001/* 002 * CDDL HEADER START 003 * 004 * The contents of this file are subject to the terms of the 005 * Common Development and Distribution License, Version 1.0 only 006 * (the "License"). You may not use this file except in compliance 007 * with the License. 008 * 009 * You can obtain a copy of the license at legal-notices/CDDLv1_0.txt 010 * or http://forgerock.org/license/CDDLv1.0.html. 011 * See the License for the specific language governing permissions 012 * and limitations under the License. 013 * 014 * When distributing Covered Code, include this CDDL HEADER in each 015 * file and include the License file at legal-notices/CDDLv1_0.txt. 016 * If applicable, add the following below this CDDL HEADER, with the 017 * fields enclosed by brackets "[]" replaced with your own identifying 018 * information: 019 * Portions Copyright [yyyy] [name of copyright owner] 020 * 021 * CDDL HEADER END 022 * 023 * 024 * Copyright 2006-2010 Sun Microsystems, Inc. 025 * Portions copyright 2011-2015 ForgeRock AS. 026 */ 027package org.opends.server.core; 028 029import java.util.Collection; 030import java.util.List; 031import java.util.Set; 032import java.util.SortedSet; 033 034import org.opends.server.admin.std.meta.PasswordPolicyCfgDefn.*; 035import org.opends.server.api.*; 036import org.opends.server.types.AttributeType; 037import org.opends.server.types.DN; 038import org.opends.server.types.DirectoryException; 039import org.opends.server.types.Entry; 040 041/** 042 * This class defines a data structure that holds information about a Directory 043 * Server password policy. 044 */ 045public abstract class PasswordPolicy extends AuthenticationPolicy 046{ 047 048 /** Creates a new password policy. */ 049 protected PasswordPolicy() 050 { 051 // Nothing to do. 052 } 053 054 055 056 /** {@inheritDoc} */ 057 public abstract DN getDN(); 058 059 060 061 /** 062 * Indicates whether the associated password attribute uses the auth password 063 * syntax. 064 * 065 * @return <CODE>true</CODE> if the associated password attribute uses the 066 * auth password syntax, or <CODE>false</CODE> if not. 067 */ 068 public abstract boolean isAuthPasswordSyntax(); 069 070 071 072 /** 073 * Retrieves the default set of password storage schemes that will be used for 074 * this password policy. The returned set should not be modified by the 075 * caller. 076 * 077 * @return The default set of password storage schemes that will be used for 078 * this password policy. 079 */ 080 public abstract List<PasswordStorageScheme<?>> 081 getDefaultPasswordStorageSchemes(); 082 083 084 085 /** 086 * Gets the "deprecated-password-storage-scheme" property. 087 * <p> 088 * Specifies the names of the password storage schemes that are considered 089 * deprecated for this password policy. 090 * <p> 091 * If a user with this password policy authenticates to the server and 092 * his/her password is encoded with a deprecated scheme, those values are 093 * removed and replaced with values encoded using the default password 094 * storage scheme(s). 095 * 096 * @return Returns an unmodifiable set containing the values of the 097 * "deprecated-password-storage-scheme" property. 098 */ 099 public abstract Set<String> getDeprecatedPasswordStorageSchemes(); 100 101 102 103 /** 104 * Indicates whether the specified storage scheme is a default scheme for this 105 * password policy. 106 * 107 * @param name 108 * The name of the password storage scheme for which to make the 109 * determination. 110 * @return <CODE>true</CODE> if the storage scheme is a default scheme for 111 * this password policy, or <CODE>false</CODE> if not. 112 */ 113 public abstract boolean isDefaultPasswordStorageScheme(String name); 114 115 116 117 /** 118 * Indicates whether the specified storage scheme is deprecated. 119 * 120 * @param name 121 * The name of the password storage scheme for which to make the 122 * determination. 123 * @return <CODE>true</CODE> if the storage scheme is deprecated, or 124 * <CODE>false</CODE> if not. 125 */ 126 public abstract boolean isDeprecatedPasswordStorageScheme(String name); 127 128 129 130 /** 131 * Retrieves the set of password validators for this password policy. The 132 * returned list should not be altered by the caller. 133 * 134 * @return The set of password validators for this password policy. 