001 /*
002 * CDDL HEADER START
003 *
004 * The contents of this file are subject to the terms of the
005 * Common Development and Distribution License, Version 1.0 only
006 * (the "License"). You may not use this file except in compliance
007 * with the License.
008 *
009 * You can obtain a copy of the license at
010 * trunk/opends/resource/legal-notices/OpenDS.LICENSE
011 * or https://OpenDS.dev.java.net/OpenDS.LICENSE.
012 * See the License for the specific language governing permissions
013 * and limitations under the License.
014 *
015 * When distributing Covered Code, include this CDDL HEADER in each
016 * file and include the License file at
017 * trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
018 * add the following below this CDDL HEADER, with the fields enclosed
019 * by brackets "[]" replaced with your own identifying information:
020 * Portions Copyright [yyyy] [name of copyright owner]
021 *
022 * CDDL HEADER END
023 *
024 *
025 * Copyright 2008 Sun Microsystems, Inc.
026 */
027 package org.opends.server.admin.std.client;
028
029
030
031 import java.util.Collection;
032 import java.util.SortedSet;
033 import org.opends.server.admin.ConfigurationClient;
034 import org.opends.server.admin.IllegalPropertyValueException;
035 import org.opends.server.admin.ManagedObjectDefinition;
036 import org.opends.server.admin.std.meta.PasswordPolicyCfgDefn.StateUpdateFailurePolicy;
037 import org.opends.server.admin.std.server.PasswordPolicyCfg;
038 import org.opends.server.types.AttributeType;
039
040
041
042 /**
043 * A client-side interface for reading and modifying Password Policy
044 * settings.
045 * <p>
046 * Password Policies define a number of password management rules, as
047 * well as requirements for authentication processing.
048 */
049 public interface PasswordPolicyCfgClient extends ConfigurationClient {
050
051 /**
052 * Get the configuration definition associated with this Password Policy.
053 *
054 * @return Returns the configuration definition associated with this Password Policy.
055 */
056 ManagedObjectDefinition<? extends PasswordPolicyCfgClient, ? extends PasswordPolicyCfg> definition();
057
058
059
060 /**
061 * Gets the "account-status-notification-handler" property.
062 * <p>
063 * Specifies the names of the account status notification handlers that are used with the associated password storage scheme.
064 * NOTE(review): "password storage scheme" presumably should read "password policy", as in the "password-generator" text; confirm.
065 *
066 * @return Returns the values of the "account-status-notification-handler" property.
067 */
068 SortedSet<String> getAccountStatusNotificationHandler();
069
070
071
072 /**
073 * Sets the "account-status-notification-handler" property.
074 * <p>
075 * Specifies the names of the account status notification handlers that are used with the associated password storage scheme.
076 * NOTE(review): "password storage scheme" presumably should read "password policy", as in the "password-generator" text; confirm.
077 *
078 * @param values The values of the "account-status-notification-handler" property.
079 * @throws IllegalPropertyValueException
080 * If one or more of the new values are invalid.
081 */
082 void setAccountStatusNotificationHandler(Collection<String> values) throws IllegalPropertyValueException;
083
084
085
086 /**
087 * Gets the "allow-expired-password-changes" property.
088 * <p>
089 * Indicates whether a user whose password is expired is still
090 * allowed to change that password using the password modify extended
091 * operation.
092 *
093 * @return Returns the value of the "allow-expired-password-changes" property.
094 */
095 boolean isAllowExpiredPasswordChanges();
096
097
098
099 /**
100 * Sets the "allow-expired-password-changes" property.
101 * <p>
102 * Indicates whether a user whose password is expired is still
103 * allowed to change that password using the password modify extended
104 * operation.
105 *
106 * @param value The value of the "allow-expired-password-changes" property.
107 * @throws IllegalPropertyValueException
108 * If the new value is invalid.
109 */
110 void setAllowExpiredPasswordChanges(Boolean value) throws IllegalPropertyValueException;
111
112
113
114 /**
115 * Gets the "allow-multiple-password-values" property.
116 * <p>
117 * Indicates whether user entries can have multiple distinct values
118 * for the password attribute.
119 * <p>
120 * This is potentially dangerous because many mechanisms used to
121 * change the password do not work well with such a configuration. If
122 * multiple password values are allowed, then any of them can be used
123 * to authenticate, and they are all subject to the same policy
124 * constraints.
125 *
126 * @return Returns the value of the "allow-multiple-password-values" property.
127 */
128 boolean isAllowMultiplePasswordValues();
129
130
131
132 /**
133 * Sets the "allow-multiple-password-values" property.
134 * <p>
135 * Indicates whether user entries can have multiple distinct values
136 * for the password attribute.
137 * <p>
138 * This is potentially dangerous because many mechanisms used to
139 * change the password do not work well with such a configuration. If
140 * multiple password values are allowed, then any of them can be used
141 * to authenticate, and they are all subject to the same policy
142 * constraints.
143 *
144 * @param value The value of the "allow-multiple-password-values" property.
145 * @throws IllegalPropertyValueException
146 * If the new value is invalid.
