001 /* 002 * CDDL HEADER START 003 * 004 * The contents of this file are subject to the terms of the 005 * Common Development and Distribution License, Version 1.0 only 006 * (the "License"). You may not use this file except in compliance 007 * with the License. 008 * 009 * You can obtain a copy of the license at 010 * trunk/opends/resource/legal-notices/OpenDS.LICENSE 011 * or https://OpenDS.dev.java.net/OpenDS.LICENSE. 012 * See the License for the specific language governing permissions 013 * and limitations under the License. 014 * 015 * When distributing Covered Code, include this CDDL HEADER in each 016 * file and include the License file at 017 * trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable, 018 * add the following below this CDDL HEADER, with the fields enclosed 019 * by brackets "[]" replaced with your own identifying information: 020 * Portions Copyright [yyyy] [name of copyright owner] 021 * 022 * CDDL HEADER END 023 * 024 * 025 * Copyright 2008 Sun Microsystems, Inc. 026 */ 027 package org.opends.server.admin.std.server; 028 029 030 031 import java.util.SortedSet; 032 import org.opends.server.admin.Configuration; 033 import org.opends.server.admin.server.ConfigurationChangeListener; 034 import org.opends.server.admin.std.meta.PasswordPolicyCfgDefn.StateUpdateFailurePolicy; 035 import org.opends.server.types.AttributeType; 036 import org.opends.server.types.DN; 037 038 039 040 /** 041 * A server-side interface for querying Password Policy settings. 042 * <p> 043 * Password Policies define a number of password management rules, as 044 * well as requirements for authentication processing. 045 */ 046 public interface PasswordPolicyCfg extends Configuration { 047 048 /** 049 * Gets the configuration class associated with this Password Policy. 050 * 051 * @return Returns the configuration class associated with this Password Policy. 052 */ 053 Class<? extends PasswordPolicyCfg> configurationClass(); 054 055 056 057 /** 058 * Register to be notified when this Password Policy is changed. 059 * 060 * @param listener 061 * The Password Policy configuration change listener. 062 */ 063 void addChangeListener(ConfigurationChangeListener<PasswordPolicyCfg> listener); 064 065 066 067 /** 068 * Deregister an existing Password Policy configuration change listener. 069 * 070 * @param listener 071 * The Password Policy configuration change listener. 072 */ 073 void removeChangeListener(ConfigurationChangeListener<PasswordPolicyCfg> listener); 074 075 076 077 /** 078 * Gets the "account-status-notification-handler" property. 079 * <p> 080 * Specifies the names of the account status notification handlers 081 * that are used with the associated password storage scheme. 082 * 083 * @return Returns an unmodifiable set containing the values of the "account-status-notification-handler" property. 084 */ 085 SortedSet<String> getAccountStatusNotificationHandler(); 086 087 088 089 /** 090 * Gets the "account-status-notification-handler" property as a set 091 * of DNs. 092 * <p> 093 * Specifies the names of the account status notification handlers 094 * that are used with the associated password storage scheme. 095 * 096 * @return Returns the DN values of the 097 * "account-status-notification-handler" property. 098 */ 099 SortedSet<DN> getAccountStatusNotificationHandlerDNs(); 100 101 102 103 /** 104 * Gets the "allow-expired-password-changes" property. 105 * <p> 106 * Indicates whether a user whose password is expired is still 107 * allowed to change that password using the password modify extended 108 * operation. 109 * 110 * @return Returns the value of the "allow-expired-password-changes" property. 111 */ 112 boolean isAllowExpiredPasswordChanges(); 113 114 115 116 /** 117 * Gets the "allow-multiple-password-values" property. 118 * <p> 119 * Indicates whether user entries can have multiple distinct values 120 * for the password attribute. 121 * <p> 122 * This is potentially dangerous because many mechanisms used to 123 * change the password do not work well with such a configuration. If 124 * multiple password values are allowed, then any of them can be used 125 * to authenticate, and they are all subject to the same policy 126 * constraints. 127 * 128 * @return Returns the value of the "allow-multiple-password-values" property. 129 */ 130 boolean isAllowMultiplePasswordValues(); 131 132 133 134 /** 135 * Gets the "allow-pre-encoded-passwords" property. 136 * <p> 137 * Indicates whether users can change their passwords by providing a 138 * pre-encoded value. 