001 /*
002 * CDDL HEADER START
003 *
004 * The contents of this file are subject to the terms of the
005 * Common Development and Distribution License, Version 1.0 only
006 * (the "License"). You may not use this file except in compliance
007 * with the License.
008 *
009 * You can obtain a copy of the license at
010 * trunk/opends/resource/legal-notices/OpenDS.LICENSE
011 * or https://OpenDS.dev.java.net/OpenDS.LICENSE.
012 * See the License for the specific language governing permissions
013 * and limitations under the License.
014 *
015 * When distributing Covered Code, include this CDDL HEADER in each
016 * file and include the License file at
017 * trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
018 * add the following below this CDDL HEADER, with the fields enclosed
019 * by brackets "[]" replaced with your own identifying information:
020 * Portions Copyright [yyyy] [name of copyright owner]
021 *
022 * CDDL HEADER END
023 *
024 *
025 * Copyright 2008 Sun Microsystems, Inc.
026 */
027 package org.opends.server.admin.std.server;
028
029
030
031 import java.util.SortedSet;
032 import org.opends.server.admin.Configuration;
033 import org.opends.server.admin.server.ConfigurationChangeListener;
034 import org.opends.server.admin.std.meta.PasswordPolicyCfgDefn.StateUpdateFailurePolicy;
035 import org.opends.server.types.AttributeType;
036 import org.opends.server.types.DN;
037
038
039
040 /**
041 * A server-side interface for querying Password Policy settings.
042 * <p>
043 * Password Policies define a number of password management rules, as
044 * well as requirements for authentication processing.
045 */
046 public interface PasswordPolicyCfg extends Configuration {
047
048 /**
049 * Gets the configuration class associated with this Password Policy.
050 *
051 * @return Returns the configuration class associated with this Password Policy.
052 */
053 Class<? extends PasswordPolicyCfg> configurationClass();
054
055
056
057 /**
058 * Register to be notified when this Password Policy is changed.
059 *
060 * @param listener
061 * The Password Policy configuration change listener.
062 */
063 void addChangeListener(ConfigurationChangeListener<PasswordPolicyCfg> listener);
064
065
066
067 /**
068 * Deregister an existing Password Policy configuration change listener.
069 *
070 * @param listener
071 * The Password Policy configuration change listener.
072 */
073 void removeChangeListener(ConfigurationChangeListener<PasswordPolicyCfg> listener);
074
075
076
077 /**
078 * Gets the "account-status-notification-handler" property.
079 * <p>
080 * Specifies the names of the account status notification handlers
081 * that are used with the associated password storage scheme.
082 *
083 * @return Returns an unmodifiable set containing the values of the "account-status-notification-handler" property.
084 */
085 SortedSet<String> getAccountStatusNotificationHandler();
086
087
088
089 /**
090 * Gets the "account-status-notification-handler" property as a set
091 * of DNs.
092 * <p>
093 * Specifies the names of the account status notification handlers
094 * that are used with the associated password storage scheme.
095 *
096 * @return Returns the DN values of the
097 * "account-status-notification-handler" property.
098 */
099 SortedSet<DN> getAccountStatusNotificationHandlerDNs();
100
101
102
103 /**
104 * Gets the "allow-expired-password-changes" property.
105 * <p>
106 * Indicates whether a user whose password is expired is still
107 * allowed to change that password using the password modify extended
108 * operation.
109 *
110 * @return Returns the value of the "allow-expired-password-changes" property.
111 */
112 boolean isAllowExpiredPasswordChanges();
113
114
115
116 /**
117 * Gets the "allow-multiple-password-values" property.
118 * <p>
119 * Indicates whether user entries can have multiple distinct values
120 * for the password attribute.
121 * <p>
122 * This is potentially dangerous because many mechanisms used to
123 * change the password do not work well with such a configuration. If
124 * multiple password values are allowed, then any of them can be used
125 * to authenticate, and they are all subject to the same policy
126 * constraints.
127 *
128 * @return Returns the value of the "allow-multiple-password-values" property.
129 */
130 boolean isAllowMultiplePasswordValues();
131
132
133
134 /**
135 * Gets the "allow-pre-encoded-passwords" property.
136 * <p>
137 * Indicates whether users can change their passwords by providing a
138 * pre-encoded value.
