001    /*
002     * CDDL HEADER START
003     *
004     * The contents of this file are subject to the terms of the
005     * Common Development and Distribution License, Version 1.0 only
006     * (the "License").  You may not use this file except in compliance
007     * with the License.
008     *
009     * You can obtain a copy of the license at
010     * trunk/opends/resource/legal-notices/OpenDS.LICENSE
011     * or https://OpenDS.dev.java.net/OpenDS.LICENSE.
012     * See the License for the specific language governing permissions
013     * and limitations under the License.
014     *
015     * When distributing Covered Code, include this CDDL HEADER in each
016     * file and include the License file at
017     * trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
018     * add the following below this CDDL HEADER, with the fields enclosed
019     * by brackets "[]" replaced with your own identifying information:
020     *      Portions Copyright [yyyy] [name of copyright owner]
021     *
022     * CDDL HEADER END
023     *
024     *
025     *      Copyright 2008 Sun Microsystems, Inc.
026     */
027    package org.opends.server.admin.std.server;
028    
029    
030    
031    import java.util.SortedSet;
032    import org.opends.server.admin.Configuration;
033    import org.opends.server.admin.server.ConfigurationChangeListener;
034    import org.opends.server.admin.std.meta.PasswordPolicyCfgDefn.StateUpdateFailurePolicy;
035    import org.opends.server.types.AttributeType;
036    import org.opends.server.types.DN;
037    
038    
039    
040    /**
041     * A server-side interface for querying Password Policy settings.
042     * <p>
043     * Password Policies define a number of password management rules, as
044     * well as requirements for authentication processing.
045     */
046    public interface PasswordPolicyCfg extends Configuration {
047    
048      /**
049       * Gets the configuration class associated with this Password Policy.
050       *
051       * @return Returns the configuration class associated with this Password Policy.
052       */
053      Class<? extends PasswordPolicyCfg> configurationClass();
054    
055    
056    
057      /**
058       * Register to be notified when this Password Policy is changed.
059       *
060       * @param listener
061       *          The Password Policy configuration change listener.
062       */
063      void addChangeListener(ConfigurationChangeListener<PasswordPolicyCfg> listener);
064    
065    
066    
067      /**
068       * Deregister an existing Password Policy configuration change listener.
069       *
070       * @param listener
071       *          The Password Policy configuration change listener.
072       */
073      void removeChangeListener(ConfigurationChangeListener<PasswordPolicyCfg> listener);
074    
075    
076    
077      /**
078       * Gets the "account-status-notification-handler" property.
079       * <p>
080       * Specifies the names of the account status notification handlers
081       * that are used with the associated password storage scheme.
082       *
083       * @return Returns an unmodifiable set containing the values of the "account-status-notification-handler" property.
084       */
085      SortedSet<String> getAccountStatusNotificationHandler();
086    
087    
088    
089      /**
090       * Gets the "account-status-notification-handler" property as a set
091       * of DNs.
092       * <p>
093       * Specifies the names of the account status notification handlers
094       * that are used with the associated password storage scheme.
095       *
096       * @return Returns the DN values of the
097       *         "account-status-notification-handler" property.
098       */
099      SortedSet<DN> getAccountStatusNotificationHandlerDNs();
100    
101    
102    
103      /**
104       * Gets the "allow-expired-password-changes" property.
105       * <p>
106       * Indicates whether a user whose password is expired is still
107       * allowed to change that password using the password modify extended
108       * operation.
109       *
110       * @return Returns the value of the "allow-expired-password-changes" property.
111       */
112      boolean isAllowExpiredPasswordChanges();
113    
114    
115    
116      /**
117       * Gets the "allow-multiple-password-values" property.
118       * <p>
119       * Indicates whether user entries can have multiple distinct values
120       * for the password attribute.
121       * <p>
122       * This is potentially dangerous because many mechanisms used to
123       * change the password do not work well with such a configuration. If
124       * multiple password values are allowed, then any of them can be used
125       * to authenticate, and they are all subject to the same policy
126       * constraints.
127       *
128       * @return Returns the value of the "allow-multiple-password-values" property.
129       */
130      boolean isAllowMultiplePasswordValues();
131    
132    
133    
134      /**
135       * Gets the "allow-pre-encoded-passwords" property.