147 */
148 void setAllowMultiplePasswordValues(Boolean value) throws IllegalPropertyValueException;
149
150
151
152 /**
153 * Gets the "allow-pre-encoded-passwords" property.
154 * <p>
155 * Indicates whether users can change their passwords by providing a
156 * pre-encoded value.
157 * <p>
158 * This can cause a security risk because the clear-text version of
159 * the password is not known and therefore validation checks cannot
160 * be applied to it.
161 *
162 * @return Returns the value of the "allow-pre-encoded-passwords" property.
163 */
164 boolean isAllowPreEncodedPasswords();
165
166
167
168 /**
169 * Sets the "allow-pre-encoded-passwords" property.
170 * <p>
171 * Indicates whether users can change their passwords by providing a
172 * pre-encoded value.
173 * <p>
174 * This can cause a security risk because the clear-text version of
175 * the password is not known and therefore validation checks cannot
176 * be applied to it.
177 *
178 * @param value The value of the "allow-pre-encoded-passwords" property.
179 * @throws IllegalPropertyValueException
180 * If the new value is invalid.
181 */
182 void setAllowPreEncodedPasswords(Boolean value) throws IllegalPropertyValueException;
183
184
185
186 /**
187 * Gets the "allow-user-password-changes" property.
188 * <p>
189 * Indicates whether users can change their own passwords.
190 * <p>
191 * This check is made in addition to access control evaluation. Both
192 * must allow the password change for it to occur.
193 *
194 * @return Returns the value of the "allow-user-password-changes" property.
195 */
196 boolean isAllowUserPasswordChanges();
197
198
199
200 /**
201 * Sets the "allow-user-password-changes" property.
202 * <p>
203 * Indicates whether users can change their own passwords.
204 * <p>
205 * This check is made in addition to access control evaluation. Both
206 * must allow the password change for it to occur.
207 *
208 * @param value The value of the "allow-user-password-changes" property.
209 * @throws IllegalPropertyValueException
210 * If the new value is invalid.
211 */
212 void setAllowUserPasswordChanges(Boolean value) throws IllegalPropertyValueException;
213
214
215
216 /**
217 * Gets the "default-password-storage-scheme" property.
218 * <p>
219 * Specifies the names of the password storage schemes that are used
220 * to encode clear-text passwords for this password policy.
221 *
222 * @return Returns the values of the "default-password-storage-scheme" property.
223 */
224 SortedSet<String> getDefaultPasswordStorageScheme();
225
226
227
228 /**
229 * Sets the "default-password-storage-scheme" property.
230 * <p>
231 * Specifies the names of the password storage schemes that are used
232 * to encode clear-text passwords for this password policy.
233 *
234 * @param values The values of the "default-password-storage-scheme" property.
235 * @throws IllegalPropertyValueException
236 * If one or more of the new values are invalid.
237 */
238 void setDefaultPasswordStorageScheme(Collection<String> values) throws IllegalPropertyValueException;
239
240
241
242 /**
243 * Gets the "deprecated-password-storage-scheme" property.
244 * <p>
245 * Specifies the names of the password storage schemes that are
246 * considered deprecated for this password policy.
247 * <p>
248 * If a user with this password policy authenticates to the server
249 * and his/her password is encoded with a deprecated scheme, those
250 * values are removed and replaced with values encoded using the
251 * default password storage scheme(s).
252 *
253 * @return Returns the values of the "deprecated-password-storage-scheme" property.
254 */
255 SortedSet<String> getDeprecatedPasswordStorageScheme();
256
257
258
259 /**
260 * Sets the "deprecated-password-storage-scheme" property.
261 * <p>
262 * Specifies the names of the password storage schemes that are
263 * considered deprecated for this password policy.
264 * <p>
265 * If a user with this password policy authenticates to the server
266 * and his/her password is encoded with a deprecated scheme, those
267 * values are removed and replaced with values encoded using the
268 * default password storage scheme(s).
269 *
270 * @param values The values of the "deprecated-password-storage-scheme" property.
271 * @throws IllegalPropertyValueException
272 * If one or more of the new values are invalid.
273 */
274 void setDeprecatedPasswordStorageScheme(Collection<String> values) throws IllegalPropertyValueException;
275
276
277
278 /**
279 * Gets the "expire-passwords-without-warning" property.
280 * <p>
281 * Indicates whether the Directory Server allows a user's password
282 * to expire even if that user has never seen an expiration warning
283 * notification.
284 * <p>
285 * If this property is true, accounts always expire when the
286 * expiration time arrives. If this property is false, the
287 * user always receives at least one warning notification, and the
288 * password expiration is set to the warning time plus the warning
289 * interval (see the "password-expiration-warning-interval" property).
290 *
291 * @return Returns the value of the "expire-passwords-without-warning" property.
292 */
293 boolean isExpirePasswordsWithoutWarning();
294
295
296
297 /**
298 * Sets the "expire-passwords-without-warning" property.
299 * <p>
300 * Indicates whether the Directory Server allows a user's password
301 * to expire even if that user has never seen an expiration warning
302 * notification.