139 * <p>
140 * This can cause a security risk because the clear-text version of
141 * the password is not known and therefore validation checks cannot
142 * be applied to it.
143 *
144 * @return Returns the value of the "allow-pre-encoded-passwords" property.
145 */
146 boolean isAllowPreEncodedPasswords();
147
148
149
150 /**
151 * Gets the "allow-user-password-changes" property.
152 * <p>
153 * Indicates whether users can change their own passwords.
154 * <p>
155 * This check is made in addition to access control evaluation. Both
156 * must allow the password change for it to occur.
157 *
158 * @return Returns the value of the "allow-user-password-changes" property.
159 */
160 boolean isAllowUserPasswordChanges();
161
162
163
164 /**
165 * Gets the "default-password-storage-scheme" property.
166 * <p>
167 * Specifies the names of the password storage schemes that are used
168 * to encode clear-text passwords for this password policy.
169 *
170 * @return Returns an unmodifiable set containing the values of the "default-password-storage-scheme" property.
171 */
172 SortedSet<String> getDefaultPasswordStorageScheme();
173
174
175
176 /**
177 * Gets the "default-password-storage-scheme" property as a set of
178 * DNs.
179 * <p>
180 * Specifies the names of the password storage schemes that are used
181 * to encode clear-text passwords for this password policy.
182 *
183 * @return Returns the DN values of the
184 * "default-password-storage-scheme" property.
185 */
186 SortedSet<DN> getDefaultPasswordStorageSchemeDNs();
187
188
189
190 /**
191 * Gets the "deprecated-password-storage-scheme" property.
192 * <p>
193 * Specifies the names of the password storage schemes that are
194 * considered deprecated for this password policy.
195 * <p>
196 * If a user with this password policy authenticates to the server
197 * and his/her password is encoded with a deprecated scheme, those
198 * values are removed and replaced with values encoded using the
199 * default password storage scheme(s).
200 *
201 * @return Returns an unmodifiable set containing the values of the "deprecated-password-storage-scheme" property.
202 */
203 SortedSet<String> getDeprecatedPasswordStorageScheme();
204
205
206
207 /**
208 * Gets the "deprecated-password-storage-scheme" property as a set
209 * of DNs.
210 * <p>
211 * Specifies the names of the password storage schemes that are
212 * considered deprecated for this password policy.
213 * <p>
214 * If a user with this password policy authenticates to the server
215 * and his/her password is encoded with a deprecated scheme, those
216 * values are removed and replaced with values encoded using the
217 * default password storage scheme(s).
218 *
219 * @return Returns the DN values of the
220 * "deprecated-password-storage-scheme" property.
221 */
222 SortedSet<DN> getDeprecatedPasswordStorageSchemeDNs();
223
224
225
226 /**
227 * Gets the "expire-passwords-without-warning" property.
228 * <p>
229 * Indicates whether the Directory Server allows a user's password
230 * to expire even if that user has never seen an expiration warning
231 * notification.
232 * <p>
233 * If this property is true, accounts always expire when the
234 * expiration time arrives. If this property is false disabled, the
235 * user always receives at least one warning notification, and the
236 * password expiration is set to the warning time plus the warning
237 * interval.
238 *
239 * @return Returns the value of the "expire-passwords-without-warning" property.
240 */
241 boolean isExpirePasswordsWithoutWarning();
242
243
244
245 /**
246 * Gets the "force-change-on-add" property.
247 * <p>
248 * Indicates whether users are forced to change their passwords upon
249 * first authenticating to the Directory Server after their account
250 * has been created.
251 *
252 * @return Returns the value of the "force-change-on-add" property.
253 */
254 boolean isForceChangeOnAdd();
255
256
257
258 /**
259 * Gets the "force-change-on-reset" property.
260 * <p>
261 * Indicates whether users are forced to change their passwords if
262 * they are reset by an administrator.
263 * <p>
264 * For this purpose, anyone with permission to change a given user's
265 * password other than that user is considered an administrator.
266 *
267 * @return Returns the value of the "force-change-on-reset" property.
268 */
269 boolean isForceChangeOnReset();
270
271
272
273 /**
274 * Gets the "grace-login-count" property.
