exposed; keep an
          * administrator reset path available for that case.
727       *
728       * @param value The value of the "min-password-age" property.
729       * @throws IllegalPropertyValueException
730       *           If the new value is invalid.
731       */
732      void setMinPasswordAge(Long value) throws IllegalPropertyValueException;
733    
734    
735    
736      /**
737       * Gets the "password-attribute" property.
738       * <p>
739       * Specifies the attribute type used to hold user passwords.
740       * <p>
741       * This attribute type must be defined in the server schema, and it
742       * must have either the user password or auth password syntax.
          * <p>
          * Security note: whichever attribute is returned here holds
          * credential material, so it is the one whose read access and
          * presence in exports and logs should be reviewed.
743       *
744       * @return Returns the value of the "password-attribute" property.
745       */
746      AttributeType getPasswordAttribute();
747    
748    
749    
750      /**
751       * Sets the "password-attribute" property.
752       * <p>
753       * Specifies the attribute type used to hold user passwords.
754       * <p>
755       * This attribute type must be defined in the server schema, and it
756       * must have either the user password or auth password syntax.
          * <p>
          * Security note: whichever attribute is named here holds
          * credential material. Limit read access to it through access
          * control and keep it out of widely readable exports and logs.
757       *
758       * @param value The value of the "password-attribute" property.
759       * @throws IllegalPropertyValueException
760       *           If the new value is invalid.
761       */
762      void setPasswordAttribute(AttributeType value) throws IllegalPropertyValueException;
763    
764    
765    
766      /**
767       * Gets the "password-change-requires-current-password" property.
768       * <p>
769       * Indicates whether user password changes must use the password
770       * modify extended operation and must include the user's current
771       * password before the change is allowed.
          * <p>
          * Security note: a false value means an authenticated session
          * alone is enough to replace the password, with no proof that the
          * requester knows the current one.
772       *
773       * @return Returns the value of the "password-change-requires-current-password" property.
774       */
775      boolean isPasswordChangeRequiresCurrentPassword();
776    
777    
778    
779      /**
780       * Sets the "password-change-requires-current-password" property.
781       * <p>
782       * Indicates whether user password changes must use the password
783       * modify extended operation and must include the user's current
784       * password before the change is allowed.
          * <p>
          * Security note: true means an authenticated session alone is not
          * enough to replace the password, which limits what an unattended
          * or hijacked session can do. It also forces changes through the
          * password modify extended operation, so clients that write the
          * password attribute directly will be refused.
785       *
786       * @param value The value of the "password-change-requires-current-password" property.
787       * @throws IllegalPropertyValueException
788       *           If the new value is invalid.
789       */
790      void setPasswordChangeRequiresCurrentPassword(Boolean value) throws IllegalPropertyValueException;
791    
792    
793    
794      /**
795       * Gets the "password-expiration-warning-interval" property.
796       * <p>
797       * Specifies the maximum length of time before a user's password
798       * actually expires that the server begins to include warning
799       * notifications in bind responses for that user.
800       * <p>
801       * The value of this attribute is an integer followed by a unit of
802       * seconds, minutes, hours, days, or weeks. A value of 0 seconds
803       * disables the warning interval.
          * <p>
          * NOTE(review): the property is written with a unit, but this
          * method returns a bare long and does not say which unit it is
          * expressed in (presumably seconds) - confirm before comparing
          * it with other durations.
804       *
805       * @return Returns the value of the "password-expiration-warning-interval" property.
806       */
807      long getPasswordExpirationWarningInterval();
808    
809    
810    
811      /**
812       * Sets the "password-expiration-warning-interval" property.
813       * <p>
814       * Specifies the maximum length of time before a user's password
815       * actually expires that the server begins to include warning
816       * notifications in bind responses for that user.
817       * <p>
818       * The value of this attribute is an integer followed by a unit of
819       * seconds, minutes, hours, days, or weeks. A value of 0 seconds
820       * disables the warning interval.
          * <p>
          * NOTE(review): the unit expected for the bare Long is not stated
          * here (presumably seconds), and null is presumably accepted to
          * restore the default - confirm both against the implementation.
821       *
822       * @param value The value of the "password-expiration-warning-interval" property.