303 * <p>
304 * If this property is true, accounts always expire when the
305 * expiration time arrives. If this property is false, the
306 * user always receives at least one warning notification, and the
307 * password expiration is set to the warning time plus the warning
308 * interval (see the "password-expiration-warning-interval" property).
309 *
310 * @param value The value of the "expire-passwords-without-warning" property.
311 * @throws IllegalPropertyValueException
312 * If the new value is invalid.
313 */
314 void setExpirePasswordsWithoutWarning(Boolean value) throws IllegalPropertyValueException;
315
316
317
318 /**
319 * Gets the "force-change-on-add" property.
320 * <p>
321 * Indicates whether users are forced to change their passwords upon
322 * first authenticating to the Directory Server after their account
323 * has been created.
324 *
325 * @return Returns the value of the "force-change-on-add" property.
326 */
327 boolean isForceChangeOnAdd();
328
329
330
331 /**
332 * Sets the "force-change-on-add" property.
333 * <p>
334 * Indicates whether users are forced to change their passwords upon
335 * first authenticating to the Directory Server after their account
336 * has been created.
337 *
338 * @param value The value of the "force-change-on-add" property.
339 * @throws IllegalPropertyValueException
340 * If the new value is invalid.
341 */
342 void setForceChangeOnAdd(Boolean value) throws IllegalPropertyValueException;
343
344
345
346 /**
347 * Gets the "force-change-on-reset" property.
348 * <p>
349 * Indicates whether users are forced to change their passwords if
350 * they are reset by an administrator.
351 * <p>
352 * For this purpose, anyone with permission to change a given user's
353 * password other than that user is considered an administrator.
354 *
355 * @return Returns the value of the "force-change-on-reset" property.
356 */
357 boolean isForceChangeOnReset();
358
359
360
361 /**
362 * Sets the "force-change-on-reset" property.
363 * <p>
364 * Indicates whether users are forced to change their passwords if
365 * they are reset by an administrator.
366 * <p>
367 * For this purpose, anyone with permission to change a given user's
368 * password other than that user is considered an administrator.
369 *
370 * @param value The value of the "force-change-on-reset" property.
371 * @throws IllegalPropertyValueException
372 * If the new value is invalid.
373 */
374 void setForceChangeOnReset(Boolean value) throws IllegalPropertyValueException;
375
376
377
378 /**
379 * Gets the "grace-login-count" property.
380 * <p>
381 * Specifies the number of grace logins that a user is allowed after
382 * the account has expired to allow that user to choose a new
383 * password.
384 * <p>
385 * A value of 0 indicates that no grace logins are allowed.
386 *
387 * @return Returns the value of the "grace-login-count" property.
388 */
389 int getGraceLoginCount();
390
391
392
393 /**
394 * Sets the "grace-login-count" property.
395 * <p>
396 * Specifies the number of grace logins that a user is allowed after
397 * the account has expired to allow that user to choose a new
398 * password.
399 * <p>
400 * A value of 0 indicates that no grace logins are allowed.
401 *
402 * @param value The value of the "grace-login-count" property.
403 * @throws IllegalPropertyValueException
404 * If the new value is invalid.
405 */
406 void setGraceLoginCount(Integer value) throws IllegalPropertyValueException;
407
408
409
410 /**
411 * Gets the "idle-lockout-interval" property.
412 * <p>
413 * Specifies the maximum length of time that an account may remain
414 * idle (that is, the associated user does not authenticate to the
415 * server) before that user is locked out.
416 * <p>
417 * The value of this attribute is an integer followed by a unit of
418 * seconds, minutes, hours, days, or weeks. A value of 0 seconds
419 * indicates that idle accounts are not automatically locked out.
420 * This feature is available only if the last login time is
421 * maintained (see the "last-login-time-attribute" and "last-login-time-format" properties).
422 *
423 * @return Returns the value of the "idle-lockout-interval" property.
424 */
425 long getIdleLockoutInterval();
426
427
428
429 /**
430 * Sets the "idle-lockout-interval" property.
431 * <p>
432 * Specifies the maximum length of time that an account may remain
433 * idle (that is, the associated user does not authenticate to the
434 * server) before that user is locked out.
435 * <p>
436 * The value of this attribute is an integer followed by a unit of
437 * seconds, minutes, hours, days, or weeks. A value of 0 seconds
438 * indicates that idle accounts are not automatically locked out.
439 * This feature is available only if the last login time is
440 * maintained (see the "last-login-time-attribute" and "last-login-time-format" properties).
441 *
442 * @param value The value of the "idle-lockout-interval" property.
443 * @throws IllegalPropertyValueException
444 * If the new value is invalid.
445 */
446 void setIdleLockoutInterval(Long value) throws IllegalPropertyValueException;
447
448
449
450 /**
451 * Gets the "last-login-time-attribute" property.
452 * <p>
453 * Specifies the name or OID of the attribute type that is used to
454 * hold the last login time for users with the associated password
455 * policy.
456 * <p>
457 * This attribute type must be defined in the Directory Server
458 * schema and must either be defined as an operational attribute or
459 * must be allowed by the set of objectClasses for all users with the
460 * associated password policy.
461 *
462 * @return Returns the value of the "last-login-time-attribute" property.