135 */ 136 public abstract Collection<PasswordValidator<?>> getPasswordValidators(); 137 138 139 140 /** 141 * Retrieves the set of account status notification handlers that should be 142 * used with this password policy. The returned list should not be altered by 143 * the caller. 144 * 145 * @return The set of account status notification handlers that should be used 146 * with this password policy. 147 */ 148 public abstract Collection<AccountStatusNotificationHandler<?>> 149 getAccountStatusNotificationHandlers(); 150 151 152 153 /** 154 * Retrieves the password generator that will be used with this password 155 * policy. 156 * 157 * @return The password generator that will be used with this password policy, 158 * or <CODE>null</CODE> if there is none. 159 */ 160 public abstract PasswordGenerator<?> getPasswordGenerator(); 161 162 163 164 /** 165 * Retrieves the time by which all users will be required to change their 166 * passwords, expressed in the number of milliseconds since midnight of 167 * January 1, 1970 (i.e., the zero time for 168 * <CODE>System.currentTimeMillis()</CODE>). Any passwords not changed before 169 * this time will automatically enter a state in which they must be changed 170 * before any other operation will be allowed. 171 * 172 * @return The time by which all users will be required to change their 173 * passwords, or zero if no such constraint is in effect. 174 */ 175 public abstract long getRequireChangeByTime(); 176 177 178 179 /** 180 * Gets the "allow-expired-password-changes" property. 181 * <p> 182 * Indicates whether a user whose password is expired is still allowed to 183 * change that password using the password modify extended operation. 184 * 185 * @return Returns the value of the "allow-expired-password-changes" property. 186 */ 187 public abstract boolean isAllowExpiredPasswordChanges(); 188 189 190 191 /** 192 * Gets the "allow-multiple-password-values" property. 193 * <p> 194 * Indicates whether user entries can have multiple distinct values for the 195 * password attribute. 196 * <p> 197 * This is potentially dangerous because many mechanisms used to change the 198 * password do not work well with such a configuration. If multiple password 199 * values are allowed, then any of them can be used to authenticate, and they 200 * are all subject to the same policy constraints. 201 * 202 * @return Returns the value of the "allow-multiple-password-values" property. 203 */ 204 public abstract boolean isAllowMultiplePasswordValues(); 205 206 207 208 /** 209 * Gets the "allow-pre-encoded-passwords" property. 210 * <p> 211 * Indicates whether users can change their passwords by providing a 212 * pre-encoded value. 213 * <p> 214 * This can cause a security risk because the clear-text version of the 215 * password is not known and therefore validation checks cannot be applied to 216 * it. 217 * 218 * @return Returns the value of the "allow-pre-encoded-passwords" property. 219 */ 220 public abstract boolean isAllowPreEncodedPasswords(); 221 222 223 224 /** 225 * Gets the "allow-user-password-changes" property. 226 * <p> 227 * Indicates whether users can change their own passwords. 228 * <p> 229 * This check is made in addition to access control evaluation. Both must 230 * allow the password change for it to occur. 231 * 232 * @return Returns the value of the "allow-user-password-changes" property. 233 */ 234 public abstract boolean isAllowUserPasswordChanges(); 235 236 237 238 /** 239 * Gets the "expire-passwords-without-warning" property. 240 * <p> 241 * Indicates whether the directory server allows a user's password to expire 242 * even if that user has never seen an expiration warning notification. 243 * <p> 244 * If this property is true, accounts always expire when the expiration time 245 * arrives. If this property is false or disabled, the user always receives at 246 * least one warning notification, and the password expiration is set to the 247 * warning time plus the warning interval. 248 * 249 * @return Returns the value of the "expire-passwords-without-warning" 250 * property. 251 */ 252 public abstract boolean isExpirePasswordsWithoutWarning(); 253 254 255 256 /** 257 * Gets the "force-change-on-add" property. 258 * <p> 259 * Indicates whether users are forced to change their passwords upon first 260 * authenticating to the directory server after their account has been 261 * created. 