275 * <p>
276 * Specifies the number of grace logins that a user is allowed after
277 * the account has expired to allow that user to choose a new
278 * password.
279 * <p>
280 * A value of 0 indicates that no grace logins are allowed.
281 *
282 * @return Returns the value of the "grace-login-count" property.
283 */
284 int getGraceLoginCount();
285
286
287
288 /**
289 * Gets the "idle-lockout-interval" property.
290 * <p>
291 * Specifies the maximum length of time that an account may remain
292 * idle (that is, the associated user does not authenticate to the
293 * server) before that user is locked out.
294 * <p>
295 * The value of this attribute is an integer followed by a unit of
296 * seconds, minutes, hours, days, or weeks. A value of 0 seconds
297 * indicates that idle accounts are not automatically locked out.
298 * This feature is available only if the last login time is
299 * maintained.
300 *
301 * @return Returns the value of the "idle-lockout-interval" property.
302 */
303 long getIdleLockoutInterval();
304
305
306
307 /**
308 * Gets the "last-login-time-attribute" property.
309 * <p>
310 * Specifies the name or OID of the attribute type that is used to
311 * hold the last login time for users with the associated password
312 * policy.
313 * <p>
314 * This attribute type must be defined in the Directory Server
315 * schema and must either be defined as an operational attribute or
316 * must be allowed by the set of objectClasses for all users with the
317 * associated password policy.
318 *
319 * @return Returns the value of the "last-login-time-attribute" property.
320 */
321 AttributeType getLastLoginTimeAttribute();
322
323
324
325 /**
326 * Gets the "last-login-time-format" property.
327 * <p>
328 * Specifies the format string that is used to generate the last
329 * login time value for users with the associated password policy.
330 * <p>
331 * This format string conforms to the syntax described in the API
332 * documentation for the java.text.SimpleDateFormat class.
333 *
334 * @return Returns the value of the "last-login-time-format" property.
335 */
336 String getLastLoginTimeFormat();
337
338
339
340 /**
341 * Gets the "lockout-duration" property.
342 * <p>
343 * Specifies the length of time that an account is locked after too
344 * many authentication failures.
345 * <p>
346 * The value of this attribute is an integer followed by a unit of
347 * seconds, minutes, hours, days, or weeks. A value of 0 seconds
348 * indicates that the account must remain locked until an
349 * administrator resets the password.
350 *
351 * @return Returns the value of the "lockout-duration" property.
352 */
353 long getLockoutDuration();
354
355
356
357 /**
358 * Gets the "lockout-failure-count" property.
359 * <p>
360 * Specifies the maximum number of authentication failures that a
361 * user is allowed before the account is locked out.
362 * <p>
363 * A value of 0 indicates that accounts are never locked out due to
364 * failed attempts.
365 *
366 * @return Returns the value of the "lockout-failure-count" property.
367 */
368 int getLockoutFailureCount();
369
370
371
372 /**
373 * Gets the "lockout-failure-expiration-interval" property.
374 * <p>
375 * Specifies the length of time before an authentication failure is
376 * no longer counted against a user for the purposes of account
377 * lockout.
378 * <p>
379 * The value of this attribute is an integer followed by a unit of
380 * seconds, minutes, hours, days, or weeks. A value of 0 seconds
381 * indicates that the authentication failures must never expire. The
382 * failure count is always cleared upon a successful authentication.
383 *
384 * @return Returns the value of the "lockout-failure-expiration-interval" property.
385 */
386 long getLockoutFailureExpirationInterval();
387
388
389
390 /**
391 * Gets the "max-password-age" property.
392 * <p>
393 * Specifies the maximum length of time that a user can continue
394 * using the same password before it must be changed (that is, the
395 * password expiration interval).
396 * <p>
397 * The value of this attribute is an integer followed by a unit of
398 * seconds, minutes, hours, days, or weeks. A value of 0 seconds
399 * disables password expiration.
400 *
401 * @return Returns the value of the "max-password-age" property.
402 */
403 long getMaxPasswordAge();
404
405
406
407 /**
408 * Gets the "max-password-reset-age" property.
409 * <p>
410 * Specifies the maximum length of time that users have to change
411 * passwords after they have been reset by an administrator before
412 * they become locked.