463 */
464 AttributeType getLastLoginTimeAttribute();
465
466
467
468 /**
469 * Sets the "last-login-time-attribute" property.
470 * <p>
471 * Specifies the name or OID of the attribute type that is used to
472 * hold the last login time for users with the associated password
473 * policy.
474 * <p>
475 * This attribute type must be defined in the Directory Server
476 * schema and must either be defined as an operational attribute or
477 * must be allowed by the set of objectClasses for all users with the
478 * associated password policy.
479 *
480 * @param value The value of the "last-login-time-attribute" property.
481 * @throws IllegalPropertyValueException
482 * If the new value is invalid.
483 */
484 void setLastLoginTimeAttribute(AttributeType value) throws IllegalPropertyValueException;
485
486
487
488 /**
489 * Gets the "last-login-time-format" property.
490 * <p>
491 * Specifies the format string that is used to generate the last
492 * login time value for users with the associated password policy.
493 * <p>
494 * This format string conforms to the syntax described in the API
495 * documentation for the java.text.SimpleDateFormat class.
496 *
497 * @return Returns the value of the "last-login-time-format" property.
498 */
499 String getLastLoginTimeFormat();
500
501
502
503 /**
504 * Sets the "last-login-time-format" property.
505 * <p>
506 * Specifies the format string that is used to generate the last
507 * login time value for users with the associated password policy.
508 * <p>
509 * This format string conforms to the syntax described in the API
510 * documentation for the java.text.SimpleDateFormat class.
511 *
512 * @param value The value of the "last-login-time-format" property.
513 * @throws IllegalPropertyValueException
514 * If the new value is invalid.
515 */
516 void setLastLoginTimeFormat(String value) throws IllegalPropertyValueException;
517
518
519
520 /**
521 * Gets the "lockout-duration" property.
522 * <p>
523 * Specifies the length of time that an account is locked after too
524 * many authentication failures.
525 * <p>
526 * The value of this attribute is an integer followed by a unit of
527 * seconds, minutes, hours, days, or weeks. A value of 0 seconds
528 * indicates that the account must remain locked until an
529 * administrator resets the password.
530 *
531 * @return Returns the value of the "lockout-duration" property.
532 */
533 long getLockoutDuration();
534
535
536
537 /**
538 * Sets the "lockout-duration" property.
539 * <p>
540 * Specifies the length of time that an account is locked after too
541 * many authentication failures.
542 * <p>
543 * The value of this attribute is an integer followed by a unit of
544 * seconds, minutes, hours, days, or weeks. A value of 0 seconds
545 * indicates that the account must remain locked until an
546 * administrator resets the password.
547 *
548 * @param value The value of the "lockout-duration" property.
549 * @throws IllegalPropertyValueException
550 * If the new value is invalid.
551 */
552 void setLockoutDuration(Long value) throws IllegalPropertyValueException;
553
554
555
556 /**
557 * Gets the "lockout-failure-count" property.
558 * <p>
559 * Specifies the maximum number of authentication failures that a
560 * user is allowed before the account is locked out.
561 * <p>
562 * A value of 0 disables this lockout: accounts are then never locked
563 * out due to failed attempts, however many failures occur.
564 *
565 * @return Returns the value of the "lockout-failure-count" property.
566 */
567 int getLockoutFailureCount();
568
569
570
571 /**
572 * Sets the "lockout-failure-count" property.
573 * <p>
574 * Specifies the maximum number of authentication failures that a
575 * user is allowed before the account is locked out.
576 * <p>
577 * A value of 0 disables this lockout: accounts are then never locked
578 * out due to failed attempts, however many failures occur.
579 *
580 * @param value The value of the "lockout-failure-count" property.
581 * @throws IllegalPropertyValueException
582 * If the new value is invalid.
583 */
584 void setLockoutFailureCount(Integer value) throws IllegalPropertyValueException;
585
586
587
588 /**
589 * Gets the "lockout-failure-expiration-interval" property.
590 * <p>
591 * Specifies the length of time before an authentication failure is
592 * no longer counted against a user for the purposes of account
593 * lockout.
594 * <p>
595 * The value of this attribute is an integer followed by a unit of
596 * seconds, minutes, hours, days, or weeks. A value of 0 seconds
597 * indicates that the authentication failures must never expire. The
598 * failure count is always cleared upon a successful authentication.
599 *
600 * @return Returns the value of the "lockout-failure-expiration-interval" property.
601 */
602 long getLockoutFailureExpirationInterval();
603
604
605
606 /**
607 * Sets the "lockout-failure-expiration-interval" property.
608 * <p>
609 * Specifies the length of time before an authentication failure is
610 * no longer counted against a user for the purposes of account
611 * lockout.
612 * <p>
613 * The value of this attribute is an integer followed by a unit of
614 * seconds, minutes, hours, days, or weeks. A value of 0 seconds
615 * indicates that the authentication failures must never expire. The
616 * failure count is always cleared upon a successful authentication.
617 *
618 * @param value The value of the "lockout-failure-expiration-interval" property.
619 * @throws IllegalPropertyValueException
620 * If the new value is invalid.