823       * @throws IllegalPropertyValueException
824       *           If the new value is invalid.
825       */
826      void setPasswordExpirationWarningInterval(Long value) throws IllegalPropertyValueException;
827    
828    
829    
830      /**
831       * Gets the "password-generator" property.
832       * <p>
833       * Specifies the name of the password generator that is used with
834       * the associated password policy.
835       * <p>
836       * This is used in conjunction with the password modify extended
837       * operation to generate a new password for a user when none was
838       * provided in the request.
          * <p>
          * NOTE(review): only the generator's name is returned. The return
          * type allows null, presumably when no generator is configured -
          * confirm before dereferencing.
839       *
840       * @return Returns the value of the "password-generator" property.
841       */
842      String getPasswordGenerator();
843    
844    
845    
846      /**
847       * Sets the "password-generator" property.
848       * <p>
849       * Specifies the name of the password generator that is used with
850       * the associated password policy.
851       * <p>
852       * This is used in conjunction with the password modify extended
853       * operation to generate a new password for a user when none was
854       * provided in the request.
          * <p>
          * Security note: passwords produced for users who do not supply
          * one are only as strong as the generator named here, so review
          * that generator's configuration together with this policy.
          * NOTE(review): whether the name is checked against the
          * configured generators at this call is not visible here.
855       *
856       * @param value The value of the "password-generator" property.
857       * @throws IllegalPropertyValueException
858       *           If the new value is invalid.
859       */
860      void setPasswordGenerator(String value) throws IllegalPropertyValueException;
861    
862    
863    
864      /**
865       * Gets the "password-history-count" property.
866       * <p>
867       * Specifies the maximum number of former passwords to maintain in
868       * the password history.
869       * <p>
870       * When choosing a new password, the proposed password is checked to
871       * ensure that it does not match the current password, nor any other
872       * password in the history list. A value of zero indicates that
873       * either no password history is to be maintained (if the password
874       * history duration has a value of zero seconds), or that there is no
875       * maximum number of passwords to maintain in the history (if the
876       * password history duration has a value greater than zero seconds).
          * <p>
          * Security note: zero is ambiguous on its own. Read it together
          * with the password history duration: when both are zero no
          * history is kept, so the history check cannot stop a user from
          * returning to an earlier password.
877       *
878       * @return Returns the value of the "password-history-count" property.
879       */
880      int getPasswordHistoryCount();
881    
882    
883    
884      /**
885       * Sets the "password-history-count" property.
886       * <p>
887       * Specifies the maximum number of former passwords to maintain in
888       * the password history.
889       * <p>
890       * When choosing a new password, the proposed password is checked to
891       * ensure that it does not match the current password, nor any other
892       * password in the history list. A value of zero indicates that
893       * either no password history is to be maintained (if the password
894       * history duration has a value of zero seconds), or that there is no
895       * maximum number of passwords to maintain in the history (if the
896       * password history duration has a value greater than zero seconds).
          * <p>
          * Security note: zero either disables the history or makes it
          * unbounded in count, depending on the password history duration,
          * so check both properties before committing a change.
          * NOTE(review): null is presumably accepted and restores the
          * default - confirm against the implementation.
897       *
898       * @param value The value of the "password-history-count" property.
899       * @throws IllegalPropertyValueException
900       *           If the new value is invalid.
901       */
902      void setPasswordHistoryCount(Integer value) throws IllegalPropertyValueException;
903    
904    
905    
906      /**
907       * Gets the "password-history-duration" property.
908       * <p>
909       * Specifies the maximum length of time that passwords remain in the
910       * password history.
911       * <p>
912       * When choosing a new password, the proposed password is checked to
913       * ensure that it does not match the current password, nor any other
914       * password in the history list. A value of zero seconds indicates
915       * that either no password history is to be maintained (if the
916       * password history count has a value of zero), or that there is no
917       * maximum duration for passwords in the history (if the password
918       * history count has a value greater than zero).
          * <p>
          * Security note: zero is ambiguous on its own. When the password
          * history count is also zero no history is kept, so the history
          * check cannot stop a user from returning to an earlier password.
          * NOTE(review): the unit of the returned long is not stated here
          * (presumably seconds) - confirm.
919       *
920       * @return Returns the value of the "password-history-duration" property.
