001/*
002 * CDDL HEADER START
003 *
004 * The contents of this file are subject to the terms of the
005 * Common Development and Distribution License, Version 1.0 only
006 * (the "License").  You may not use this file except in compliance
007 * with the License.
008 *
009 * You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
010 * or http://forgerock.org/license/CDDLv1.0.html.
011 * See the License for the specific language governing permissions
012 * and limitations under the License.
013 *
014 * When distributing Covered Code, include this CDDL HEADER in each
015 * file and include the License file at legal-notices/CDDLv1_0.txt.
016 * If applicable, add the following below this CDDL HEADER, with the
017 * fields enclosed by brackets "[]" replaced with your own identifying
018 * information:
019 *      Portions Copyright [yyyy] [name of copyright owner]
020 *
021 * CDDL HEADER END
022 *
023 *
024 *      Copyright 2008 Sun Microsystems, Inc.
025 */
026package org.opends.server.admin.std.server;
027
028
029
030import java.util.SortedSet;
031import org.opends.server.admin.server.ConfigurationChangeListener;
032import org.opends.server.admin.std.meta.PasswordPolicyCfgDefn.StateUpdateFailurePolicy;
033import org.opends.server.types.AttributeType;
034import org.opends.server.types.DN;
035
036
037
038/**
039 * A server-side interface for querying Password Policy settings.
040 * <p>
041 * Password Policies define a number of password management rules, as
042 * well as requirements for authentication processing.
043 */
044public interface PasswordPolicyCfg extends AuthenticationPolicyCfg {
045
046  /**
047   * Gets the configuration class associated with this Password Policy.
048   *
049   * @return Returns the configuration class associated with this Password Policy.
050   */
051  Class<? extends PasswordPolicyCfg> configurationClass();
052
053
054
055  /**
056   * Register to be notified when this Password Policy is changed.
057   *
058   * @param listener
059   *          The Password Policy configuration change listener.
060   */
061  void addPasswordPolicyChangeListener(ConfigurationChangeListener<PasswordPolicyCfg> listener);
062
063
064
065  /**
066   * Deregister an existing Password Policy configuration change listener.
067   *
068   * @param listener
069   *          The Password Policy configuration change listener.
070   */
071  void removePasswordPolicyChangeListener(ConfigurationChangeListener<PasswordPolicyCfg> listener);
072
073
074
075  /**
076   * Gets the "account-status-notification-handler" property.
077   * <p>
078   * Specifies the names of the account status notification handlers
079   * that are used with the associated password storage scheme.
080   *
081   * @return Returns an unmodifiable set containing the values of the "account-status-notification-handler" property.
082   */
083  SortedSet<String> getAccountStatusNotificationHandler();
084
085
086
087  /**
088   * Gets the "account-status-notification-handler" property as a set
089   * of DNs.
090   * <p>
091   * Specifies the names of the account status notification handlers
092   * that are used with the associated password storage scheme.
093   *
094   * @return Returns the DN values of the
095   *         "account-status-notification-handler" property.
096   */
097  SortedSet<DN> getAccountStatusNotificationHandlerDNs();
098
099
100
101  /**
102   * Gets the "allow-expired-password-changes" property.
103   * <p>
104   * Indicates whether a user whose password is expired is still
105   * allowed to change that password using the password modify extended
106   * operation.
107   *
108   * @return Returns the value of the "allow-expired-password-changes" property.
109   */
110  boolean isAllowExpiredPasswordChanges();
111
112
113
114  /**
115   * Gets the "allow-multiple-password-values" property.
116   * <p>
117   * Indicates whether user entries can have multiple distinct values
118   * for the password attribute.
119   * <p>
120   * This is potentially dangerous because many mechanisms used to
121   * change the password do not work well with such a configuration. If
122   * multiple password values are allowed, then any of them can be used
123   * to authenticate, and they are all subject to the same policy
124   * constraints.
125   *
126   * @return Returns the value of the "allow-multiple-password-values" property.
127   */
128  boolean isAllowMultiplePasswordValues();
129
130
131
132  /**
133   * Gets the "allow-pre-encoded-passwords" property.
134   * <p>
135   * Indicates whether users can change their passwords by providing a
136   * pre-encoded value.