413 * <p>
414 * The value of this attribute is an integer followed by a unit of
415 * seconds, minutes, hours, days, or weeks. A value of 0 seconds
416 * disables this feature.
417 *
418 * @return Returns the value of the "max-password-reset-age" property.
419 */
420 long getMaxPasswordResetAge();
421
422
423
424 /**
425 * Gets the "min-password-age" property.
426 * <p>
427 * Specifies the minimum length of time after a password change
428 * before the user is allowed to change the password again.
429 * <p>
430 * The value of this attribute is an integer followed by a unit of
431 * seconds, minutes, hours, days, or weeks. This setting can be used
432 * to prevent users from changing their passwords repeatedly over a
433 * short period of time to flush an old password from the history so
434 * that it can be re-used.
435 *
436 * @return Returns the value of the "min-password-age" property.
437 */
438 long getMinPasswordAge();
439
440
441
442 /**
443 * Gets the "password-attribute" property.
444 * <p>
445 * Specifies the attribute type used to hold user passwords.
446 * <p>
447 * This attribute type must be defined in the server schema, and it
448 * must have either the user password or auth password syntax.
449 *
450 * @return Returns the value of the "password-attribute" property.
451 */
452 AttributeType getPasswordAttribute();
453
454
455
456 /**
457 * Gets the "password-change-requires-current-password" property.
458 * <p>
459 * Indicates whether user password changes must use the password
460 * modify extended operation and must include the user's current
461 * password before the change is allowed.
462 *
463 * @return Returns the value of the "password-change-requires-current-password" property.
464 */
465 boolean isPasswordChangeRequiresCurrentPassword();
466
467
468
469 /**
470 * Gets the "password-expiration-warning-interval" property.
471 * <p>
472 * Specifies the maximum length of time before a user's password
473 * actually expires that the server begins to include warning
474 * notifications in bind responses for that user.
475 * <p>
476 * The value of this attribute is an integer followed by a unit of
477 * seconds, minutes, hours, days, or weeks. A value of 0 seconds
478 * disables the warning interval.
479 *
480 * @return Returns the value of the "password-expiration-warning-interval" property.
481 */
482 long getPasswordExpirationWarningInterval();
483
484
485
486 /**
487 * Gets the "password-generator" property.
488 * <p>
489 * Specifies the name of the password generator that is used with
490 * the associated password policy.
491 * <p>
492 * This is used in conjunction with the password modify extended
493 * operation to generate a new password for a user when none was
494 * provided in the request.
495 *
496 * @return Returns the value of the "password-generator" property.
497 */
498 String getPasswordGenerator();
499
500
501
502 /**
503 * Gets the "password-generator" property as a DN.
504 * <p>
505 * Specifies the name of the password generator that is used with
506 * the associated password policy.
507 * <p>
508 * This is used in conjunction with the password modify extended
509 * operation to generate a new password for a user when none was
510 * provided in the request.
511 *
512 * @return Returns the DN value of the "password-generator"
513 * property.
514 */
515 DN getPasswordGeneratorDN();
516
517
518
519 /**
520 * Gets the "password-history-count" property.
521 * <p>
522 * Specifies the maximum number of former passwords to maintain in
523 * the password history.
524 * <p>
525 * When choosing a new password, the proposed password is checked to
526 * ensure that it does not match the current password, nor any other
527 * password in the history list. A value of zero indicates that
528 * either no password history is to be maintained (if the password
529 * history duration has a value of zero seconds), or that there is no
530 * maximum number of passwords to maintain in the history (if the
531 * password history duration has a value greater than zero seconds).
532 *
533 * @return Returns the value of the "password-history-count" property.
534 */
535 int getPasswordHistoryCount();
536
537
538
539 /**
540 * Gets the "password-history-duration" property.
541 * <p>
542 * Specifies the maximum length of time that passwords remain in the
543 * password history.
544 * <p>
545 * When choosing a new password, the proposed password is checked to
546 * ensure that it does not match the current password, nor any other
547 * password in the history list. A value of zero seconds indicates
548 * that either no password history is to be maintained (if the
549 * password history count has a value of zero), or that there is no
550 * maximum duration for passwords in the history (if the password
551 * history count has a value greater than zero).
552 *
553 * @return Returns the value of the "password-history-duration" property.
