org.opends.server.core

Class PasswordPolicyState

java.lang.Object

org.opends.server.api.AuthenticationPolicyState

org.opends.server.core.PasswordPolicyState

public final class PasswordPolicyState
extends AuthenticationPolicyState

This class provides a data structure for holding password policy state information for a user account.

Field Summary

Fields inherited from class org.opends.server.api.AuthenticationPolicyState

isDisabled, userEntry

Method Summary

Modifier and Type	Method and Description
void	clearAccountExpirationTime() Clears the user's account expiration time.
void	clearFailureLockout() Updates the user account to remove any record of a previous lockout due to failed authentications.
void	clearGraceLoginTimes() Updates the user entry to remove any record of previous grace logins.
void	clearLastLoginTime() Clears the last login time from the user's entry.
void	clearPasswordChangedTime() Removes the password changed time value from the user's entry.
void	clearPasswordHistory() Clears the password history state information for the user.
void	clearRequiredChangeTime() Updates the user entry to remove any timestamp indicating that the password has been changed in accordance with the required change time.
void	clearWarnedTime() Updates the user entry to clear the warned time.
List<ByteString>	encodePassword(ByteString password) Encodes the provided password using the default storage schemes (using the appropriate syntax for the password attribute).
void	finalizeStateAfterBind() Performs any finalization required after a bind operation has completed.
void	generateAccountStatusNotification(AccountStatusNotificationType notificationType, Entry userEntry, LocalizableMessage message, Map<AccountStatusNotificationProperty,List<String>> notificationProperties) Generates an account status notification for this user.
ByteString	generatePassword() Generates a new password for the user.
long	getAccountExpirationTime() Retrieves the time at which the user's account will expire.
PasswordPolicy	getAuthenticationPolicy() Returns the authentication policy associated with this state.
List<Long>	getAuthFailureTimes() Retrieves the set of times of failed authentication attempts for the user.
List<ByteString>	getClearPasswords() Retrieves a list of the clear-text passwords for the user.
long	getCurrentTime() Retrieves the time that this password policy state object was created.
int	getGraceLoginsRemaining() Retrieves the number of grace logins that the user has left.
List<Long>	getGraceLoginTimes() Retrieves the times that the user has authenticated to the server using a grace login.
long	getLastLoginTime() Retrieves the time that the user last authenticated to the Directory Server.
List<Modification>	getModifications() Retrieves the set of modifications that correspond to changes made in password policy processing that may need to be applied to the user entry.
long	getPasswordChangedTime() Retrieves the time that the password was last changed.
long	getPasswordExpirationTime() Retrieves the time that the user's password should expire (if the expiration is in the future) or did expire (if the expiration was in the past).
List<String>	getPasswordHistoryValues() Retrieves the password history state values for the user.
Collection<ByteString>	getPasswordValues() Retrieves the unmodifiable set of values for the password attribute from the user entry.
long	getRequiredChangeTime() Retrieves the timestamp for the last required change time that the user complied with.
int	getSecondsUntilExpiration() Retrieves the length of time in seconds until the user's password expires.
int	getSecondsUntilUnlock() Retrieves the length of time in seconds until the user's account is automatically unlocked.
long	getWarnedTime() Retrieves the time that the user was first warned about an upcoming expiration.
void	handleDeprecatedStorageSchemes(ByteString password) Performs any processing that may be necessary to remove deprecated storage schemes from the user's entry that match the provided password and re-encodes them using the default schemes.
boolean	isAccountExpired() Indicates whether the user's account is currently expired.
