001/* 002 * CDDL HEADER START 003 * 004 * The contents of this file are subject to the terms of the 005 * Common Development and Distribution License, Version 1.0 only 006 * (the "License"). You may not use this file except in compliance 007 * with the License. 008 * 009 * You can obtain a copy of the license at legal-notices/CDDLv1_0.txt 010 * or http://forgerock.org/license/CDDLv1.0.html. 011 * See the License for the specific language governing permissions 012 * and limitations under the License. 013 * 014 * When distributing Covered Code, include this CDDL HEADER in each 015 * file and include the License file at legal-notices/CDDLv1_0.txt. 016 * If applicable, add the following below this CDDL HEADER, with the 017 * fields enclosed by brackets "[]" replaced with your own identifying 018 * information: 019 * Portions Copyright [yyyy] [name of copyright owner] 020 * 021 * CDDL HEADER END 022 * 023 * 024 * Copyright 2008 Sun Microsystems, Inc. 025 */ 026package org.opends.server.admin.std.server; 027 028 029 030import java.util.SortedSet; 031import org.opends.server.admin.server.ConfigurationChangeListener; 032import org.opends.server.admin.std.meta.PasswordPolicyCfgDefn.StateUpdateFailurePolicy; 033import org.opends.server.types.AttributeType; 034import org.opends.server.types.DN; 035 036 037 038/** 039 * A server-side interface for querying Password Policy settings. 040 * <p> 041 * Password Policies define a number of password management rules, as 042 * well as requirements for authentication processing. 043 */ 044public interface PasswordPolicyCfg extends AuthenticationPolicyCfg { 045 046 /** 047 * Gets the configuration class associated with this Password Policy. 048 * 049 * @return Returns the configuration class associated with this Password Policy. 050 */ 051 Class<? extends PasswordPolicyCfg> configurationClass(); 052 053 054 055 /** 056 * Register to be notified when this Password Policy is changed. 057 * 058 * @param listener 059 * The Password Policy configuration change listener. 060 */ 061 void addPasswordPolicyChangeListener(ConfigurationChangeListener<PasswordPolicyCfg> listener); 062 063 064 065 /** 066 * Deregister an existing Password Policy configuration change listener. 067 * 068 * @param listener 069 * The Password Policy configuration change listener. 070 */ 071 void removePasswordPolicyChangeListener(ConfigurationChangeListener<PasswordPolicyCfg> listener); 072 073 074 075 /** 076 * Gets the "account-status-notification-handler" property. 077 * <p> 078 * Specifies the names of the account status notification handlers 079 * that are used with the associated password storage scheme. 080 * 081 * @return Returns an unmodifiable set containing the values of the "account-status-notification-handler" property. 082 */ 083 SortedSet<String> getAccountStatusNotificationHandler(); 084 085 086 087 /** 088 * Gets the "account-status-notification-handler" property as a set 089 * of DNs. 090 * <p> 091 * Specifies the names of the account status notification handlers 092 * that are used with the associated password storage scheme. 093 * 094 * @return Returns the DN values of the 095 * "account-status-notification-handler" property. 096 */ 097 SortedSet<DN> getAccountStatusNotificationHandlerDNs(); 098 099 100 101 /** 102 * Gets the "allow-expired-password-changes" property. 103 * <p> 104 * Indicates whether a user whose password is expired is still 105 * allowed to change that password using the password modify extended 106 * operation. 107 * 108 * @return Returns the value of the "allow-expired-password-changes" property. 109 */ 110 boolean isAllowExpiredPasswordChanges(); 111 112 113 114 /** 115 * Gets the "allow-multiple-password-values" property. 116 * <p> 117 * Indicates whether user entries can have multiple distinct values 118 * for the password attribute. 119 * <p> 120 * This is potentially dangerous because many mechanisms used to 121 * change the password do not work well with such a configuration. If 122 * multiple password values are allowed, then any of them can be used 123 * to authenticate, and they are all subject to the same policy 124 * constraints. 125 * 126 * @return Returns the value of the "allow-multiple-password-values" property. 127 */ 128 boolean isAllowMultiplePasswordValues(); 129 130 131 132 /** 133 * Gets the "allow-pre-encoded-passwords" property. 134 * <p> 135 * Indicates whether users can change their passwords by providing a 136 * pre-encoded value. 137 * <p> 138 * This can cause a security risk because the clear-text version of 139 * the password is not known and therefore validation checks cannot 140 * be applied to it. 141 * 142 * @return Returns the value of the "allow-pre-encoded-passwords" property. 