921       */
922      long getPasswordHistoryDuration();
923    
924    
925    
926      /**
927       * Sets the "password-history-duration" property.
928       * <p>
929       * Specifies the maximum length of time that passwords remain in the
930       * password history.
931       * <p>
932       * When choosing a new password, the proposed password is checked to
933       * ensure that it does not match the current password, nor any other
934       * password in the history list. A value of zero seconds indicates
935       * that either no password history is to be maintained (if the
936       * password history count has a value of zero), or that there is no
937       * maximum duration for passwords in the history (if the password
938       * history count has a value greater than zero).
          * <p>
          * Security note: zero either disables the history or makes it
          * unbounded in time, depending on the password history count, so
          * check both properties before committing a change.
          * NOTE(review): the unit expected for the bare Long is not stated
          * here (presumably seconds), and null is presumably accepted to
          * restore the default - confirm both.
939       *
940       * @param value The value of the "password-history-duration" property.
941       * @throws IllegalPropertyValueException
942       *           If the new value is invalid.
943       */
944      void setPasswordHistoryDuration(Long value) throws IllegalPropertyValueException;
945    
946    
947    
948      /**
949       * Gets the "password-validator" property.
950       * <p>
951       * Specifies the names of the password validators that are used with
952       * the associated password policy.
953       * <p>
954       * The password validators are invoked when a user attempts to
955       * provide a new password, to determine whether the new password is
956       * acceptable.
          * <p>
          * NOTE(review): an empty set presumably means that new passwords
          * are accepted without any validator being consulted - confirm,
          * and flag an empty result when auditing a policy.
957       *
958       * @return Returns the values of the "password-validator" property.
959       */
960      SortedSet<String> getPasswordValidator();
961    
962    
963    
964      /**
965       * Sets the "password-validator" property.
966       * <p>
967       * Specifies the names of the password validators that are used with
968       * the associated password policy.
969       * <p>
970       * The password validators are invoked when a user attempts to
971       * provide a new password, to determine whether the new password is
972       * acceptable.
          * <p>
          * NOTE(review): this presumably replaces the whole value set, so
          * an empty collection would remove every validator from the
          * policy - confirm against the implementation.
973       *
974       * @param values The values of the "password-validator" property.
975       * @throws IllegalPropertyValueException
976       *           If one or more of the new values are invalid.
977       */
978      void setPasswordValidator(Collection<String> values) throws IllegalPropertyValueException;
979    
980    
981    
982      /**
983       * Gets the "previous-last-login-time-format" property.
984       * <p>
985       * Specifies the format string(s) that might have been used with the
986       * last login time at any point in the past for users associated with
987       * the password policy.
988       * <p>
989       * These values are used to make it possible to parse previous
990       * values, but are not used to set new values. The format strings
991       * conform to the syntax described in the API documentation for the
992       * java.text.SimpleDateFormat class.
          * <p>
          * NOTE(review): only pattern strings are returned. A caller that
          * builds java.text.SimpleDateFormat objects from them must not
          * share those objects between threads, because that class is not
          * synchronized.
993       *
994       * @return Returns the values of the "previous-last-login-time-format" property.
995       */
996      SortedSet<String> getPreviousLastLoginTimeFormat();
997    
998    
999    
1000      /**
1001       * Sets the "previous-last-login-time-format" property.
1002       * <p>
1003       * Specifies the format string(s) that might have been used with the
1004       * last login time at any point in the past for users associated with
1005       * the password policy.
1006       * <p>
1007       * These values are used to make it possible to parse previous
1008       * values, but are not used to set new values. The format strings
1009       * conform to the syntax described in the API documentation for the
1010       * java.text.SimpleDateFormat class.
           * <p>
           * NOTE(review): a string that is not a valid
           * java.text.SimpleDateFormat pattern is presumably what makes a
           * value invalid - confirm. Removing a format that stored values
           * still use would presumably leave those values unparseable.
1011       *
1012       * @param values The values of the "previous-last-login-time-format" property.
1013       * @throws IllegalPropertyValueException
1014       *           If one or more of the new values are invalid.
1015       */
1016      void setPreviousLastLoginTimeFormat(Collection<String> values) throws IllegalPropertyValueException;
1017    
1018    
1019    
1020      /**
1021       * Gets the "require-change-by-time" property.