boolean	isFirstWarning() Indicates whether the warning that the user should receive would be the first warning for the user.
boolean	isLocked() Returns whether the account was locked for any reason.
boolean	isPasswordExpired() Indicates whether the user's password is currently expired.
boolean	isPasswordInHistory(ByteString password) Indicates whether the provided password is equal to any of the current passwords, or any of the passwords in the history.
boolean	isWithinMinimumAge() Indicates whether the user's last password change was within the minimum password age.
boolean	lockedDueToFailures() Indicates whether the associated user should be considered locked out as a result of too many authentication failures.
boolean	lockedDueToIdleInterval() Indicates whether the user's account is currently locked because it has been idle for too long.
boolean	lockedDueToMaximumResetAge() Indicates whether the user's account is locked because the password has been reset by an administrator but the user did not change the password in a timely manner.
boolean	maintainHistory() Indicates whether password history information should be maintained for this user.
boolean	mayUseGraceLogin() Indicates whether the user may use a grace login if the password is expired and there is at least one grace login remaining.
boolean	mustChangePassword() Indicates whether the user's password must be changed before any other operation can be performed.
boolean	passwordIsAcceptable(Operation operation, Entry userEntry, ByteString newPassword, Set<ByteString> currentPasswords, LocalizableMessageBuilder invalidReason) Indicates whether the provided password appears to be acceptable according to the password validators.
boolean	passwordIsPreEncoded(ByteString passwordValue) Indicates whether the provided password value is pre-encoded.
boolean	passwordMatches(ByteString password) Returns true if the provided password value matches any of the user's passwords.
boolean	passwordMatches(ByteString password, Entry entry) Returns true if the provided password value matches any of the user's passwords in the given entry.
void	setAccountExpirationTime(long accountExpirationTime) Sets the user's account expiration time to the specified value.
void	setAuthFailureTimes(List<Long> authFailureTimes) Explicitly specifies the auth failure times for the associated user.
void	setDisabled(boolean isDisabled) Updates the user entry to indicate whether user account has been administratively disabled.
void	setGraceLoginTimes(List<Long> graceLoginTimes) Specifies the set of grace login use times for the associated user.
void	setLastLoginTime() Updates the user entry to set the current time as the last login time.
void	setLastLoginTime(long lastLoginTime) Updates the user entry to use the specified last login time.
void	setMustChangePassword(boolean mustChangePassword) Updates the user entry to indicate whether the user's password must be changed.
void	setPasswordChangedTime() Sets a new value for the password changed time equal to the current time.
void	setPasswordChangedTime(long passwordChangedTime) Sets a new value for the password changed time equal to the specified time.
void	setRequiredChangeTime() Updates the user entry with a timestamp indicating that the password has been changed in accordance with the require change time.
void	setRequiredChangeTime(long requiredChangeTime) Updates the user entry with a timestamp indicating that the password has been changed in accordance with the require change time.
void	setWarnedTime() Updates the user entry to set the warned time to the current time.
void	setWarnedTime(long warnedTime) Updates the user entry to set the warned time to the specified time.
boolean	shouldWarn() Indicates whether the user should receive a warning notification that the password is about to expire.
void	updateAuthFailureTimes() Updates the set of authentication failure times to include the current time.
void	updateGraceLoginTimes() Updates the set of grace login times for the user to include the current time.
void	updatePasswordHistory() Updates the password history information for this user by adding one of the passwords to it.