143 */ 144 boolean isAllowPreEncodedPasswords(); 145 146 147 148 /** 149 * Gets the "allow-user-password-changes" property. 150 * <p> 151 * Indicates whether users can change their own passwords. 152 * <p> 153 * This check is made in addition to access control evaluation. Both 154 * must allow the password change for it to occur. 155 * 156 * @return Returns the value of the "allow-user-password-changes" property. 157 */ 158 boolean isAllowUserPasswordChanges(); 159 160 161 162 /** 163 * Gets the "default-password-storage-scheme" property. 164 * <p> 165 * Specifies the names of the password storage schemes that are used 166 * to encode clear-text passwords for this password policy. 167 * 168 * @return Returns an unmodifiable set containing the values of the "default-password-storage-scheme" property. 169 */ 170 SortedSet<String> getDefaultPasswordStorageScheme(); 171 172 173 174 /** 175 * Gets the "default-password-storage-scheme" property as a set of 176 * DNs. 177 * <p> 178 * Specifies the names of the password storage schemes that are used 179 * to encode clear-text passwords for this password policy. 180 * 181 * @return Returns the DN values of the 182 * "default-password-storage-scheme" property. 183 */ 184 SortedSet<DN> getDefaultPasswordStorageSchemeDNs(); 185 186 187 188 /** 189 * Gets the "deprecated-password-storage-scheme" property. 190 * <p> 191 * Specifies the names of the password storage schemes that are 192 * considered deprecated for this password policy. 193 * <p> 194 * If a user with this password policy authenticates to the server 195 * and his/her password is encoded with a deprecated scheme, those 196 * values are removed and replaced with values encoded using the 197 * default password storage scheme(s). 198 * 199 * @return Returns an unmodifiable set containing the values of the "deprecated-password-storage-scheme" property. 200 */ 201 SortedSet<String> getDeprecatedPasswordStorageScheme(); 202 203 204 205 /** 206 * Gets the "deprecated-password-storage-scheme" property as a set 207 * of DNs. 208 * <p> 209 * Specifies the names of the password storage schemes that are 210 * considered deprecated for this password policy. 211 * <p> 212 * If a user with this password policy authenticates to the server 213 * and his/her password is encoded with a deprecated scheme, those 214 * values are removed and replaced with values encoded using the 215 * default password storage scheme(s). 216 * 217 * @return Returns the DN values of the 218 * "deprecated-password-storage-scheme" property. 219 */ 220 SortedSet<DN> getDeprecatedPasswordStorageSchemeDNs(); 221 222 223 224 /** 225 * Gets the "expire-passwords-without-warning" property. 226 * <p> 227 * Indicates whether the directory server allows a user's password 228 * to expire even if that user has never seen an expiration warning 229 * notification. 230 * <p> 231 * If this property is true, accounts always expire when the 232 * expiration time arrives. If this property is false or disabled, 233 * the user always receives at least one warning notification, and 234 * the password expiration is set to the warning time plus the 235 * warning interval. 236 * 237 * @return Returns the value of the "expire-passwords-without-warning" property. 238 */ 239 boolean isExpirePasswordsWithoutWarning(); 240 241 242 243 /** 244 * Gets the "force-change-on-add" property. 245 * <p> 246 * Indicates whether users are forced to change their passwords upon 247 * first authenticating to the directory server after their account 248 * has been created. 249 * 250 * @return Returns the value of the "force-change-on-add" property. 251 */ 252 boolean isForceChangeOnAdd(); 253 254 255 256 /** 257 * Gets the "force-change-on-reset" property. 258 * <p> 259 * Indicates whether users are forced to change their passwords if 260 * they are reset by an administrator. 261 * <p> 262 * For this purpose, anyone with permission to change a given user's 263 * password other than that user is considered an administrator. 264 * 265 * @return Returns the value of the "force-change-on-reset" property. 266 */ 267 boolean isForceChangeOnReset(); 268 269 270 271 /** 272 * Gets the "grace-login-count" property. 273 * <p> 274 * Specifies the number of grace logins that a user is allowed after 275 * the account has expired to allow that user to choose a new 276 * password. 277 * <p> 278 * A value of 0 indicates that no grace logins are allowed. 279 * 280 * @return Returns the value of the "grace-login-count" property. 281 */ 282 int getGraceLoginCount(); 283 284 285 286 /** 287 * Gets the "idle-lockout-interval" property. 