1022       * <p>
1023       * Specifies the time by which all users with the associated
1024       * password policy must change their passwords.
1025       * <p>
1026       * The value is expressed in a generalized time format. If this time
1027       * is equal to the current time or is in the past, then all users are
1028       * required to change their passwords immediately. The behavior of
1029       * the server in this mode is identical to the behavior observed when
1030       * users are forced to change their passwords after an administrative
1031       * reset.
           * <p>
           * NOTE(review): the value is returned as the raw string, not as a
           * parsed time, and the return type allows null, presumably when
           * the property is unset - confirm before parsing.
1032       *
1033       * @return Returns the value of the "require-change-by-time" property.
1034       */
1035      String getRequireChangeByTime();
1036    
1037    
1038    
1039      /**
1040       * Sets the "require-change-by-time" property.
1041       * <p>
1042       * Specifies the time by which all users with the associated
1043       * password policy must change their passwords.
1044       * <p>
1045       * The value is expressed in a generalized time format. If this time
1046       * is equal to the current time or is in the past, then all users are
1047       * required to change their passwords immediately. The behavior of
1048       * the server in this mode is identical to the behavior observed when
1049       * users are forced to change their passwords after an administrative
1050       * reset.
           * <p>
           * Operational note: a value at or before the current time takes
           * effect for every user under this policy at once, so check the
           * value, including its time zone, before committing it.
1051       *
1052       * @param value The value of the "require-change-by-time" property.
1053       * @throws IllegalPropertyValueException
1054       *           If the new value is invalid.
1055       */
1056      void setRequireChangeByTime(String value) throws IllegalPropertyValueException;
1057    
1058    
1059    
1060      /**
1061       * Gets the "require-secure-authentication" property.
1062       * <p>
1063       * Indicates whether users with the associated password policy are
1064       * required to authenticate in a secure manner.
1065       * <p>
1066       * This might mean either using a secure communication channel
1067       * between the client and the server, or using a SASL mechanism that
1068       * does not expose the credentials.
           * <p>
           * Security note: when this is false the policy itself does not
           * object to credentials being presented over an unprotected
           * connection; any such restriction then has to come from other
           * configuration.
1069       *
1070       * @return Returns the value of the "require-secure-authentication" property.
1071       */
1072      boolean isRequireSecureAuthentication();
1073    
1074    
1075    
1076      /**
1077       * Sets the "require-secure-authentication" property.
1078       * <p>
1079       * Indicates whether users with the associated password policy are
1080       * required to authenticate in a secure manner.
1081       * <p>
1082       * This might mean either using a secure communication channel
1083       * between the client and the server, or using a SASL mechanism that
1084       * does not expose the credentials.
           * <p>
           * Security note: setting this to false removes the policy-level
           * requirement, so authentication that exposes the credentials is
           * then not rejected by this policy.
           * NOTE(review): null is presumably accepted and restores the
           * default - confirm what that default is.
1085       *
1086       * @param value The value of the "require-secure-authentication" property.
1087       * @throws IllegalPropertyValueException
1088       *           If the new value is invalid.
1089       */
1090      void setRequireSecureAuthentication(Boolean value) throws IllegalPropertyValueException;
1091    
1092    
1093    
1094      /**
1095       * Gets the "require-secure-password-changes" property.
1096       * <p>
1097       * Indicates whether users with the associated password policy are
1098       * required to change their password in a secure manner that does not
1099       * expose the credentials.
           * <p>
           * Security note: when this is false the policy does not prevent
           * a new password from being submitted in a way that exposes it,
           * presumably including over an unprotected connection.
1100       *
1101       * @return Returns the value of the "require-secure-password-changes" property.
1102       */
1103      boolean isRequireSecurePasswordChanges();
1104    
1105    
1106    
1107      /**
1108       * Sets the "require-secure-password-changes" property.
1109       * <p>
1110       * Indicates whether users with the associated password policy are
1111       * required to change their password in a secure manner that does not
1112       * expose the credentials.
           * <p>
           * Security note: setting this to false removes the policy-level
           * requirement, so a password change that exposes the new
           * credentials is then not rejected by this policy.