139 * <p> 140 * This can cause a security risk because the clear-text version of 141 * the password is not known and therefore validation checks cannot 142 * be applied to it. 143 * 144 * @return Returns the value of the "allow-pre-encoded-passwords" property. 145 */ 146 boolean isAllowPreEncodedPasswords(); 147 148 149 150 /** 151 * Gets the "allow-user-password-changes" property. 152 * <p> 153 * Indicates whether users can change their own passwords. 154 * <p> 155 * This check is made in addition to access control evaluation. Both 156 * must allow the password change for it to occur. 157 * 158 * @return Returns the value of the "allow-user-password-changes" property. 159 */ 160 boolean isAllowUserPasswordChanges(); 161 162 163 164 /** 165 * Gets the "default-password-storage-scheme" property. 166 * <p> 167 * Specifies the names of the password storage schemes that are used 168 * to encode clear-text passwords for this password policy. 169 * 170 * @return Returns an unmodifiable set containing the values of the "default-password-storage-scheme" property. 171 */ 172 SortedSet<String> getDefaultPasswordStorageScheme(); 173 174 175 176 /** 177 * Gets the "default-password-storage-scheme" property as a set of 178 * DNs. 179 * <p> 180 * Specifies the names of the password storage schemes that are used 181 * to encode clear-text passwords for this password policy. 182 * 183 * @return Returns the DN values of the 184 * "default-password-storage-scheme" property. 185 */ 186 SortedSet<DN> getDefaultPasswordStorageSchemeDNs(); 187 188 189 190 /** 191 * Gets the "deprecated-password-storage-scheme" property. 192 * <p> 193 * Specifies the names of the password storage schemes that are 194 * considered deprecated for this password policy. 195 * <p> 196 * If a user with this password policy authenticates to the server 197 * and his/her password is encoded with a deprecated scheme, those 198 * values are removed and replaced with values encoded using the 199 * default password storage scheme(s). 200 * 201 * @return Returns an unmodifiable set containing the values of the "deprecated-password-storage-scheme" property. 202 */ 203 SortedSet<String> getDeprecatedPasswordStorageScheme(); 204 205 206 207 /** 208 * Gets the "deprecated-password-storage-scheme" property as a set 209 * of DNs. 210 * <p> 211 * Specifies the names of the password storage schemes that are 212 * considered deprecated for this password policy. 213 * <p> 214 * If a user with this password policy authenticates to the server 215 * and his/her password is encoded with a deprecated scheme, those 216 * values are removed and replaced with values encoded using the 217 * default password storage scheme(s). 218 * 219 * @return Returns the DN values of the 220 * "deprecated-password-storage-scheme" property. 221 */ 222 SortedSet<DN> getDeprecatedPasswordStorageSchemeDNs(); 223 224 225 226 /** 227 * Gets the "expire-passwords-without-warning" property. 228 * <p> 229 * Indicates whether the Directory Server allows a user's password 230 * to expire even if that user has never seen an expiration warning 231 * notification. 232 * <p> 233 * If this property is true, accounts always expire when the 234 * expiration time arrives. If this property is false disabled, the 235 * user always receives at least one warning notification, and the 236 * password expiration is set to the warning time plus the warning 237 * interval. 238 * 239 * @return Returns the value of the "expire-passwords-without-warning" property. 240 */ 241 boolean isExpirePasswordsWithoutWarning(); 242 243 244 245 /** 246 * Gets the "force-change-on-add" property. 247 * <p> 248 * Indicates whether users are forced to change their passwords upon 249 * first authenticating to the Directory Server after their account 250 * has been created. 251 * 252 * @return Returns the value of the "force-change-on-add" property. 253 */ 254 boolean isForceChangeOnAdd(); 255 256 257 258 /** 259 * Gets the "force-change-on-reset" property. 260 * <p> 261 * Indicates whether users are forced to change their passwords if 262 * they are reset by an administrator. 263 * <p> 264 * For this purpose, anyone with permission to change a given user's 265 * password other than that user is considered an administrator. 266 * 267 * @return Returns the value of the "force-change-on-reset" property. 268 */ 269 boolean isForceChangeOnReset(); 270 271 272 273 /** 274 * Gets the "grace-login-count" property. 275 * <p> 276 * Specifies the number of grace logins that a user is allowed after 277 * the account has expired to allow that user to choose a new 278 * password. 279 * <p> 280 * A value of 0 indicates that no grace logins are allowed. 281 * 282 * @return Returns the value of the "grace-login-count" property. 