621 */
622 void setLockoutFailureExpirationInterval(Long value) throws IllegalPropertyValueException;
623
624
625
626 /**
627 * Gets the "max-password-age" property.
628 * <p>
629 * Specifies the maximum length of time that a user can continue
630 * using the same password before it must be changed (that is, the
631 * password expiration interval).
632 * <p>
633 * The value of this attribute is an integer followed by a unit of
634 * seconds, minutes, hours, days, or weeks. A value of 0 seconds
635 * disables password expiration.
636 *
637 * @return Returns the value of the "max-password-age" property.
638 */
639 long getMaxPasswordAge();
640
641
642
643 /**
644 * Sets the "max-password-age" property.
645 * <p>
646 * Specifies the maximum length of time that a user can continue
647 * using the same password before it must be changed (that is, the
648 * password expiration interval).
649 * <p>
650 * The value of this attribute is an integer followed by a unit of
651 * seconds, minutes, hours, days, or weeks. A value of 0 seconds
652 * disables password expiration.
653 *
654 * @param value The value of the "max-password-age" property.
655 * @throws IllegalPropertyValueException
656 * If the new value is invalid.
657 */
658 void setMaxPasswordAge(Long value) throws IllegalPropertyValueException;
659
660
661
662 /**
663 * Gets the "max-password-reset-age" property.
664 * <p>
665 * Specifies the maximum length of time that users have to change
666 * passwords after they have been reset by an administrator before
667 * they become locked.
668 * <p>
669 * The value of this attribute is an integer followed by a unit of
670 * seconds, minutes, hours, days, or weeks. A value of 0 seconds
671 * disables this feature.
672 *
673 * @return Returns the value of the "max-password-reset-age" property.
674 */
675 long getMaxPasswordResetAge();
676
677
678
679 /**
680 * Sets the "max-password-reset-age" property.
681 * <p>
682 * Specifies the maximum length of time that users have to change
683 * passwords after they have been reset by an administrator before
684 * they become locked.
685 * <p>
686 * The value of this attribute is an integer followed by a unit of
687 * seconds, minutes, hours, days, or weeks. A value of 0 seconds
688 * disables this feature.
689 *
690 * @param value The value of the "max-password-reset-age" property.
691 * @throws IllegalPropertyValueException
692 * If the new value is invalid.
693 */
694 void setMaxPasswordResetAge(Long value) throws IllegalPropertyValueException;
695
696
697
698 /**
699 * Gets the "min-password-age" property.
700 * <p>
701 * Specifies the minimum length of time after a password change
702 * before the user is allowed to change the password again.
703 * <p>
704 * The value of this attribute is an integer followed by a unit of
705 * seconds, minutes, hours, days, or weeks. This setting can be used
706 * to prevent users from changing their passwords repeatedly over a
707 * short period of time to flush an old password from the history so
708 * that it can be re-used.
709 *
710 * @return Returns the value of the "min-password-age" property.
711 */
712 long getMinPasswordAge();
713
714
715
716 /**
717 * Sets the "min-password-age" property.
718 * <p>
719 * Specifies the minimum length of time after a password change
720 * before the user is allowed to change the password again.
721 * <p>
722 * The value of this attribute is an integer followed by a unit of
723 * seconds, minutes, hours, days, or weeks. This setting can be used
724 * to prevent users from changing their passwords repeatedly over a
725 * short period of time to flush an old password from the history so
726 * that it can be re-used.
727 *
728 * @param value The value of the "min-password-age" property.
729 * @throws IllegalPropertyValueException
730 * If the new value is invalid.
731 */
732 void setMinPasswordAge(Long value) throws IllegalPropertyValueException;
733
734
735
736 /**
737 * Gets the "password-attribute" property.
738 * <p>
739 * Specifies the attribute type used to hold user passwords.
740 * <p>
741 * This attribute type must be defined in the server schema, and it
742 * must have either the user password or auth password syntax.
743 *
744 * @return Returns the value of the "password-attribute" property.
745 */
746 AttributeType getPasswordAttribute();
747
748
749
750 /**
751 * Sets the "password-attribute" property.
752 * <p>
753 * Specifies the attribute type used to hold user passwords.
754 * <p>
755 * This attribute type must be defined in the server schema, and it
756 * must have either the user password or auth password syntax.
757 *
758 * @param value The value of the "password-attribute" property.
759 * @throws IllegalPropertyValueException
760 * If the new value is invalid.
761 */
762 void setPasswordAttribute(AttributeType value) throws IllegalPropertyValueException;
763
764
765
766 /**
767 * Gets the "password-change-requires-current-password" property.
768 * <p>
769 * Indicates whether user password changes must use the password
770 * modify extended operation and must include the user's current
771 * password before the change is allowed.
772 *
773 * @return Returns the value of the "password-change-requires-current-password" property.
774 */
775 boolean isPasswordChangeRequiresCurrentPassword();
776
777
778
779 /**
780 * Sets the "password-change-requires-current-password" property.
781 * <p>
782 * Indicates whether user password changes must use the password
783 * modify extended operation and must include the user's current
784 * password before the change is allowed.
785 *
786 * @param value The value of the "password-change-requires-current-password" property.