262 * 263 * @return Returns the value of the "force-change-on-add" property. 264 */ 265 public abstract boolean isForceChangeOnAdd(); 266 267 268 269 /** 270 * Gets the "force-change-on-reset" property. 271 * <p> 272 * Indicates whether users are forced to change their passwords if they are 273 * reset by an administrator. 274 * <p> 275 * For this purpose, anyone with permission to change a given user's password 276 * other than that user is considered an administrator. 277 * 278 * @return Returns the value of the "force-change-on-reset" property. 279 */ 280 public abstract boolean isForceChangeOnReset(); 281 282 283 284 /** 285 * Gets the "grace-login-count" property. 286 * <p> 287 * Specifies the number of grace logins that a user is allowed after the 288 * account has expired to allow that user to choose a new password. 289 * <p> 290 * A value of 0 indicates that no grace logins are allowed. 291 * 292 * @return Returns the value of the "grace-login-count" property. 293 */ 294 public abstract int getGraceLoginCount(); 295 296 297 298 /** 299 * Gets the "idle-lockout-interval" property. 300 * <p> 301 * Specifies the maximum length of time that an account may remain idle (that 302 * is, the associated user does not authenticate to the server) before that 303 * user is locked out. 304 * <p> 305 * The value of this attribute is an integer followed by a unit of seconds, 306 * minutes, hours, days, or weeks. A value of 0 seconds indicates that idle 307 * accounts are not automatically locked out. This feature is available only 308 * if the last login time is maintained. 309 * 310 * @return Returns the value of the "idle-lockout-interval" property. 311 */ 312 public abstract long getIdleLockoutInterval(); 313 314 315 316 /** 317 * Gets the "last-login-time-attribute" property. 318 * <p> 319 * Specifies the name or OID of the attribute type that is used to hold the 320 * last login time for users with the associated password policy. 321 * <p> 322 * This attribute type must be defined in the directory server schema and must 323 * either be defined as an operational attribute or must be allowed by the set 324 * of objectClasses for all users with the associated password policy. 325 * 326 * @return Returns the value of the "last-login-time-attribute" property. 327 */ 328 public abstract AttributeType getLastLoginTimeAttribute(); 329 330 331 332 /** 333 * Gets the "last-login-time-format" property. 334 * <p> 335 * Specifies the format string that is used to generate the last login time 336 * value for users with the associated password policy. 337 * <p> 338 * This format string conforms to the syntax described in the API 339 * documentation for the java.text.SimpleDateFormat class. 340 * 341 * @return Returns the value of the "last-login-time-format" property. 342 */ 343 public abstract String getLastLoginTimeFormat(); 344 345 346 347 /** 348 * Gets the "lockout-duration" property. 349 * <p> 350 * Specifies the length of time that an account is locked after too many 351 * authentication failures. 352 * <p> 353 * The value of this attribute is an integer followed by a unit of seconds, 354 * minutes, hours, days, or weeks. A value of 0 seconds indicates that the 355 * account must remain locked until an administrator resets the password. 356 * 357 * @return Returns the value of the "lockout-duration" property. 358 */ 359 public abstract long getLockoutDuration(); 360 361 362 363 /** 364 * Gets the "lockout-failure-count" property. 365 * <p> 366 * Specifies the maximum number of authentication failures that a user is 367 * allowed before the account is locked out. 368 * <p> 369 * A value of 0 indicates that accounts are never locked out due to failed 370 * attempts. 371 * 372 * @return Returns the value of the "lockout-failure-count" property. 373 */ 374 public abstract int getLockoutFailureCount(); 375 376 377 378 /** 379 * Gets the "lockout-failure-expiration-interval" property. 380 * <p> 381 * Specifies the length of time before an authentication failure is no longer 382 * counted against a user for the purposes of account lockout. 383 * <p> 384 * The value of this attribute is an integer followed by a unit of seconds, 385 * minutes, hours, days, or weeks. A value of 0 seconds indicates that the 386 * authentication failures must never expire. The failure count is always 387 * cleared upon a successful authentication. 