283 */ 284 int getGraceLoginCount(); 285 286 287 288 /** 289 * Gets the "idle-lockout-interval" property. 290 * <p> 291 * Specifies the maximum length of time that an account may remain 292 * idle (that is, the associated user does not authenticate to the 293 * server) before that user is locked out. 294 * <p> 295 * The value of this attribute is an integer followed by a unit of 296 * seconds, minutes, hours, days, or weeks. A value of 0 seconds 297 * indicates that idle accounts are not automatically locked out. 298 * This feature is available only if the last login time is 299 * maintained. 300 * 301 * @return Returns the value of the "idle-lockout-interval" property. 302 */ 303 long getIdleLockoutInterval(); 304 305 306 307 /** 308 * Gets the "last-login-time-attribute" property. 309 * <p> 310 * Specifies the name or OID of the attribute type that is used to 311 * hold the last login time for users with the associated password 312 * policy. 313 * <p> 314 * This attribute type must be defined in the Directory Server 315 * schema and must either be defined as an operational attribute or 316 * must be allowed by the set of objectClasses for all users with the 317 * associated password policy. 318 * 319 * @return Returns the value of the "last-login-time-attribute" property. 320 */ 321 AttributeType getLastLoginTimeAttribute(); 322 323 324 325 /** 326 * Gets the "last-login-time-format" property. 327 * <p> 328 * Specifies the format string that is used to generate the last 329 * login time value for users with the associated password policy. 330 * <p> 331 * This format string conforms to the syntax described in the API 332 * documentation for the java.text.SimpleDateFormat class. 333 * 334 * @return Returns the value of the "last-login-time-format" property. 335 */ 336 String getLastLoginTimeFormat(); 337 338 339 340 /** 341 * Gets the "lockout-duration" property. 342 * <p> 343 * Specifies the length of time that an account is locked after too 344 * many authentication failures. 345 * <p> 346 * The value of this attribute is an integer followed by a unit of 347 * seconds, minutes, hours, days, or weeks. A value of 0 seconds 348 * indicates that the account must remain locked until an 349 * administrator resets the password. 350 * 351 * @return Returns the value of the "lockout-duration" property. 352 */ 353 long getLockoutDuration(); 354 355 356 357 /** 358 * Gets the "lockout-failure-count" property. 359 * <p> 360 * Specifies the maximum number of authentication failures that a 361 * user is allowed before the account is locked out. 362 * <p> 363 * A value of 0 indicates that accounts are never locked out due to 364 * failed attempts. 365 * 366 * @return Returns the value of the "lockout-failure-count" property. 367 */ 368 int getLockoutFailureCount(); 369 370 371 372 /** 373 * Gets the "lockout-failure-expiration-interval" property. 374 * <p> 375 * Specifies the length of time before an authentication failure is 376 * no longer counted against a user for the purposes of account 377 * lockout. 378 * <p> 379 * The value of this attribute is an integer followed by a unit of 380 * seconds, minutes, hours, days, or weeks. A value of 0 seconds 381 * indicates that the authentication failures must never expire. The 382 * failure count is always cleared upon a successful authentication. 383 * 384 * @return Returns the value of the "lockout-failure-expiration-interval" property. 385 */ 386 long getLockoutFailureExpirationInterval(); 387 388 389 390 /** 391 * Gets the "max-password-age" property. 392 * <p> 393 * Specifies the maximum length of time that a user can continue 394 * using the same password before it must be changed (that is, the 395 * password expiration interval). 396 * <p> 397 * The value of this attribute is an integer followed by a unit of 398 * seconds, minutes, hours, days, or weeks. A value of 0 seconds 399 * disables password expiration. 400 * 401 * @return Returns the value of the "max-password-age" property. 402 */ 403 long getMaxPasswordAge(); 404 405 406 407 /** 408 * Gets the "max-password-reset-age" property. 409 * <p> 410 * Specifies the maximum length of time that users have to change 411 * passwords after they have been reset by an administrator before 412 * they become locked. 413 * <p> 414 * The value of this attribute is an integer followed by a unit of 415 * seconds, minutes, hours, days, or weeks. A value of 0 seconds 416 * disables this feature. 417 * 418 * @return Returns the value of the "max-password-reset-age" property. 419 */ 420 long getMaxPasswordResetAge(); 421 422 423 424 /** 425 * Gets the "min-password-age" property. 