137   * <p>
138   * This can cause a security risk because the clear-text version of
139   * the password is not known and therefore validation checks cannot
140   * be applied to it.
141   *
142   * @return Returns the value of the "allow-pre-encoded-passwords" property.
143   */
144  boolean isAllowPreEncodedPasswords();
145
146
147
148  /**
149   * Gets the "allow-user-password-changes" property.
150   * <p>
151   * Indicates whether users can change their own passwords.
152   * <p>
153   * This check is made in addition to access control evaluation. Both
154   * must allow the password change for it to occur.
155   *
156   * @return Returns the value of the "allow-user-password-changes" property.
157   */
158  boolean isAllowUserPasswordChanges();
159
160
161
162  /**
163   * Gets the "default-password-storage-scheme" property.
164   * <p>
165   * Specifies the names of the password storage schemes that are used
166   * to encode clear-text passwords for this password policy.
167   *
168   * @return Returns an unmodifiable set containing the values of the "default-password-storage-scheme" property.
169   */
170  SortedSet<String> getDefaultPasswordStorageScheme();
171
172
173
174  /**
175   * Gets the "default-password-storage-scheme" property as a set of
176   * DNs.
177   * <p>
178   * Specifies the names of the password storage schemes that are used
179   * to encode clear-text passwords for this password policy.
180   *
181   * @return Returns the DN values of the
182   *         "default-password-storage-scheme" property.
183   */
184  SortedSet<DN> getDefaultPasswordStorageSchemeDNs();
185
186
187
188  /**
189   * Gets the "deprecated-password-storage-scheme" property.
190   * <p>
191   * Specifies the names of the password storage schemes that are
192   * considered deprecated for this password policy.
193   * <p>
194   * If a user with this password policy authenticates to the server
195   * and his/her password is encoded with a deprecated scheme, those
196   * values are removed and replaced with values encoded using the
197   * default password storage scheme(s).
198   *
199   * @return Returns an unmodifiable set containing the values of the "deprecated-password-storage-scheme" property.
200   */
201  SortedSet<String> getDeprecatedPasswordStorageScheme();
202
203
204
205  /**
206   * Gets the "deprecated-password-storage-scheme" property as a set
207   * of DNs.
208   * <p>
209   * Specifies the names of the password storage schemes that are
210   * considered deprecated for this password policy.
211   * <p>
212   * If a user with this password policy authenticates to the server
213   * and his/her password is encoded with a deprecated scheme, those
214   * values are removed and replaced with values encoded using the
215   * default password storage scheme(s).
216   *
217   * @return Returns the DN values of the
218   *         "deprecated-password-storage-scheme" property.
219   */
220  SortedSet<DN> getDeprecatedPasswordStorageSchemeDNs();
221
222
223
224  /**
225   * Gets the "expire-passwords-without-warning" property.
226   * <p>
227   * Indicates whether the directory server allows a user's password
228   * to expire even if that user has never seen an expiration warning
229   * notification.
230   * <p>
231   * If this property is true, accounts always expire when the
232   * expiration time arrives. If this property is false or disabled,
233   * the user always receives at least one warning notification, and
234   * the password expiration is set to the warning time plus the
235   * warning interval.
236   *
237   * @return Returns the value of the "expire-passwords-without-warning" property.
238   */
239  boolean isExpirePasswordsWithoutWarning();
240
241
242
243  /**
244   * Gets the "force-change-on-add" property.
245   * <p>
246   * Indicates whether users are forced to change their passwords upon
247   * first authenticating to the directory server after their account
248   * has been created.
249   *
250   * @return Returns the value of the "force-change-on-add" property.
251   */
252  boolean isForceChangeOnAdd();
253
254
255
256  /**
257   * Gets the "force-change-on-reset" property.
258   * <p>
259   * Indicates whether users are forced to change their passwords if
260   * they are reset by an administrator.
261   * <p>
262   * For this purpose, anyone with permission to change a given user's
263   * password other than that user is considered an administrator.
264   *
265   * @return Returns the value of the "force-change-on-reset" property.
266   */
267  boolean isForceChangeOnReset();
268
269
270
271  /**
272   * Gets the "grace-login-count" property.
273   * <p>
274   * Specifies the number of grace logins that a user is allowed after
275   * the account has expired to allow that user to choose a new
276   * password.