           * NOTE(review): null is presumably accepted and restores the
           * default - confirm what that default is.
1113       *
1114       * @param value The value of the "require-secure-password-changes" property.
1115       * @throws IllegalPropertyValueException
1116       *           If the new value is invalid.
1117       */
1118      void setRequireSecurePasswordChanges(Boolean value) throws IllegalPropertyValueException;
1119    
1120    
1121    
1122      /**
1123       * Gets the "skip-validation-for-administrators" property.
1124       * <p>
1125       * Indicates whether passwords set by administrators are allowed to
1126       * bypass the password validation process that is required for user
1127       * password changes.
           * <p>
           * Security note: when this is true, a password set by an
           * administrator is not subject to the validation applied to user
           * changes, so it may be weaker than anything a user could choose.
           * How "administrator" is determined is not stated here - confirm.
1128       *
1129       * @return Returns the value of the "skip-validation-for-administrators" property.
1130       */
1131      boolean isSkipValidationForAdministrators();
1132    
1133    
1134    
1135      /**
1136       * Sets the "skip-validation-for-administrators" property.
1137       * <p>
1138       * Indicates whether passwords set by administrators are allowed to
1139       * bypass the password validation process that is required for user
1140       * password changes.
           * <p>
           * Security note: enabling this lets administratively set
           * passwords bypass validation; consider also forcing a password
           * change after an administrative reset so that such a password
           * does not stay in use.
           * NOTE(review): null is presumably accepted and restores the
           * default - confirm against the implementation.
1141       *
1142       * @param value The value of the "skip-validation-for-administrators" property.
1143       * @throws IllegalPropertyValueException
1144       *           If the new value is invalid.
1145       */
1146      void setSkipValidationForAdministrators(Boolean value) throws IllegalPropertyValueException;
1147    
1148    
1149    
1150      /**
1151       * Gets the "state-update-failure-policy" property.
1152       * <p>
1153       * Specifies how the server deals with the inability to update
1154       * password policy state information during an authentication
1155       * attempt.
1156       * <p>
1157       * In particular, this property can be used to control whether an
1158       * otherwise successful bind operation fails if a failure occurs
1159       * while attempting to update password policy state information (for
1160       * example, to clear a record of previous authentication failures or
1161       * to update the last login time). It can also be used to control
1162       * whether to reject a bind request if it is known ahead of time that
1163       * it will not be possible to update the authentication failure times
1164       * in the event of an unsuccessful bind attempt (for example, if the
1165       * backend writability mode is disabled).
           * <p>
           * Security note: if authentication failure times cannot be
           * recorded, failed binds presumably do not count towards lockout,
           * so a value that still accepts bind requests in that situation
           * trades protection against password guessing for availability.
1166       *
1167       * @return Returns the value of the "state-update-failure-policy" property.
1168       */
1169      StateUpdateFailurePolicy getStateUpdateFailurePolicy();
1170    
1171    
1172    
1173      /**
1174       * Sets the "state-update-failure-policy" property.
1175       * <p>
1176       * Specifies how the server deals with the inability to update
1177       * password policy state information during an authentication
1178       * attempt.
1179       * <p>
1180       * In particular, this property can be used to control whether an
1181       * otherwise successful bind operation fails if a failure occurs
1182       * while attempting to update password policy state information (for
1183       * example, to clear a record of previous authentication failures or
1184       * to update the last login time). It can also be used to control
1185       * whether to reject a bind request if it is known ahead of time that
1186       * it will not be possible to update the authentication failure times
1187       * in the event of an unsuccessful bind attempt (for example, if the
1188       * backend writability mode is disabled).
           * <p>
           * Security note: choose the value with lockout in mind. A value
           * that lets binds proceed while failure times cannot be recorded
           * presumably weakens protection against password guessing, while
           * a stricter one can block logins whenever the backend is not
           * writable.
           * NOTE(review): null is presumably accepted and restores the
           * default - confirm what that default is.
1189       *
1190       * @param value The value of the "state-update-failure-policy" property.
1191       * @throws IllegalPropertyValueException
1192       *           If the new value is invalid.
1193       */
1194      void setStateUpdateFailurePolicy(StateUpdateFailurePolicy value) throws IllegalPropertyValueException;
1195    
1196    }