787 * @throws IllegalPropertyValueException
788 * If the new value is invalid.
789 */
790 void setPasswordChangeRequiresCurrentPassword(Boolean value) throws IllegalPropertyValueException;
791
792
793
794 /**
795 * Gets the "password-expiration-warning-interval" property.
796 * <p>
797 * Specifies the maximum length of time before a user's password
798 * actually expires that the server begins to include warning
799 * notifications in bind responses for that user.
800 * <p>
801 * The value of this attribute is an integer followed by a unit of
802 * seconds, minutes, hours, days, or weeks. A value of 0 seconds
803 * disables the warning interval.
804 *
805 * @return Returns the value of the "password-expiration-warning-interval" property.
806 */
807 long getPasswordExpirationWarningInterval();
808
809
810
811 /**
812 * Sets the "password-expiration-warning-interval" property.
813 * <p>
814 * Specifies the maximum length of time before a user's password
815 * actually expires that the server begins to include warning
816 * notifications in bind responses for that user.
817 * <p>
818 * The value of this attribute is an integer followed by a unit of
819 * seconds, minutes, hours, days, or weeks. A value of 0 seconds
820 * disables the warning interval.
821 *
822 * @param value The value of the "password-expiration-warning-interval" property.
823 * @throws IllegalPropertyValueException
824 * If the new value is invalid.
825 */
826 void setPasswordExpirationWarningInterval(Long value) throws IllegalPropertyValueException;
827
828
829
830 /**
831 * Gets the "password-generator" property.
832 * <p>
833 * Specifies the name of the password generator that is used with
834 * the associated password policy.
835 * <p>
836 * This is used in conjunction with the password modify extended
837 * operation to generate a new password for a user when none was
838 * provided in the request.
839 *
840 * @return Returns the value of the "password-generator" property.
841 */
842 String getPasswordGenerator();
843
844
845
846 /**
847 * Sets the "password-generator" property.
848 * <p>
849 * Specifies the name of the password generator that is used with
850 * the associated password policy.
851 * <p>
852 * This is used in conjunction with the password modify extended
853 * operation to generate a new password for a user when none was
854 * provided in the request.
855 *
856 * @param value The value of the "password-generator" property.
857 * @throws IllegalPropertyValueException
858 * If the new value is invalid.
859 */
860 void setPasswordGenerator(String value) throws IllegalPropertyValueException;
861
862
863
864 /**
865 * Gets the "password-history-count" property.
866 * <p>
867 * Specifies the maximum number of former passwords to maintain in
868 * the password history.
869 * <p>
870 * When choosing a new password, the proposed password is checked to
871 * ensure that it does not match the current password, nor any other
872 * password in the history list. A value of zero indicates that
873 * either no password history is to be maintained (if the password
874 * history duration has a value of zero seconds), or that there is no
875 * maximum number of passwords to maintain in the history (if the
876 * password history duration has a value greater than zero seconds).
877 *
878 * @return Returns the value of the "password-history-count" property.
879 */
880 int getPasswordHistoryCount();
881
882
883
884 /**
885 * Sets the "password-history-count" property.
886 * <p>
887 * Specifies the maximum number of former passwords to maintain in
888 * the password history.
889 * <p>
890 * When choosing a new password, the proposed password is checked to
891 * ensure that it does not match the current password, nor any other
892 * password in the history list. A value of zero indicates that
893 * either no password history is to be maintained (if the password
894 * history duration has a value of zero seconds), or that there is no
895 * maximum number of passwords to maintain in the history (if the
896 * password history duration has a value greater than zero seconds).
897 *
898 * @param value The value of the "password-history-count" property.
899 * @throws IllegalPropertyValueException
900 * If the new value is invalid.
901 */
902 void setPasswordHistoryCount(Integer value) throws IllegalPropertyValueException;
903
904
905
906 /**
907 * Gets the "password-history-duration" property.
908 * <p>
909 * Specifies the maximum length of time that passwords remain in the password history.
910 * <p>
911 * When choosing a new password, the proposed password is checked to ensure that it does
912 * not match the current password, nor any other password in the history list.
913 * <p>
914 * Zero seconds is interpreted together with the "password-history-count" property: if
915 * that count is also zero, no password history is maintained; if it is greater than
916 * zero, there is no maximum duration for passwords in the history.
917 *
918 * @return Returns the value of the "password-history-duration" property.
919 * NOTE(review): the unit of the returned long is not stated here (the text speaks
920 * of seconds) - confirm against the property definition before converting.
921 */
922 long getPasswordHistoryDuration();
923
924
925
926 /**
927 * Sets the "password-history-duration" property.
928 * <p>
929 * Specifies the maximum length of time that passwords remain in the password history.
930 * <p>
931 * When choosing a new password, the proposed password is checked to ensure that it does
932 * not match the current password, nor any other password in the history list.
933 * <p>
934 * Zero seconds is interpreted together with the "password-history-count" property: if
935 * that count is also zero, no password history is maintained; if it is greater than
936 * zero, there is no maximum duration for passwords in the history.
937 * With no history maintained there is no history list to compare a new password against.
938 *
939 * @param value The value of the "password-history-duration" property.