136       * <p>
137       * Indicates whether users can change their passwords by providing a
138       * pre-encoded value.
139       * <p>
140       * This can cause a security risk because the clear-text version of
141       * the password is not known and therefore validation checks cannot
142       * be applied to it.
143       *
144       * @return Returns the value of the "allow-pre-encoded-passwords" property.
145       */
146      boolean isAllowPreEncodedPasswords();
147    
148    
149    
150      /**
151       * Gets the "allow-user-password-changes" property.
152       * <p>
153       * Indicates whether users can change their own passwords.
154       * <p>
155       * This check is made in addition to access control evaluation. Both
156       * must allow the password change for it to occur.
157       *
158       * @return Returns the value of the "allow-user-password-changes" property.
159       */
160      boolean isAllowUserPasswordChanges();
161    
162    
163    
164      /**
165       * Gets the "default-password-storage-scheme" property.
166       * <p>
167       * Specifies the names of the password storage schemes that are used
168       * to encode clear-text passwords for this password policy.
169       *
170       * @return Returns an unmodifiable set containing the values of the "default-password-storage-scheme" property.
171       */
172      SortedSet<String> getDefaultPasswordStorageScheme();
173    
174    
175    
176      /**
177       * Gets the "default-password-storage-scheme" property as a set of
178       * DNs.
179       * <p>
180       * Specifies the names of the password storage schemes that are used
181       * to encode clear-text passwords for this password policy.
182       *
183       * @return Returns the DN values of the
184       *         "default-password-storage-scheme" property.
185       */
186      SortedSet<DN> getDefaultPasswordStorageSchemeDNs();
187    
188    
189    
190      /**
191       * Gets the "deprecated-password-storage-scheme" property.
192       * <p>
193       * Specifies the names of the password storage schemes that are
194       * considered deprecated for this password policy.
195       * <p>
196       * If a user with this password policy authenticates to the server
197       * and his/her password is encoded with a deprecated scheme, those
198       * values are removed and replaced with values encoded using the
199       * default password storage scheme(s).
200       *
201       * @return Returns an unmodifiable set containing the values of the "deprecated-password-storage-scheme" property.
202       */
203      SortedSet<String> getDeprecatedPasswordStorageScheme();
204    
205    
206    
207      /**
208       * Gets the "deprecated-password-storage-scheme" property as a set
209       * of DNs.
210       * <p>
211       * Specifies the names of the password storage schemes that are
212       * considered deprecated for this password policy.
213       * <p>
214       * If a user with this password policy authenticates to the server
215       * and his/her password is encoded with a deprecated scheme, those
216       * values are removed and replaced with values encoded using the
217       * default password storage scheme(s).
218       *
219       * @return Returns the DN values of the
220       *         "deprecated-password-storage-scheme" property.
221       */
222      SortedSet<DN> getDeprecatedPasswordStorageSchemeDNs();
223    
224    
225    
226      /**
227       * Gets the "expire-passwords-without-warning" property.
228       * <p>
229       * Indicates whether the Directory Server allows a user's password
230       * to expire even if that user has never seen an expiration warning
231       * notification.
232       * <p>
233       * If this property is true, accounts always expire when the
234       * expiration time arrives. If this property is false disabled, the
235       * user always receives at least one warning notification, and the
236       * password expiration is set to the warning time plus the warning
237       * interval.
238       *
239       * @return Returns the value of the "expire-passwords-without-warning" property.
240       */
241      boolean isExpirePasswordsWithoutWarning();
242    
243    
244    
245      /**
246       * Gets the "force-change-on-add" property.
247       * <p>
248       * Indicates whether users are forced to change their passwords upon
249       * first authenticating to the Directory Server after their account
250       * has been created.
251       *
252       * @return Returns the value of the "force-change-on-add" property.
253       */
254      boolean isForceChangeOnAdd();
255    
256    
257    
258      /**
259       * Gets the "force-change-on-reset" property.
260       * <p>
261       * Indicates whether users are forced to change their passwords if
262       * they are reset by an administrator.
263       * <p>
264       * For this purpose, anyone with permission to change a given user's
265       * password other than that user is considered an administrator.
266       *
267       * @return Returns the value of the "force-change-on-reset" property.
268       */
269      boolean isForceChangeOnReset();
270    
271    
272    
273      /**
274       * Gets the "grace-login-count" property.