288 * <p> 289 * Specifies the maximum length of time that an account may remain 290 * idle (that is, the associated user does not authenticate to the 291 * server) before that user is locked out. 292 * <p> 293 * The value of this attribute is an integer followed by a unit of 294 * seconds, minutes, hours, days, or weeks. A value of 0 seconds 295 * indicates that idle accounts are not automatically locked out. 296 * This feature is available only if the last login time is 297 * maintained. 298 * 299 * @return Returns the value of the "idle-lockout-interval" property. 300 */ 301 long getIdleLockoutInterval(); 302 303 304 305 /** 306 * Gets the "java-class" property. 307 * <p> 308 * Specifies the fully-qualified name of the Java class which 309 * provides the Password Policy implementation. 310 * 311 * @return Returns the value of the "java-class" property. 312 */ 313 String getJavaClass(); 314 315 316 317 /** 318 * Gets the "last-login-time-attribute" property. 319 * <p> 320 * Specifies the name or OID of the attribute type that is used to 321 * hold the last login time for users with the associated password 322 * policy. 323 * <p> 324 * This attribute type must be defined in the directory server 325 * schema and must either be defined as an operational attribute or 326 * must be allowed by the set of objectClasses for all users with the 327 * associated password policy. 328 * 329 * @return Returns the value of the "last-login-time-attribute" property. 330 */ 331 AttributeType getLastLoginTimeAttribute(); 332 333 334 335 /** 336 * Gets the "last-login-time-format" property. 337 * <p> 338 * Specifies the format string that is used to generate the last 339 * login time value for users with the associated password policy. 340 * <p> 341 * This format string conforms to the syntax described in the API 342 * documentation for the java.text.SimpleDateFormat class. 343 * 344 * @return Returns the value of the "last-login-time-format" property. 345 */ 346 String getLastLoginTimeFormat(); 347 348 349 350 /** 351 * Gets the "lockout-duration" property. 352 * <p> 353 * Specifies the length of time that an account is locked after too 354 * many authentication failures. 355 * <p> 356 * The value of this attribute is an integer followed by a unit of 357 * seconds, minutes, hours, days, or weeks. A value of 0 seconds 358 * indicates that the account must remain locked until an 359 * administrator resets the password. 360 * 361 * @return Returns the value of the "lockout-duration" property. 362 */ 363 long getLockoutDuration(); 364 365 366 367 /** 368 * Gets the "lockout-failure-count" property. 369 * <p> 370 * Specifies the maximum number of authentication failures that a 371 * user is allowed before the account is locked out. 372 * <p> 373 * A value of 0 indicates that accounts are never locked out due to 374 * failed attempts. 375 * 376 * @return Returns the value of the "lockout-failure-count" property. 377 */ 378 int getLockoutFailureCount(); 379 380 381 382 /** 383 * Gets the "lockout-failure-expiration-interval" property. 384 * <p> 385 * Specifies the length of time before an authentication failure is 386 * no longer counted against a user for the purposes of account 387 * lockout. 388 * <p> 389 * The value of this attribute is an integer followed by a unit of 390 * seconds, minutes, hours, days, or weeks. A value of 0 seconds 391 * indicates that the authentication failures must never expire. The 392 * failure count is always cleared upon a successful authentication. 393 * 394 * @return Returns the value of the "lockout-failure-expiration-interval" property. 395 */ 396 long getLockoutFailureExpirationInterval(); 397 398 399 400 /** 401 * Gets the "max-password-age" property. 402 * <p> 403 * Specifies the maximum length of time that a user can continue 404 * using the same password before it must be changed (that is, the 405 * password expiration interval). 406 * <p> 407 * The value of this attribute is an integer followed by a unit of 408 * seconds, minutes, hours, days, or weeks. A value of 0 seconds 409 * disables password expiration. 410 * 411 * @return Returns the value of the "max-password-age" property. 412 */ 413 long getMaxPasswordAge(); 414 415 416 417 /** 418 * Gets the "max-password-reset-age" property. 419 * <p> 420 * Specifies the maximum length of time that users have to change 421 * passwords after they have been reset by an administrator before 422 * they become locked. 423 * <p> 424 * The value of this attribute is an integer followed by a unit of 425 * seconds, minutes, hours, days, or weeks. A value of 0 seconds 426 * disables this feature. 427 * 428 * @return Returns the value of the "max-password-reset-age" property. 429 */ 430 long getMaxPasswordResetAge(); 431 432 433 434 /** 435 * Gets the "min-password-age" property. 