277   * <p>
278   * A value of 0 indicates that no grace logins are allowed.
279   *
280   * @return Returns the value of the "grace-login-count" property.
281   */
282  int getGraceLoginCount();
283
284
285
286  /**
287   * Gets the "idle-lockout-interval" property.
288   * <p>
289   * Specifies the maximum length of time that an account may remain
290   * idle (that is, the associated user does not authenticate to the
291   * server) before that user is locked out.
292   * <p>
293   * The value of this attribute is an integer followed by a unit of
294   * seconds, minutes, hours, days, or weeks. A value of 0 seconds
295   * indicates that idle accounts are not automatically locked out.
296   * This feature is available only if the last login time is
297   * maintained.
298   *
299   * @return Returns the value of the "idle-lockout-interval" property.
300   */
301  long getIdleLockoutInterval();
302
303
304
305  /**
306   * Gets the "java-class" property.
307   * <p>
308   * Specifies the fully-qualified name of the Java class which
309   * provides the Password Policy implementation.
310   *
311   * @return Returns the value of the "java-class" property.
312   */
313  String getJavaClass();
314
315
316
317  /**
318   * Gets the "last-login-time-attribute" property.
319   * <p>
320   * Specifies the name or OID of the attribute type that is used to
321   * hold the last login time for users with the associated password
322   * policy.
323   * <p>
324   * This attribute type must be defined in the directory server
325   * schema and must either be defined as an operational attribute or
326   * must be allowed by the set of objectClasses for all users with the
327   * associated password policy.
328   *
329   * @return Returns the value of the "last-login-time-attribute" property.
330   */
331  AttributeType getLastLoginTimeAttribute();
332
333
334
335  /**
336   * Gets the "last-login-time-format" property.
337   * <p>
338   * Specifies the format string that is used to generate the last
339   * login time value for users with the associated password policy.
340   * <p>
341   * This format string conforms to the syntax described in the API
342   * documentation for the java.text.SimpleDateFormat class.
343   *
344   * @return Returns the value of the "last-login-time-format" property.
345   */
346  String getLastLoginTimeFormat();
347
348
349
350  /**
351   * Gets the "lockout-duration" property.
352   * <p>
353   * Specifies the length of time that an account is locked after too
354   * many authentication failures.
355   * <p>
356   * The value of this attribute is an integer followed by a unit of
357   * seconds, minutes, hours, days, or weeks. A value of 0 seconds
358   * indicates that the account must remain locked until an
359   * administrator resets the password.
360   *
361   * @return Returns the value of the "lockout-duration" property.
362   */
363  long getLockoutDuration();
364
365
366
367  /**
368   * Gets the "lockout-failure-count" property.
369   * <p>
370   * Specifies the maximum number of authentication failures that a
371   * user is allowed before the account is locked out.
372   * <p>
373   * A value of 0 indicates that accounts are never locked out due to
374   * failed attempts.
375   *
376   * @return Returns the value of the "lockout-failure-count" property.
377   */
378  int getLockoutFailureCount();
379
380
381
382  /**
383   * Gets the "lockout-failure-expiration-interval" property.
384   * <p>
385   * Specifies the length of time before an authentication failure is
386   * no longer counted against a user for the purposes of account
387   * lockout.
388   * <p>
389   * The value of this attribute is an integer followed by a unit of
390   * seconds, minutes, hours, days, or weeks. A value of 0 seconds
391   * indicates that the authentication failures must never expire. The
392   * failure count is always cleared upon a successful authentication.
393   *
394   * @return Returns the value of the "lockout-failure-expiration-interval" property.
395   */
396  long getLockoutFailureExpirationInterval();
397
398
399
400  /**
401   * Gets the "max-password-age" property.
402   * <p>
403   * Specifies the maximum length of time that a user can continue
404   * using the same password before it must be changed (that is, the
405   * password expiration interval).
406   * <p>
407   * The value of this attribute is an integer followed by a unit of
408   * seconds, minutes, hours, days, or weeks. A value of 0 seconds
409   * disables password expiration.
410   *
411   * @return Returns the value of the "max-password-age" property.
412   */
413  long getMaxPasswordAge();
414
415
416
417  /**
418   * Gets the "max-password-reset-age" property.
419   * <p>
420   * Specifies the maximum length of time that users have to change
421   * passwords after they have been reset by an administrator before
422   * they become locked.