275       * <p>
276       * Specifies the number of grace logins that a user is allowed after
277       * the account has expired to allow that user to choose a new
278       * password.
279       * <p>
280       * A value of 0 indicates that no grace logins are allowed.
281       *
282       * @return Returns the value of the "grace-login-count" property.
283       */
284      int getGraceLoginCount();
285    
286    
287    
288      /**
289       * Gets the "idle-lockout-interval" property.
290       * <p>
291       * Specifies the maximum length of time that an account may remain
292       * idle (that is, the associated user does not authenticate to the
293       * server) before that user is locked out.
294       * <p>
295       * The value of this attribute is an integer followed by a unit of
296       * seconds, minutes, hours, days, or weeks. A value of 0 seconds
297       * indicates that idle accounts are not automatically locked out.
298       * This feature is available only if the last login time is
299       * maintained.
300       *
301       * @return Returns the value of the "idle-lockout-interval" property.
302       */
303      long getIdleLockoutInterval();
304    
305    
306    
307      /**
308       * Gets the "last-login-time-attribute" property.
309       * <p>
310       * Specifies the name or OID of the attribute type that is used to
311       * hold the last login time for users with the associated password
312       * policy.
313       * <p>
314       * This attribute type must be defined in the Directory Server
315       * schema and must either be defined as an operational attribute or
316       * must be allowed by the set of objectClasses for all users with the
317       * associated password policy.
318       *
319       * @return Returns the value of the "last-login-time-attribute" property.
320       */
321      AttributeType getLastLoginTimeAttribute();
322    
323    
324    
325      /**
326       * Gets the "last-login-time-format" property.
327       * <p>
328       * Specifies the format string that is used to generate the last
329       * login time value for users with the associated password policy.
330       * <p>
331       * This format string conforms to the syntax described in the API
332       * documentation for the java.text.SimpleDateFormat class.
333       *
334       * @return Returns the value of the "last-login-time-format" property.
335       */
336      String getLastLoginTimeFormat();
337    
338    
339    
340      /**
341       * Gets the "lockout-duration" property.
342       * <p>
343       * Specifies the length of time that an account is locked after too
344       * many authentication failures.
345       * <p>
346       * The value of this attribute is an integer followed by a unit of
347       * seconds, minutes, hours, days, or weeks. A value of 0 seconds
348       * indicates that the account must remain locked until an
349       * administrator resets the password.
350       *
351       * @return Returns the value of the "lockout-duration" property.
352       */
353      long getLockoutDuration();
354    
355    
356    
357      /**
358       * Gets the "lockout-failure-count" property.
359       * <p>
360       * Specifies the maximum number of authentication failures that a
361       * user is allowed before the account is locked out.
362       * <p>
363       * A value of 0 indicates that accounts are never locked out due to
364       * failed attempts.
365       *
366       * @return Returns the value of the "lockout-failure-count" property.
367       */
368      int getLockoutFailureCount();
369    
370    
371    
372      /**
373       * Gets the "lockout-failure-expiration-interval" property.
374       * <p>
375       * Specifies the length of time before an authentication failure is
376       * no longer counted against a user for the purposes of account
377       * lockout.
378       * <p>
379       * The value of this attribute is an integer followed by a unit of
380       * seconds, minutes, hours, days, or weeks. A value of 0 seconds
381       * indicates that the authentication failures must never expire. The
382       * failure count is always cleared upon a successful authentication.
383       *
384       * @return Returns the value of the "lockout-failure-expiration-interval" property.
385       */
386      long getLockoutFailureExpirationInterval();
387    
388    
389    
390      /**
391       * Gets the "max-password-age" property.
392       * <p>
393       * Specifies the maximum length of time that a user can continue
394       * using the same password before it must be changed (that is, the
395       * password expiration interval).
396       * <p>
397       * The value of this attribute is an integer followed by a unit of
398       * seconds, minutes, hours, days, or weeks. A value of 0 seconds
399       * disables password expiration.
400       *
401       * @return Returns the value of the "max-password-age" property.
402       */
403      long getMaxPasswordAge();
404    
405    
406    
407      /**
408       * Gets the "max-password-reset-age" property.
409       * <p>
410       * Specifies the maximum length of time that users have to change
411       * passwords after they have been reset by an administrator before
412       * they become locked.