426 * <p> 427 * Specifies the minimum length of time after a password change 428 * before the user is allowed to change the password again. 429 * <p> 430 * The value of this attribute is an integer followed by a unit of 431 * seconds, minutes, hours, days, or weeks. This setting can be used 432 * to prevent users from changing their passwords repeatedly over a 433 * short period of time to flush an old password from the history so 434 * that it can be re-used. 435 * 436 * @return Returns the value of the "min-password-age" property. 437 */ 438 long getMinPasswordAge(); 439 440 441 442 /** 443 * Gets the "password-attribute" property. 444 * <p> 445 * Specifies the attribute type used to hold user passwords. 446 * <p> 447 * This attribute type must be defined in the server schema, and it 448 * must have either the user password or auth password syntax. 449 * 450 * @return Returns the value of the "password-attribute" property. 451 */ 452 AttributeType getPasswordAttribute(); 453 454 455 456 /** 457 * Gets the "password-change-requires-current-password" property. 458 * <p> 459 * Indicates whether user password changes must use the password 460 * modify extended operation and must include the user's current 461 * password before the change is allowed. 462 * 463 * @return Returns the value of the "password-change-requires-current-password" property. 464 */ 465 boolean isPasswordChangeRequiresCurrentPassword(); 466 467 468 469 /** 470 * Gets the "password-expiration-warning-interval" property. 471 * <p> 472 * Specifies the maximum length of time before a user's password 473 * actually expires that the server begins to include warning 474 * notifications in bind responses for that user. 475 * <p> 476 * The value of this attribute is an integer followed by a unit of 477 * seconds, minutes, hours, days, or weeks. A value of 0 seconds 478 * disables the warning interval. 479 * 480 * @return Returns the value of the "password-expiration-warning-interval" property. 481 */ 482 long getPasswordExpirationWarningInterval(); 483 484 485 486 /** 487 * Gets the "password-generator" property. 488 * <p> 489 * Specifies the name of the password generator that is used with 490 * the associated password policy. 491 * <p> 492 * This is used in conjunction with the password modify extended 493 * operation to generate a new password for a user when none was 494 * provided in the request. 495 * 496 * @return Returns the value of the "password-generator" property. 497 */ 498 String getPasswordGenerator(); 499 500 501 502 /** 503 * Gets the "password-generator" property as a DN. 504 * <p> 505 * Specifies the name of the password generator that is used with 506 * the associated password policy. 507 * <p> 508 * This is used in conjunction with the password modify extended 509 * operation to generate a new password for a user when none was 510 * provided in the request. 511 * 512 * @return Returns the DN value of the "password-generator" 513 * property. 514 */ 515 DN getPasswordGeneratorDN(); 516 517 518 519 /** 520 * Gets the "password-history-count" property. 521 * <p> 522 * Specifies the maximum number of former passwords to maintain in 523 * the password history. 524 * <p> 525 * When choosing a new password, the proposed password is checked to 526 * ensure that it does not match the current password, nor any other 527 * password in the history list. A value of zero indicates that 528 * either no password history is to be maintained (if the password 529 * history duration has a value of zero seconds), or that there is no 530 * maximum number of passwords to maintain in the history (if the 531 * password history duration has a value greater than zero seconds). 532 * 533 * @return Returns the value of the "password-history-count" property. 534 */ 535 int getPasswordHistoryCount(); 536 537 538 539 /** 540 * Gets the "password-history-duration" property. 541 * <p> 542 * Specifies the maximum length of time that passwords remain in the 543 * password history. 544 * <p> 545 * When choosing a new password, the proposed password is checked to 546 * ensure that it does not match the current password, nor any other 547 * password in the history list. A value of zero seconds indicates 548 * that either no password history is to be maintained (if the 549 * password history count has a value of zero), or that there is no 550 * maximum duration for passwords in the history (if the password 551 * history count has a value greater than zero). 552 * 553 * @return Returns the value of the "password-history-duration" property. 554 */ 555 long getPasswordHistoryDuration(); 556 557 558 559 /** 560 * Gets the "password-validator" property. 