436 * <p> 437 * Specifies the minimum length of time after a password change 438 * before the user is allowed to change the password again. 439 * <p> 440 * The value of this attribute is an integer followed by a unit of 441 * seconds, minutes, hours, days, or weeks. This setting can be used 442 * to prevent users from changing their passwords repeatedly over a 443 * short period of time to flush an old password from the history so 444 * that it can be re-used. 445 * 446 * @return Returns the value of the "min-password-age" property. 447 */ 448 long getMinPasswordAge(); 449 450 451 452 /** 453 * Gets the "password-attribute" property. 454 * <p> 455 * Specifies the attribute type used to hold user passwords. 456 * <p> 457 * This attribute type must be defined in the server schema, and it 458 * must have either the user password or auth password syntax. 459 * 460 * @return Returns the value of the "password-attribute" property. 461 */ 462 AttributeType getPasswordAttribute(); 463 464 465 466 /** 467 * Gets the "password-change-requires-current-password" property. 468 * <p> 469 * Indicates whether user password changes must use the password 470 * modify extended operation and must include the user's current 471 * password before the change is allowed. 472 * 473 * @return Returns the value of the "password-change-requires-current-password" property. 474 */ 475 boolean isPasswordChangeRequiresCurrentPassword(); 476 477 478 479 /** 480 * Gets the "password-expiration-warning-interval" property. 481 * <p> 482 * Specifies the maximum length of time before a user's password 483 * actually expires that the server begins to include warning 484 * notifications in bind responses for that user. 485 * <p> 486 * The value of this attribute is an integer followed by a unit of 487 * seconds, minutes, hours, days, or weeks. A value of 0 seconds 488 * disables the warning interval. 489 * 490 * @return Returns the value of the "password-expiration-warning-interval" property. 491 */ 492 long getPasswordExpirationWarningInterval(); 493 494 495 496 /** 497 * Gets the "password-generator" property. 498 * <p> 499 * Specifies the name of the password generator that is used with 500 * the associated password policy. 501 * <p> 502 * This is used in conjunction with the password modify extended 503 * operation to generate a new password for a user when none was 504 * provided in the request. 505 * 506 * @return Returns the value of the "password-generator" property. 507 */ 508 String getPasswordGenerator(); 509 510 511 512 /** 513 * Gets the "password-generator" property as a DN. 514 * <p> 515 * Specifies the name of the password generator that is used with 516 * the associated password policy. 517 * <p> 518 * This is used in conjunction with the password modify extended 519 * operation to generate a new password for a user when none was 520 * provided in the request. 521 * 522 * @return Returns the DN value of the "password-generator" 523 * property. 524 */ 525 DN getPasswordGeneratorDN(); 526 527 528 529 /** 530 * Gets the "password-history-count" property. 531 * <p> 532 * Specifies the maximum number of former passwords to maintain in 533 * the password history. 534 * <p> 535 * When choosing a new password, the proposed password is checked to 536 * ensure that it does not match the current password, nor any other 537 * password in the history list. A value of zero indicates that 538 * either no password history is to be maintained (if the password 539 * history duration has a value of zero seconds), or that there is no 540 * maximum number of passwords to maintain in the history (if the 541 * password history duration has a value greater than zero seconds). 542 * 543 * @return Returns the value of the "password-history-count" property. 544 */ 545 int getPasswordHistoryCount(); 546 547 548 549 /** 550 * Gets the "password-history-duration" property. 551 * <p> 552 * Specifies the maximum length of time that passwords remain in the 553 * password history. 554 * <p> 555 * When choosing a new password, the proposed password is checked to 556 * ensure that it does not match the current password, nor any other 557 * password in the history list. A value of zero seconds indicates 558 * that either no password history is to be maintained (if the 559 * password history count has a value of zero), or that there is no 560 * maximum duration for passwords in the history (if the password 561 * history count has a value greater than zero). 562 * 563 * @return Returns the value of the "password-history-duration" property. 564 */ 565 long getPasswordHistoryDuration(); 566 567 568 569 /** 570 * Gets the "password-validator" property. 