413       * <p>
414       * The value of this attribute is an integer followed by a unit of
415       * seconds, minutes, hours, days, or weeks. A value of 0 seconds
416       * disables this feature.
417       *
418       * @return Returns the value of the "max-password-reset-age" property.
419       */
420      long getMaxPasswordResetAge();
421    
422    
423    
424      /**
425       * Gets the "min-password-age" property.
426       * <p>
427       * Specifies the minimum length of time after a password change
428       * before the user is allowed to change the password again.
429       * <p>
430       * The value of this attribute is an integer followed by a unit of
431       * seconds, minutes, hours, days, or weeks. This setting can be used
432       * to prevent users from changing their passwords repeatedly over a
433       * short period of time to flush an old password from the history so
434       * that it can be re-used.
435       *
436       * @return Returns the value of the "min-password-age" property.
437       */
438      long getMinPasswordAge();
439    
440    
441    
442      /**
443       * Gets the "password-attribute" property.
444       * <p>
445       * Specifies the attribute type used to hold user passwords.
446       * <p>
447       * This attribute type must be defined in the server schema, and it
448       * must have either the user password or auth password syntax.
449       *
450       * @return Returns the value of the "password-attribute" property.
451       */
452      AttributeType getPasswordAttribute();
453    
454    
455    
456      /**
457       * Gets the "password-change-requires-current-password" property.
458       * <p>
459       * Indicates whether user password changes must use the password
460       * modify extended operation and must include the user's current
461       * password before the change is allowed.
462       *
463       * @return Returns the value of the "password-change-requires-current-password" property.
464       */
465      boolean isPasswordChangeRequiresCurrentPassword();
466    
467    
468    
469      /**
470       * Gets the "password-expiration-warning-interval" property.
471       * <p>
472       * Specifies the maximum length of time before a user's password
473       * actually expires that the server begins to include warning
474       * notifications in bind responses for that user.
475       * <p>
476       * The value of this attribute is an integer followed by a unit of
477       * seconds, minutes, hours, days, or weeks. A value of 0 seconds
478       * disables the warning interval.
479       *
480       * @return Returns the value of the "password-expiration-warning-interval" property.
481       */
482      long getPasswordExpirationWarningInterval();
483    
484    
485    
486      /**
487       * Gets the "password-generator" property.
488       * <p>
489       * Specifies the name of the password generator that is used with
490       * the associated password policy.
491       * <p>
492       * This is used in conjunction with the password modify extended
493       * operation to generate a new password for a user when none was
494       * provided in the request.
495       *
496       * @return Returns the value of the "password-generator" property.
497       */
498      String getPasswordGenerator();
499    
500    
501    
502      /**
503       * Gets the "password-generator" property as a DN.
504       * <p>
505       * Specifies the name of the password generator that is used with
506       * the associated password policy.
507       * <p>
508       * This is used in conjunction with the password modify extended
509       * operation to generate a new password for a user when none was
510       * provided in the request.
511       *
512       * @return Returns the DN value of the "password-generator"
513       *         property.
514       */
515      DN getPasswordGeneratorDN();
516    
517    
518    
519      /**
520       * Gets the "password-history-count" property.
521       * <p>
522       * Specifies the maximum number of former passwords to maintain in
523       * the password history.
524       * <p>
525       * When choosing a new password, the proposed password is checked to
526       * ensure that it does not match the current password, nor any other
527       * password in the history list. A value of zero indicates that
528       * either no password history is to be maintained (if the password
529       * history duration has a value of zero seconds), or that there is no
530       * maximum number of passwords to maintain in the history (if the
531       * password history duration has a value greater than zero seconds).
532       *
533       * @return Returns the value of the "password-history-count" property.
534       */
535      int getPasswordHistoryCount();
536    
537    
538    
539      /**
540       * Gets the "password-history-duration" property.
541       * <p>
542       * Specifies the maximum length of time that passwords remain in the
543       * password history.
544       * <p>
545       * When choosing a new password, the proposed password is checked to
546       * ensure that it does not match the current password, nor any other
547       * password in the history list. A value of zero seconds indicates
548       * that either no password history is to be maintained (if the
549       * password history count has a value of zero), or that there is no
550       * maximum duration for passwords in the history (if the password
551       * history count has a value greater than zero).
552       *
553       * @return Returns the value of the "password-history-duration" property.