Methods inherited from class org.opends.server.api.AuthenticationPolicyState

forUser, getBoolean, getGeneralizedTime, isDisabled, isPasswordPolicy

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

getAuthenticationPolicy

public PasswordPolicy getAuthenticationPolicy()

Description copied from class: AuthenticationPolicyState

Returns the authentication policy associated with this state.

Specified by:

getAuthenticationPolicy in class AuthenticationPolicyState

Returns:

The authentication policy associated with this state.

getPasswordChangedTime

public long getPasswordChangedTime()

Retrieves the time that the password was last changed.

Returns:

The time that the password was last changed.

getCurrentTime

public long getCurrentTime()

Retrieves the time that this password policy state object was created.

Returns:

The time that this password policy state object was created.

getPasswordValues

public Collection<ByteString> getPasswordValues()

Retrieves the unmodifiable set of values for the password attribute from the user entry.

Returns:

The unmodifiable set of values for the password attribute from the user entry.

setPasswordChangedTime

public void setPasswordChangedTime()

Sets a new value for the password changed time equal to the current time.

setPasswordChangedTime

public void setPasswordChangedTime(long passwordChangedTime)

Sets a new value for the password changed time equal to the specified time. This method should generally only be used for testing purposes, since the variant that uses the current time is preferred almost everywhere else.

Parameters:

passwordChangedTime - The time to use

clearPasswordChangedTime

public void clearPasswordChangedTime()

Removes the password changed time value from the user's entry. This should only be used for testing purposes, as it can really mess things up if you don't know what you're doing.

setDisabled

public void setDisabled(boolean isDisabled)

Updates the user entry to indicate whether user account has been administratively disabled.

Parameters:

isDisabled - Indicates whether the user account has been administratively disabled.

isAccountExpired

public boolean isAccountExpired()

Indicates whether the user's account is currently expired.

Returns:

true if the user's account is expired, or false if not.

getAccountExpirationTime

public long getAccountExpirationTime()

Retrieves the time at which the user's account will expire.

Returns:

The time at which the user's account will expire, or -1 if it is not configured with an expiration time.

setAccountExpirationTime

public void setAccountExpirationTime(long accountExpirationTime)

Sets the user's account expiration time to the specified value.

Parameters:

accountExpirationTime - The time that the user's account should expire.

clearAccountExpirationTime

public void clearAccountExpirationTime()

Clears the user's account expiration time.

getAuthFailureTimes

public List<Long> getAuthFailureTimes()

Retrieves the set of times of failed authentication attempts for the user. If authentication failure time expiration is enabled, and there are expired times in the entry, these times are removed from the instance field and an update is provided to delete those values from the entry.

Returns:

The set of times of failed authentication attempts for the user, which will be an empty list in the case of no valid (unexpired) times in the entry.

updateAuthFailureTimes

public void updateAuthFailureTimes()

Updates the set of authentication failure times to include the current time. If the number of failures reaches the policy configuration limit, lock the account.

setAuthFailureTimes

public void setAuthFailureTimes(List<Long> authFailureTimes)

Explicitly specifies the auth failure times for the associated user. This should generally only be used for testing purposes. Note that it will also set or clear the locked time as appropriate.

Parameters:

authFailureTimes - The set of auth failure times to use for the account. An empty list or null will clear the account of any existing failures.

lockedDueToFailures

public boolean lockedDueToFailures()

Indicates whether the associated user should be considered locked out as a result of too many authentication failures. In the case of an expired lock-out, this routine produces the update to clear the lock-out attribute and the authentication failure timestamps. In case the failure lockout time is absent from the entry, but sufficient authentication failure timestamps are present in the entry, this routine produces the update to set the lock-out attribute.

Returns:

true if the user is currently locked out due to too many authentication failures, or false if not.

getSecondsUntilUnlock

public int getSecondsUntilUnlock()

Retrieves the length of time in seconds until the user's account is automatically unlocked. This should only be called after calling lockedDueToFailures.

Returns:

The length of time in seconds until the user's account is automatically unlocked, or -1 if the account is not locked or the lockout requires administrative action to clear.

clearFailureLockout

public void clearFailureLockout()

Updates the user account to remove any record of a previous lockout due to failed authentications.

getLastLoginTime

public long getLastLoginTime()

Retrieves the time that the user last authenticated to the Directory Server.

Returns:

The time that the user last authenticated to the Directory Server, or -1 if it cannot be determined.

setLastLoginTime

public void setLastLoginTime()

Updates the user entry to set the current time as the last login time.

setLastLoginTime

public void setLastLoginTime(long lastLoginTime)

Updates the user entry to use the specified last login time. This should be used primarily for testing purposes, as the variant that uses the current time should be used most of the time.

Parameters:

lastLoginTime - The last login time to set in the user entry.

clearLastLoginTime

public void clearLastLoginTime()

Clears the last login time from the user's entry. This should generally be used only for testing purposes.

lockedDueToIdleInterval

public boolean lockedDueToIdleInterval()

Indicates whether the user's account is currently locked because it has been idle for too long.