388 * 389 * @return Returns the value of the "lockout-failure-expiration-interval" 390 * property. 391 */ 392 public abstract long getLockoutFailureExpirationInterval(); 393 394 395 396 /** 397 * Gets the "max-password-age" property. 398 * <p> 399 * Specifies the maximum length of time that a user can continue using the 400 * same password before it must be changed (that is, the password expiration 401 * interval). 402 * <p> 403 * The value of this attribute is an integer followed by a unit of seconds, 404 * minutes, hours, days, or weeks. A value of 0 seconds disables password 405 * expiration. 406 * 407 * @return Returns the value of the "max-password-age" property. 408 */ 409 public abstract long getMaxPasswordAge(); 410 411 412 413 /** 414 * Gets the "max-password-reset-age" property. 415 * <p> 416 * Specifies the maximum length of time that users have to change passwords 417 * after they have been reset by an administrator before they become locked. 418 * <p> 419 * The value of this attribute is an integer followed by a unit of seconds, 420 * minutes, hours, days, or weeks. A value of 0 seconds disables this feature. 421 * 422 * @return Returns the value of the "max-password-reset-age" property. 423 */ 424 public abstract long getMaxPasswordResetAge(); 425 426 427 428 /** 429 * Gets the "min-password-age" property. 430 * <p> 431 * Specifies the minimum length of time after a password change before the 432 * user is allowed to change the password again. 433 * <p> 434 * The value of this attribute is an integer followed by a unit of seconds, 435 * minutes, hours, days, or weeks. This setting can be used to prevent users 436 * from changing their passwords repeatedly over a short period of time to 437 * flush an old password from the history so that it can be re-used. 438 * 439 * @return Returns the value of the "min-password-age" property. 440 */ 441 public abstract long getMinPasswordAge(); 442 443 444 445 /** 446 * Gets the "password-attribute" property. 447 * <p> 448 * Specifies the attribute type used to hold user passwords. 449 * <p> 450 * This attribute type must be defined in the server schema, and it must have 451 * either the user password or auth password syntax. 452 * 453 * @return Returns the value of the "password-attribute" property. 454 */ 455 public abstract AttributeType getPasswordAttribute(); 456 457 458 459 /** 460 * Gets the "password-change-requires-current-password" property. 461 * <p> 462 * Indicates whether user password changes must use the password modify 463 * extended operation and must include the user's current password before the 464 * change is allowed. 465 * 466 * @return Returns the value of the 467 * "password-change-requires-current-password" property. 468 */ 469 public abstract boolean isPasswordChangeRequiresCurrentPassword(); 470 471 472 473 /** 474 * Gets the "password-expiration-warning-interval" property. 475 * <p> 476 * Specifies the maximum length of time before a user's password actually 477 * expires that the server begins to include warning notifications in bind 478 * responses for that user. 479 * <p> 480 * The value of this attribute is an integer followed by a unit of seconds, 481 * minutes, hours, days, or weeks. A value of 0 seconds disables the warning 482 * interval. 483 * 484 * @return Returns the value of the "password-expiration-warning-interval" 485 * property. 486 */ 487 public abstract long getPasswordExpirationWarningInterval(); 488 489 490 491 /** 492 * Gets the "password-history-count" property. 493 * <p> 494 * Specifies the maximum number of former passwords to maintain in the 495 * password history. 496 * <p> 497 * When choosing a new password, the proposed password is checked to ensure 498 * that it does not match the current password, nor any other password in the 499 * history list. A value of zero indicates that either no password history is 500 * to be maintained (if the password history duration has a value of zero 501 * seconds), or that there is no maximum number of passwords to maintain in 502 * the history (if the password history duration has a value greater than zero 503 * seconds). 504 * 505 * @return Returns the value of the "password-history-count" property. 