554       */
555      long getPasswordHistoryDuration();
556    
557    
558    
559      /**
560       * Gets the "password-validator" property.
561       * <p>
562       * Specifies the names of the password validators that are used with
563       * the associated password storage scheme.
564       * <p>
565       * The password validators are invoked when a user attempts to
566       * provide a new password, to determine whether the new password is
567       * acceptable.
568       *
569       * @return Returns an unmodifiable set containing the values of the "password-validator" property.
570       */
571      SortedSet<String> getPasswordValidator();
572    
573    
574    
575      /**
576       * Gets the "password-validator" property as a set of DNs.
577       * <p>
578       * Specifies the names of the password validators that are used with
579       * the associated password storage scheme.
580       * <p>
581       * The password validators are invoked when a user attempts to
582       * provide a new password, to determine whether the new password is
583       * acceptable.
584       *
585       * @return Returns the DN values of the "password-validator"
586       *         property.
587       */
588      SortedSet<DN> getPasswordValidatorDNs();
589    
590    
591    
592      /**
593       * Gets the "previous-last-login-time-format" property.
594       * <p>
595       * Specifies the format string(s) that might have been used with the
596       * last login time at any point in the past for users associated with
597       * the password policy.
598       * <p>
599       * These values are used to make it possible to parse previous
600       * values, but are not used to set new values. The format strings
601       * conform to the syntax described in the API documentation for the
602       * java.text.SimpleDateFormat class.
603       *
604       * @return Returns an unmodifiable set containing the values of the "previous-last-login-time-format" property.
605       */
606      SortedSet<String> getPreviousLastLoginTimeFormat();
607    
608    
609    
610      /**
611       * Gets the "require-change-by-time" property.
612       * <p>
613       * Specifies the time by which all users with the associated
614       * password policy must change their passwords.
615       * <p>
616       * The value is expressed in a generalized time format. If this time
617       * is equal to the current time or is in the past, then all users are
618       * required to change their passwords immediately. The behavior of
619       * the server in this mode is identical to the behavior observed when
620       * users are forced to change their passwords after an administrative
621       * reset.
622       *
623       * @return Returns the value of the "require-change-by-time" property.
624       */
625      String getRequireChangeByTime();
626    
627    
628    
629      /**
630       * Gets the "require-secure-authentication" property.
631       * <p>
632       * Indicates whether users with the associated password policy are
633       * required to authenticate in a secure manner.
634       * <p>
635       * This might mean either using a secure communication channel
636       * between the client and the server, or using a SASL mechanism that
637       * does not expose the credentials.
638       *
639       * @return Returns the value of the "require-secure-authentication" property.
640       */
641      boolean isRequireSecureAuthentication();
642    
643    
644    
645      /**
646       * Gets the "require-secure-password-changes" property.
647       * <p>
648       * Indicates whether users with the associated password policy are
649       * required to change their password in a secure manner that does not
650       * expose the credentials.
651       *
652       * @return Returns the value of the "require-secure-password-changes" property.
653       */
654      boolean isRequireSecurePasswordChanges();
655    
656    
657    
658      /**
659       * Gets the "skip-validation-for-administrators" property.
660       * <p>
661       * Indicates whether passwords set by administrators are allowed to
662       * bypass the password validation process that is required for user
663       * password changes.
664       *
665       * @return Returns the value of the "skip-validation-for-administrators" property.
666       */
667      boolean isSkipValidationForAdministrators();
668    
669    
670    
671      /**
672       * Gets the "state-update-failure-policy" property.
673       * <p>
674       * Specifies how the server deals with the inability to update
675       * password policy state information during an authentication
676       * attempt.
677       * <p>
678       * In particular, this property can be used to control whether an
679       * otherwise successful bind operation fails if a failure occurs
680       * while attempting to update password policy state information (for
681       * example, to clear a record of previous authentication failures or
682       * to update the last login time). It can also be used to control
683       * whether to reject a bind request if it is known ahead of time that
684       * it will not be possible to update the authentication failure times
685       * in the event of an unsuccessful bind attempt (for example, if the
686       * backend writability mode is disabled).
687       *
688       * @return Returns the value of the "state-update-failure-policy" property.
689       */
690      StateUpdateFailurePolicy getStateUpdateFailurePolicy();
691    
692    }