Returns:

true if the user's account is locked because it has been idle for too long, or false if not.

mustChangePassword

public boolean mustChangePassword()

Indicates whether the user's password must be changed before any other operation can be performed.

Returns:

true if the user's password must be changed before any other operation can be performed.

setMustChangePassword

public void setMustChangePassword(boolean mustChangePassword)

Updates the user entry to indicate whether the user's password must be changed.

Parameters:

mustChangePassword - Indicates whether the user's password must be changed.

lockedDueToMaximumResetAge

public boolean lockedDueToMaximumResetAge()

Indicates whether the user's account is locked because the password has been reset by an administrator but the user did not change the password in a timely manner.

Returns:

true if the user's account is locked because of the maximum reset age, or >false if not.

isLocked

public boolean isLocked()

Returns whether the account was locked for any reason.

Returns:

true if the account is locked, false otherwise

getPasswordExpirationTime

public long getPasswordExpirationTime()

Retrieves the time that the user's password should expire (if the expiration is in the future) or did expire (if the expiration was in the past). Note that this method should be called after the lockedDueToMaximumResetAge method because grace logins will not be allowed in the case that the maximum reset age has passed whereas they may be used for expiration due to maximum password age or forced change time.

Returns:

The time that the user's password should/did expire, or -1 if it should not expire.

isPasswordExpired

public boolean isPasswordExpired()

Indicates whether the user's password is currently expired.

Returns:

true if the user's password is currently expired, or false if not.

isWithinMinimumAge

public boolean isWithinMinimumAge()

Indicates whether the user's last password change was within the minimum password age.

Returns:

true if the password minimum age is nonzero, the account is not in force-change mode, and the last password change was within the minimum age, or false otherwise.

mayUseGraceLogin

public boolean mayUseGraceLogin()

Indicates whether the user may use a grace login if the password is expired and there is at least one grace login remaining. Note that this does not check to see if the user's password is expired, does not verify that there are any remaining grace logins, and does not update the set of grace login times.

Returns:

true if the user may use a grace login if the password is expired and there is at least one grace login remaining, or false if the user may not use a grace login for some reason.

shouldWarn

public boolean shouldWarn()

Indicates whether the user should receive a warning notification that the password is about to expire.

Returns:

true if the user should receive a warning notification that the password is about to expire, or false if not.

isFirstWarning

public boolean isFirstWarning()

Indicates whether the warning that the user should receive would be the first warning for the user.

Returns:

true if the warning that should be sent to the user would be the first warning, or false if not.

getSecondsUntilExpiration

public int getSecondsUntilExpiration()

Retrieves the length of time in seconds until the user's password expires.

Returns:

The length of time in seconds until the user's password expires, 0 if the password is currently expired, or -1 if the password should not expire.

getRequiredChangeTime

public long getRequiredChangeTime()

Retrieves the timestamp for the last required change time that the user complied with.

Returns:

The timestamp for the last required change time that the user complied with, or -1 if the user's password has not been changed in compliance with this configuration.

setRequiredChangeTime

public void setRequiredChangeTime()

Updates the user entry with a timestamp indicating that the password has been changed in accordance with the require change time.

setRequiredChangeTime

public void setRequiredChangeTime(long requiredChangeTime)

Updates the user entry with a timestamp indicating that the password has been changed in accordance with the require change time.

Parameters:

requiredChangeTime - The timestamp to use for the required change time value.

clearRequiredChangeTime

public void clearRequiredChangeTime()

Updates the user entry to remove any timestamp indicating that the password has been changed in accordance with the required change time.

getWarnedTime

public long getWarnedTime()

Retrieves the time that the user was first warned about an upcoming expiration.