423   * <p>
424   * The value of this attribute is an integer followed by a unit of
425   * seconds, minutes, hours, days, or weeks. A value of 0 seconds
426   * disables this feature.
427   *
428   * @return Returns the value of the "max-password-reset-age" property.
429   */
430  long getMaxPasswordResetAge();
431
432
433
434  /**
435   * Gets the "min-password-age" property.
436   * <p>
437   * Specifies the minimum length of time after a password change
438   * before the user is allowed to change the password again.
439   * <p>
440   * The value of this attribute is an integer followed by a unit of
441   * seconds, minutes, hours, days, or weeks. This setting can be used
442   * to prevent users from changing their passwords repeatedly over a
443   * short period of time to flush an old password from the history so
444   * that it can be re-used.
445   *
446   * @return Returns the value of the "min-password-age" property.
447   */
448  long getMinPasswordAge();
449
450
451
452  /**
453   * Gets the "password-attribute" property.
454   * <p>
455   * Specifies the attribute type used to hold user passwords.
456   * <p>
457   * This attribute type must be defined in the server schema, and it
458   * must have either the user password or auth password syntax.
459   *
460   * @return Returns the value of the "password-attribute" property.
461   */
462  AttributeType getPasswordAttribute();
463
464
465
466  /**
467   * Gets the "password-change-requires-current-password" property.
468   * <p>
469   * Indicates whether user password changes must use the password
470   * modify extended operation and must include the user's current
471   * password before the change is allowed.
472   *
473   * @return Returns the value of the "password-change-requires-current-password" property.
474   */
475  boolean isPasswordChangeRequiresCurrentPassword();
476
477
478
479  /**
480   * Gets the "password-expiration-warning-interval" property.
481   * <p>
482   * Specifies the maximum length of time before a user's password
483   * actually expires that the server begins to include warning
484   * notifications in bind responses for that user.
485   * <p>
486   * The value of this attribute is an integer followed by a unit of
487   * seconds, minutes, hours, days, or weeks. A value of 0 seconds
488   * disables the warning interval.
489   *
490   * @return Returns the value of the "password-expiration-warning-interval" property.
491   */
492  long getPasswordExpirationWarningInterval();
493
494
495
496  /**
497   * Gets the "password-generator" property.
498   * <p>
499   * Specifies the name of the password generator that is used with
500   * the associated password policy.
501   * <p>
502   * This is used in conjunction with the password modify extended
503   * operation to generate a new password for a user when none was
504   * provided in the request.
505   *
506   * @return Returns the value of the "password-generator" property.
507   */
508  String getPasswordGenerator();
509
510
511
512  /**
513   * Gets the "password-generator" property as a DN.
514   * <p>
515   * Specifies the name of the password generator that is used with
516   * the associated password policy.
517   * <p>
518   * This is used in conjunction with the password modify extended
519   * operation to generate a new password for a user when none was
520   * provided in the request.
521   *
522   * @return Returns the DN value of the "password-generator"
523   *         property.
524   */
525  DN getPasswordGeneratorDN();
526
527
528
529  /**
530   * Gets the "password-history-count" property.
531   * <p>
532   * Specifies the maximum number of former passwords to maintain in
533   * the password history.
534   * <p>
535   * When choosing a new password, the proposed password is checked to
536   * ensure that it does not match the current password, nor any other
537   * password in the history list. A value of zero indicates that
538   * either no password history is to be maintained (if the password
539   * history duration has a value of zero seconds), or that there is no
540   * maximum number of passwords to maintain in the history (if the
541   * password history duration has a value greater than zero seconds).
542   *
543   * @return Returns the value of the "password-history-count" property.
544   */
545  int getPasswordHistoryCount();
546
547
548
549  /**
550   * Gets the "password-history-duration" property.
551   * <p>
552   * Specifies the maximum length of time that passwords remain in the
553   * password history.
554   * <p>
555   * When choosing a new password, the proposed password is checked to
556   * ensure that it does not match the current password, nor any other
557   * password in the history list. A value of zero seconds indicates
558   * that either no password history is to be maintained (if the
559   * password history count has a value of zero), or that there is no
560   * maximum duration for passwords in the history (if the password
561   * history count has a value greater than zero).