561 * <p> 562 * Specifies the names of the password validators that are used with 563 * the associated password storage scheme. 564 * <p> 565 * The password validators are invoked when a user attempts to 566 * provide a new password, to determine whether the new password is 567 * acceptable. 568 * 569 * @return Returns an unmodifiable set containing the values of the "password-validator" property. 570 */ 571 SortedSet<String> getPasswordValidator(); 572 573 574 575 /** 576 * Gets the "password-validator" property as a set of DNs. 577 * <p> 578 * Specifies the names of the password validators that are used with 579 * the associated password storage scheme. 580 * <p> 581 * The password validators are invoked when a user attempts to 582 * provide a new password, to determine whether the new password is 583 * acceptable. 584 * 585 * @return Returns the DN values of the "password-validator" 586 * property. 587 */ 588 SortedSet<DN> getPasswordValidatorDNs(); 589 590 591 592 /** 593 * Gets the "previous-last-login-time-format" property. 594 * <p> 595 * Specifies the format string(s) that might have been used with the 596 * last login time at any point in the past for users associated with 597 * the password policy. 598 * <p> 599 * These values are used to make it possible to parse previous 600 * values, but are not used to set new values. The format strings 601 * conform to the syntax described in the API documentation for the 602 * java.text.SimpleDateFormat class. 603 * 604 * @return Returns an unmodifiable set containing the values of the "previous-last-login-time-format" property. 605 */ 606 SortedSet<String> getPreviousLastLoginTimeFormat(); 607 608 609 610 /** 611 * Gets the "require-change-by-time" property. 612 * <p> 613 * Specifies the time by which all users with the associated 614 * password policy must change their passwords. 615 * <p> 616 * The value is expressed in a generalized time format. If this time 617 * is equal to the current time or is in the past, then all users are 618 * required to change their passwords immediately. The behavior of 619 * the server in this mode is identical to the behavior observed when 620 * users are forced to change their passwords after an administrative 621 * reset. 622 * 623 * @return Returns the value of the "require-change-by-time" property. 624 */ 625 String getRequireChangeByTime(); 626 627 628 629 /** 630 * Gets the "require-secure-authentication" property. 631 * <p> 632 * Indicates whether users with the associated password policy are 633 * required to authenticate in a secure manner. 634 * <p> 635 * This might mean either using a secure communication channel 636 * between the client and the server, or using a SASL mechanism that 637 * does not expose the credentials. 638 * 639 * @return Returns the value of the "require-secure-authentication" property. 640 */ 641 boolean isRequireSecureAuthentication(); 642 643 644 645 /** 646 * Gets the "require-secure-password-changes" property. 647 * <p> 648 * Indicates whether users with the associated password policy are 649 * required to change their password in a secure manner that does not 650 * expose the credentials. 651 * 652 * @return Returns the value of the "require-secure-password-changes" property. 653 */ 654 boolean isRequireSecurePasswordChanges(); 655 656 657 658 /** 659 * Gets the "skip-validation-for-administrators" property. 660 * <p> 661 * Indicates whether passwords set by administrators are allowed to 662 * bypass the password validation process that is required for user 663 * password changes. 664 * 665 * @return Returns the value of the "skip-validation-for-administrators" property. 666 */ 667 boolean isSkipValidationForAdministrators(); 668 669 670 671 /** 672 * Gets the "state-update-failure-policy" property. 673 * <p> 674 * Specifies how the server deals with the inability to update 675 * password policy state information during an authentication 676 * attempt. 677 * <p> 678 * In particular, this property can be used to control whether an 679 * otherwise successful bind operation fails if a failure occurs 680 * while attempting to update password policy state information (for 681 * example, to clear a record of previous authentication failures or 682 * to update the last login time). It can also be used to control 683 * whether to reject a bind request if it is known ahead of time that 684 * it will not be possible to update the authentication failure times 685 * in the event of an unsuccessful bind attempt (for example, if the 686 * backend writability mode is disabled). 687 * 688 * @return Returns the value of the "state-update-failure-policy" property. 689 */ 690 StateUpdateFailurePolicy getStateUpdateFailurePolicy(); 691 692 }