506 */ 507 public abstract int getPasswordHistoryCount(); 508 509 510 511 /** 512 * Gets the "password-history-duration" property. 513 * <p> 514 * Specifies the maximum length of time that passwords remain in the password 515 * history. 516 * <p> 517 * When choosing a new password, the proposed password is checked to ensure 518 * that it does not match the current password, nor any other password in the 519 * history list. A value of zero seconds indicates that either no password 520 * history is to be maintained (if the password history count has a value of 521 * zero), or that there is no maximum duration for passwords in the history 522 * (if the password history count has a value greater than zero). 523 * 524 * @return Returns the value of the "password-history-duration" property. 525 */ 526 public abstract long getPasswordHistoryDuration(); 527 528 529 530 /** 531 * Gets the "previous-last-login-time-format" property. 532 * <p> 533 * Specifies the format string(s) that might have been used with the last 534 * login time at any point in the past for users associated with the password 535 * policy. 536 * <p> 537 * These values are used to make it possible to parse previous values, but are 538 * not used to set new values. The format strings conform to the syntax 539 * described in the API documentation for the java.text.SimpleDateFormat 540 * class. 541 * 542 * @return Returns an unmodifiable set containing the values of the 543 * "previous-last-login-time-format" property. 544 */ 545 public abstract SortedSet<String> getPreviousLastLoginTimeFormats(); 546 547 548 549 /** 550 * Gets the "require-secure-authentication" property. 551 * <p> 552 * Indicates whether users with the associated password policy are required to 553 * authenticate in a secure manner. 554 * <p> 555 * This might mean either using a secure communication channel between the 556 * client and the server, or using a SASL mechanism that does not expose the 557 * credentials. 558 * 559 * @return Returns the value of the "require-secure-authentication" property. 560 */ 561 public abstract boolean isRequireSecureAuthentication(); 562 563 564 565 /** 566 * Gets the "require-secure-password-changes" property. 567 * <p> 568 * Indicates whether users with the associated password policy are required to 569 * change their password in a secure manner that does not expose the 570 * credentials. 571 * 572 * @return Returns the value of the "require-secure-password-changes" 573 * property. 574 */ 575 public abstract boolean isRequireSecurePasswordChanges(); 576 577 578 579 /** 580 * Gets the "skip-validation-for-administrators" property. 581 * <p> 582 * Indicates whether passwords set by administrators are allowed to bypass the 583 * password validation process that is required for user password changes. 584 * 585 * @return Returns the value of the "skip-validation-for-administrators" 586 * property. 587 */ 588 public abstract boolean isSkipValidationForAdministrators(); 589 590 591 592 /** 593 * Gets the "state-update-failure-policy" property. 594 * <p> 595 * Specifies how the server deals with the inability to update password policy 596 * state information during an authentication attempt. 597 * <p> 598 * In particular, this property can be used to control whether an otherwise 599 * successful bind operation fails if a failure occurs while attempting to 600 * update password policy state information (for example, to clear a record of 601 * previous authentication failures or to update the last login time). It can 602 * also be used to control whether to reject a bind request if it is known 603 * ahead of time that it will not be possible to update the authentication 604 * failure times in the event of an unsuccessful bind attempt (for example, if 605 * the backend writability mode is disabled). 606 * 607 * @return Returns the value of the "state-update-failure-policy" property. 608 */ 609 public abstract StateUpdateFailurePolicy getStateUpdateFailurePolicy(); 610 611 612 613 /** {@inheritDoc} */ 614 public boolean isPasswordPolicy() 615 { 616 return true; 617 } 618 619 620 621 /** {@inheritDoc} */ 622 public PasswordPolicyState createAuthenticationPolicyState(Entry userEntry, 623 long time) throws DirectoryException 624 { 625 return new PasswordPolicyState(this, userEntry, time); 626 } 627}