940 * NOTE(review): the unit expected for this Long is not stated here (the text speaks
941 * of seconds), nor is the meaning of null - confirm both before calling.
942 * @throws IllegalPropertyValueException If the new value is invalid.
943 */
944 void setPasswordHistoryDuration(Long value) throws IllegalPropertyValueException;
945
946
947
948 /**
949 * Gets the "password-validator" property.
950 * <p>
951 * Specifies the names of the password validators that are used with the associated
952 * password storage scheme.
953 * <p>
954 * The password validators are invoked when a user attempts to provide a new password, to
955 * determine whether the new password is acceptable. NOTE(review): what happens when the
956 * set is empty is not stated here; presumably no validator runs - confirm.
957 *
958 * @return Returns the values of the "password-validator" property.
959 */
960 SortedSet<String> getPasswordValidator();
961
962
963
964 /**
965 * Sets the "password-validator" property.
966 * <p>
967 * Specifies the names of the password validators that are used with the associated
968 * password storage scheme.
969 * <p>
970 * The password validators are invoked when a user attempts to provide a new password, to
971 * determine whether the new password is acceptable, so this collection decides which
972 * checks a new password has to pass. NOTE(review): the effect of an empty or null
973 * collection is not stated here; presumably no validator runs - confirm.
974 *
975 * @param values The values of the "password-validator" property.
976 * @throws IllegalPropertyValueException If one or more of the new values are invalid.
977 */
978 void setPasswordValidator(Collection<String> values) throws IllegalPropertyValueException;
979
980
981
982 /**
983 * Gets the "previous-last-login-time-format" property.
984 * <p>
985 * Specifies the format string(s) that might have been used with the last login time at
986 * any point in the past for users associated with the password policy.
987 * <p>
988 * These values are used to make it possible to parse previous values, but are not used to
989 * set new values. The format strings conform to the syntax described in the API
990 * documentation for the java.text.SimpleDateFormat class.
991 * NOTE(review): how a stored last login time that matches none of the configured formats
992 * is treated is not stated here - confirm before depending on the parsed value.
993 *
994 * @return Returns the values of the "previous-last-login-time-format" property.
995 */
996 SortedSet<String> getPreviousLastLoginTimeFormat();
997
998
999
1000 /**
1001 * Sets the "previous-last-login-time-format" property.
1002 * <p>
1003 * Specifies the format string(s) that might have been used with the last login time at
1004 * any point in the past for users associated with the password policy.
1005 * <p>
1006 * These values are used to make it possible to parse previous values, but are not used to
1007 * set new values. The format strings conform to the syntax described in the API
1008 * documentation for the java.text.SimpleDateFormat class.
1009 * NOTE(review): how a stored last login time that matches none of the configured formats
1010 * is treated is not stated here - confirm before dropping a format from the collection.
1011 *
1012 * @param values The values of the "previous-last-login-time-format" property.
1013 * @throws IllegalPropertyValueException
1014 * If one or more of the new values are invalid.
1015 */
1016 void setPreviousLastLoginTimeFormat(Collection<String> values) throws IllegalPropertyValueException;
1017
1018
1019
1020 /**
1021 * Gets the "require-change-by-time" property.
1022 * <p>
1023 * Specifies the time by which all users with the associated password policy must change
1024 * their passwords.
1025 * <p>
1026 * The value is expressed in a generalized time format. If this time is equal to the
1027 * current time or is in the past, then all users are required to change their passwords
1028 * immediately. The behavior of the server in this mode is identical to the behavior
1029 * observed when users are forced to change their passwords after an administrative reset.
1030 *
1031 * @return Returns the value of the "require-change-by-time" property.
1032 * NOTE(review): the value returned when the property is unset is not stated here
1033 * (possibly null) - confirm before parsing it.
1034 */
1035 String getRequireChangeByTime();
1036
1037
1038
1039 /**
1040 * Sets the "require-change-by-time" property.
1041 * <p>
1042 * Specifies the time by which all users with the associated password policy must change
1043 * their passwords.
1044 * <p>
1045 * The value is expressed in a generalized time format. If this time is equal to the
1046 * current time or is in the past, then all users are required to change their passwords
1047 * immediately. The behavior of the server in this mode is identical to the behavior
1048 * observed when users are forced to change their passwords after an administrative reset.
1049 * <p>
1050 * Because a time at or before the current time applies to every user of the policy at
1051 * once, a wrong value forces an immediate password change for all of them.
1052 *
1053 * @param value The value of the "require-change-by-time" property.
1054 * @throws IllegalPropertyValueException If the new value is invalid.
1055 */
1056 void setRequireChangeByTime(String value) throws IllegalPropertyValueException;
1057
1058
1059
1060 /**
1061 * Gets the "require-secure-authentication" property.
1062 * <p>
1063 * Indicates whether users with the associated password policy are required to
1064 * authenticate in a secure manner.
1065 * <p>
1066 * This might mean either using a secure communication channel between the client and the
1067 * server, or using a SASL mechanism that does not expose the credentials. When this is
1068 * false, the policy itself does not demand either protection for authentication.