571 * <p> 572 * Specifies the names of the password validators that are used with 573 * the associated password storage scheme. 574 * <p> 575 * The password validators are invoked when a user attempts to 576 * provide a new password, to determine whether the new password is 577 * acceptable. 578 * 579 * @return Returns an unmodifiable set containing the values of the "password-validator" property. 580 */ 581 SortedSet<String> getPasswordValidator(); 582 583 584 585 /** 586 * Gets the "password-validator" property as a set of DNs. 587 * <p> 588 * Specifies the names of the password validators that are used with 589 * the associated password storage scheme. 590 * <p> 591 * The password validators are invoked when a user attempts to 592 * provide a new password, to determine whether the new password is 593 * acceptable. 594 * 595 * @return Returns the DN values of the "password-validator" 596 * property. 597 */ 598 SortedSet<DN> getPasswordValidatorDNs(); 599 600 601 602 /** 603 * Gets the "previous-last-login-time-format" property. 604 * <p> 605 * Specifies the format string(s) that might have been used with the 606 * last login time at any point in the past for users associated with 607 * the password policy. 608 * <p> 609 * These values are used to make it possible to parse previous 610 * values, but are not used to set new values. The format strings 611 * conform to the syntax described in the API documentation for the 612 * java.text.SimpleDateFormat class. 613 * 614 * @return Returns an unmodifiable set containing the values of the "previous-last-login-time-format" property. 615 */ 616 SortedSet<String> getPreviousLastLoginTimeFormat(); 617 618 619 620 /** 621 * Gets the "require-change-by-time" property. 622 * <p> 623 * Specifies the time by which all users with the associated 624 * password policy must change their passwords. 625 * <p> 626 * The value is expressed in a generalized time format. If this time 627 * is equal to the current time or is in the past, then all users are 628 * required to change their passwords immediately. The behavior of 629 * the server in this mode is identical to the behavior observed when 630 * users are forced to change their passwords after an administrative 631 * reset. 632 * 633 * @return Returns the value of the "require-change-by-time" property. 634 */ 635 String getRequireChangeByTime(); 636 637 638 639 /** 640 * Gets the "require-secure-authentication" property. 641 * <p> 642 * Indicates whether users with the associated password policy are 643 * required to authenticate in a secure manner. 644 * <p> 645 * This might mean either using a secure communication channel 646 * between the client and the server, or using a SASL mechanism that 647 * does not expose the credentials. 648 * 649 * @return Returns the value of the "require-secure-authentication" property. 650 */ 651 boolean isRequireSecureAuthentication(); 652 653 654 655 /** 656 * Gets the "require-secure-password-changes" property. 657 * <p> 658 * Indicates whether users with the associated password policy are 659 * required to change their password in a secure manner that does not 660 * expose the credentials. 661 * 662 * @return Returns the value of the "require-secure-password-changes" property. 663 */ 664 boolean isRequireSecurePasswordChanges(); 665 666 667 668 /** 669 * Gets the "skip-validation-for-administrators" property. 670 * <p> 671 * Indicates whether passwords set by administrators are allowed to 672 * bypass the password validation process that is required for user 673 * password changes. 674 * 675 * @return Returns the value of the "skip-validation-for-administrators" property. 676 */ 677 boolean isSkipValidationForAdministrators(); 678 679 680 681 /** 682 * Gets the "state-update-failure-policy" property. 683 * <p> 684 * Specifies how the server deals with the inability to update 685 * password policy state information during an authentication 686 * attempt. 687 * <p> 688 * In particular, this property can be used to control whether an 689 * otherwise successful bind operation fails if a failure occurs 690 * while attempting to update password policy state information (for 691 * example, to clear a record of previous authentication failures or 692 * to update the last login time). It can also be used to control 693 * whether to reject a bind request if it is known ahead of time that 694 * it will not be possible to update the authentication failure times 695 * in the event of an unsuccessful bind attempt (for example, if the 696 * backend writability mode is disabled). 697 * 698 * @return Returns the value of the "state-update-failure-policy" property. 699 */ 700 StateUpdateFailurePolicy getStateUpdateFailurePolicy(); 701 702}