554 */
555 long getPasswordHistoryDuration();
556
557
558
559 /**
560 * Gets the "password-validator" property.
561 * <p>
562 * Specifies the names of the password validators that are used with
563 * the associated password storage scheme.
564 * <p>
565 * The password validators are invoked when a user attempts to
566 * provide a new password, to determine whether the new password is
567 * acceptable.
568 *
569 * @return Returns an unmodifiable set containing the values of the "password-validator" property.
570 */
571 SortedSet<String> getPasswordValidator();
572
573
574
575 /**
576 * Gets the "password-validator" property as a set of DNs.
577 * <p>
578 * Specifies the names of the password validators that are used with
579 * the associated password storage scheme.
580 * <p>
581 * The password validators are invoked when a user attempts to
582 * provide a new password, to determine whether the new password is
583 * acceptable.
584 *
585 * @return Returns the DN values of the "password-validator"
586 * property.
587 */
588 SortedSet<DN> getPasswordValidatorDNs();
589
590
591
592 /**
593 * Gets the "previous-last-login-time-format" property.
594 * <p>
595 * Specifies the format string(s) that might have been used with the
596 * last login time at any point in the past for users associated with
597 * the password policy.
598 * <p>
599 * These values are used to make it possible to parse previous
600 * values, but are not used to set new values. The format strings
601 * conform to the syntax described in the API documentation for the
602 * java.text.SimpleDateFormat class.
603 *
604 * @return Returns an unmodifiable set containing the values of the "previous-last-login-time-format" property.
605 */
606 SortedSet<String> getPreviousLastLoginTimeFormat();
607
608
609
610 /**
611 * Gets the "require-change-by-time" property.
612 * <p>
613 * Specifies the time by which all users with the associated
614 * password policy must change their passwords.
615 * <p>
616 * The value is expressed in a generalized time format. If this time
617 * is equal to the current time or is in the past, then all users are
618 * required to change their passwords immediately. The behavior of
619 * the server in this mode is identical to the behavior observed when
620 * users are forced to change their passwords after an administrative
621 * reset.
622 *
623 * @return Returns the value of the "require-change-by-time" property.
624 */
625 String getRequireChangeByTime();
626
627
628
629 /**
630 * Gets the "require-secure-authentication" property.
631 * <p>
632 * Indicates whether users with the associated password policy are
633 * required to authenticate in a secure manner.
634 * <p>
635 * This might mean either using a secure communication channel
636 * between the client and the server, or using a SASL mechanism that
637 * does not expose the credentials.
638 *
639 * @return Returns the value of the "require-secure-authentication" property.
640 */
641 boolean isRequireSecureAuthentication();
642
643
644
645 /**
646 * Gets the "require-secure-password-changes" property.
647 * <p>
648 * Indicates whether users with the associated password policy are
649 * required to change their password in a secure manner that does not
650 * expose the credentials.
651 *
652 * @return Returns the value of the "require-secure-password-changes" property.
653 */
654 boolean isRequireSecurePasswordChanges();
655
656
657
658 /**
659 * Gets the "skip-validation-for-administrators" property.
660 * <p>
661 * Indicates whether passwords set by administrators are allowed to
662 * bypass the password validation process that is required for user
663 * password changes.
664 *
665 * @return Returns the value of the "skip-validation-for-administrators" property.
666 */
667 boolean isSkipValidationForAdministrators();
668
669
670
671 /**
672 * Gets the "state-update-failure-policy" property.
673 * <p>
674 * Specifies how the server deals with the inability to update
675 * password policy state information during an authentication
676 * attempt.
677 * <p>
678 * In particular, this property can be used to control whether an
679 * otherwise successful bind operation fails if a failure occurs
680 * while attempting to update password policy state information (for
681 * example, to clear a record of previous authentication failures or
682 * to update the last login time). It can also be used to control
683 * whether to reject a bind request if it is known ahead of time that
684 * it will not be possible to update the authentication failure times
685 * in the event of an unsuccessful bind attempt (for example, if the
686 * backend writability mode is disabled).
687 *
688 * @return Returns the value of the "state-update-failure-policy" property.
689 */
690 StateUpdateFailurePolicy getStateUpdateFailurePolicy();
691
692 }