1069 *
1070 * @return Returns the value of the "require-secure-authentication" property.
1071 */
1072 boolean isRequireSecureAuthentication();
1073
1074
1075
1076 /**
1077 * Sets the "require-secure-authentication" property.
1078 * <p>
1079 * Indicates whether users with the associated password policy are required to
1080 * authenticate in a secure manner.
1081 * <p>
1082 * This might mean either using a secure communication channel between the client and the
1083 * server, or using a SASL mechanism that does not expose the credentials. Setting this to
1084 * false removes that requirement from the policy; what else protects credentials then
1085 * is not shown here.
1086 *
1087 * @param value The value of the "require-secure-authentication" property.
1088 * @throws IllegalPropertyValueException If the new value is invalid.
1089 */
1090 void setRequireSecureAuthentication(Boolean value) throws IllegalPropertyValueException;
1091
1092
1093
1094 /**
1095 * Gets the "require-secure-password-changes" property.
1096 * <p>
1097 * Indicates whether users with the associated password policy are required to change
1098 * their password in a secure manner that does not expose the credentials.
1099 * NOTE(review): which channels or mechanisms count as secure is not stated here - confirm.
1100 *
1101 * @return Returns the value of the "require-secure-password-changes" property.
1102 */
1103 boolean isRequireSecurePasswordChanges();
1104
1105
1106
1107 /**
1108 * Sets the "require-secure-password-changes" property.
1109 * <p>
1110 * Indicates whether users with the associated password policy are required to change
1111 * their password in a secure manner that does not expose the credentials.
1112 * NOTE(review): which channels or mechanisms count as secure is not stated here - confirm.
1113 *
1114 * @param value The value of the "require-secure-password-changes" property.
1115 * @throws IllegalPropertyValueException
1116 * If the new value is invalid.
1117 */
1118 void setRequireSecurePasswordChanges(Boolean value) throws IllegalPropertyValueException;
1119
1120
1121
1122 /**
1123 * Gets the "skip-validation-for-administrators" property.
1124 * <p>
1125 * Indicates whether passwords set by administrators are allowed to bypass the password
1126 * validation process that is required for user password changes. When true, a password
1127 * chosen by an administrator is not held to the checks that users' own changes must pass.
1128 *
1129 * @return Returns the value of the "skip-validation-for-administrators" property.
1130 */
1131 boolean isSkipValidationForAdministrators();
1132
1133
1134
1135 /**
1136 * Sets the "skip-validation-for-administrators" property.
1137 * <p>
1138 * Indicates whether passwords set by administrators are allowed to bypass the password
1139 * validation process that is required for user password changes. When set to true, a
1140 * password chosen by an administrator is not held to the checks users' changes must pass.
1141 *
1142 * @param value The value of the "skip-validation-for-administrators" property.
1143 * @throws IllegalPropertyValueException
1144 * If the new value is invalid.
1145 */
1146 void setSkipValidationForAdministrators(Boolean value) throws IllegalPropertyValueException;
1147
1148
1149
1150 /**
1151 * Gets the "state-update-failure-policy" property.
1152 * <p>
1153 * Specifies how the server deals with the inability to update password policy state
1154 * information during an authentication attempt.
1155 * <p>
1156 * In particular, this property can be used to control whether an otherwise successful
1157 * bind operation fails if a failure occurs while attempting to update password policy
1158 * state information (for example, to clear a record of previous authentication failures
1159 * or to update the last login time). It can also be used to control whether to reject a
1160 * bind request if it is known ahead of time that it will not be possible to update the
1161 * authentication failure times in the event of an unsuccessful bind attempt (for example,
1162 * if the backend writability mode is disabled).
1163 * <p>
1164 * NOTE(review): when binds are allowed to proceed although failure times cannot be
1165 * recorded, anything that depends on those records sees incomplete data - confirm impact.
1166 *
1167 * @return Returns the value of the "state-update-failure-policy" property.
1168 */
1169 StateUpdateFailurePolicy getStateUpdateFailurePolicy();
1170
1171
1172
1173 /**
1174 * Sets the "state-update-failure-policy" property.
1175 * <p>
1176 * Specifies how the server deals with the inability to update password policy state
1177 * information during an authentication attempt.
1178 * <p>
1179 * In particular, this property can be used to control whether an otherwise successful
1180 * bind operation fails if a failure occurs while attempting to update password policy
1181 * state information (for example, to clear a record of previous authentication failures
1182 * or to update the last login time). It can also be used to control whether to reject a
1183 * bind request if it is known ahead of time that it will not be possible to update the
1184 * authentication failure times in the event of an unsuccessful bind attempt (for example,
1185 * if the backend writability mode is disabled).
1186 * <p>
1187 * NOTE(review): when binds are allowed to proceed although failure times cannot be
1188 * recorded, anything that depends on those records sees incomplete data - confirm impact.
1189 *
1190 * @param value The value of the "state-update-failure-policy" property.
1191 * @throws IllegalPropertyValueException
1192 * If the new value is invalid.
1193 */
1194 void setStateUpdateFailurePolicy(StateUpdateFailurePolicy value) throws IllegalPropertyValueException;
1195
1196 }