562   *
563   * @return Returns the value of the "password-history-duration" property.
564   */
565  long getPasswordHistoryDuration();
566
567
568
569  /**
570   * Gets the "password-validator" property.
571   * <p>
572   * Specifies the names of the password validators that are used with
573   * the associated password storage scheme.
574   * <p>
575   * The password validators are invoked when a user attempts to
576   * provide a new password, to determine whether the new password is
577   * acceptable.
578   *
579   * @return Returns an unmodifiable set containing the values of the "password-validator" property.
580   */
581  SortedSet<String> getPasswordValidator();
582
583
584
585  /**
586   * Gets the "password-validator" property as a set of DNs.
587   * <p>
588   * Specifies the names of the password validators that are used with
589   * the associated password storage scheme.
590   * <p>
591   * The password validators are invoked when a user attempts to
592   * provide a new password, to determine whether the new password is
593   * acceptable.
594   *
595   * @return Returns the DN values of the "password-validator"
596   *         property.
597   */
598  SortedSet<DN> getPasswordValidatorDNs();
599
600
601
602  /**
603   * Gets the "previous-last-login-time-format" property.
604   * <p>
605   * Specifies the format string(s) that might have been used with the
606   * last login time at any point in the past for users associated with
607   * the password policy.
608   * <p>
609   * These values are used to make it possible to parse previous
610   * values, but are not used to set new values. The format strings
611   * conform to the syntax described in the API documentation for the
612   * java.text.SimpleDateFormat class.
613   *
614   * @return Returns an unmodifiable set containing the values of the "previous-last-login-time-format" property.
615   */
616  SortedSet<String> getPreviousLastLoginTimeFormat();
617
618
619
620  /**
621   * Gets the "require-change-by-time" property.
622   * <p>
623   * Specifies the time by which all users with the associated
624   * password policy must change their passwords.
625   * <p>
626   * The value is expressed in a generalized time format. If this time
627   * is equal to the current time or is in the past, then all users are
628   * required to change their passwords immediately. The behavior of
629   * the server in this mode is identical to the behavior observed when
630   * users are forced to change their passwords after an administrative
631   * reset.
632   *
633   * @return Returns the value of the "require-change-by-time" property.
634   */
635  String getRequireChangeByTime();
636
637
638
639  /**
640   * Gets the "require-secure-authentication" property.
641   * <p>
642   * Indicates whether users with the associated password policy are
643   * required to authenticate in a secure manner.
644   * <p>
645   * This might mean either using a secure communication channel
646   * between the client and the server, or using a SASL mechanism that
647   * does not expose the credentials.
648   *
649   * @return Returns the value of the "require-secure-authentication" property.
650   */
651  boolean isRequireSecureAuthentication();
652
653
654
655  /**
656   * Gets the "require-secure-password-changes" property.
657   * <p>
658   * Indicates whether users with the associated password policy are
659   * required to change their password in a secure manner that does not
660   * expose the credentials.
661   *
662   * @return Returns the value of the "require-secure-password-changes" property.
663   */
664  boolean isRequireSecurePasswordChanges();
665
666
667
668  /**
669   * Gets the "skip-validation-for-administrators" property.
670   * <p>
671   * Indicates whether passwords set by administrators are allowed to
672   * bypass the password validation process that is required for user
673   * password changes.
674   *
675   * @return Returns the value of the "skip-validation-for-administrators" property.
676   */
677  boolean isSkipValidationForAdministrators();
678
679
680
681  /**
682   * Gets the "state-update-failure-policy" property.
683   * <p>
684   * Specifies how the server deals with the inability to update
685   * password policy state information during an authentication
686   * attempt.
687   * <p>
688   * In particular, this property can be used to control whether an
689   * otherwise successful bind operation fails if a failure occurs
690   * while attempting to update password policy state information (for
691   * example, to clear a record of previous authentication failures or
692   * to update the last login time). It can also be used to control
693   * whether to reject a bind request if it is known ahead of time that
694   * it will not be possible to update the authentication failure times
695   * in the event of an unsuccessful bind attempt (for example, if the
696   * backend writability mode is disabled).
697   *
698   * @return Returns the value of the "state-update-failure-policy" property.
699   */
700  StateUpdateFailurePolicy getStateUpdateFailurePolicy();
701
702}