Returns:

The time that the user was first warned about an upcoming expiration, or -1 if the user has not been warned.

setWarnedTime

public void setWarnedTime()

Updates the user entry to set the warned time to the current time.

setWarnedTime

public void setWarnedTime(long warnedTime)

Updates the user entry to set the warned time to the specified time. This method should generally only be used for testing purposes, since the variant that uses the current time is preferred almost everywhere else.

Parameters:

warnedTime - The value to use for the warned time.

clearWarnedTime

public void clearWarnedTime()

Updates the user entry to clear the warned time.

getGraceLoginTimes

public List<Long> getGraceLoginTimes()

Retrieves the times that the user has authenticated to the server using a grace login.

Returns:

The times that the user has authenticated to the server using a grace login.

getGraceLoginsRemaining

public int getGraceLoginsRemaining()

Retrieves the number of grace logins that the user has left.

Returns:

The number of grace logins that the user has left, or -1 if grace logins are not allowed.

updateGraceLoginTimes

public void updateGraceLoginTimes()

Updates the set of grace login times for the user to include the current time.

setGraceLoginTimes

public void setGraceLoginTimes(List<Long> graceLoginTimes)

Specifies the set of grace login use times for the associated user. If the provided list is empty or null, then the set will be cleared.

Parameters:

graceLoginTimes - The grace login use times for the associated user.

clearGraceLoginTimes

public void clearGraceLoginTimes()

Updates the user entry to remove any record of previous grace logins.

getClearPasswords

public List<ByteString> getClearPasswords()

Retrieves a list of the clear-text passwords for the user. If the user does not have any passwords in the clear, then the list will be empty.

Returns:

A list of the clear-text passwords for the user.

passwordMatches

public boolean passwordMatches(ByteString password)

Description copied from class: AuthenticationPolicyState

Returns true if the provided password value matches any of the user's passwords.

Specified by:

passwordMatches in class AuthenticationPolicyState

Parameters:

password - The user-provided password to verify.

Returns:

true if the provided password value matches any of the user's passwords.

passwordMatches

public boolean passwordMatches(ByteString password,
                               Entry entry)

Returns true if the provided password value matches any of the user's passwords in the given entry.

Parameters:

password - The user-provided password to verify.

entry - The user's entry.

Returns:

true if the provided password value matches any of the user's passwords.

passwordIsPreEncoded

public boolean passwordIsPreEncoded(ByteString passwordValue)

Indicates whether the provided password value is pre-encoded.

Parameters:

passwordValue - The value for which to make the determination.

Returns:

true if the provided password value is pre-encoded, or false if it is not.

encodePassword

public List<ByteString> encodePassword(ByteString password)
                                throws LdapException

Encodes the provided password using the default storage schemes (using the appropriate syntax for the password attribute).

Parameters:

password - The password to be encoded.

Returns:

The password encoded using the default schemes.

Throws:

LdapException - If a problem occurs while attempting to encode the password.

passwordIsAcceptable

public boolean passwordIsAcceptable(Operation operation,
                                    Entry userEntry,
                                    ByteString newPassword,
                                    Set<ByteString> currentPasswords,
                                    LocalizableMessageBuilder invalidReason)

Indicates whether the provided password appears to be acceptable according to the password validators.

Parameters:

operation - The operation that provided the password.

userEntry - The user entry in which the password is used.

newPassword - The password to be validated.

currentPasswords - The set of clear-text current passwords for the user (this may be a subset if not all of them are available in the clear, or empty if none of them are available in the clear).

invalidReason - A buffer that may be used to hold the invalid reason if the password is rejected.

Returns:

true if the password is acceptable for use, or false if it is not.

handleDeprecatedStorageSchemes

public void handleDeprecatedStorageSchemes(ByteString password)

Performs any processing that may be necessary to remove deprecated storage schemes from the user's entry that match the provided password and re-encodes them using the default schemes.

Parameters:

password - The clear-text password provided by the user.

maintainHistory

public boolean maintainHistory()

Indicates whether password history information should be maintained for this user.

Returns:

true if password history information should be maintained for this user, or false if not.

isPasswordInHistory

public boolean isPasswordInHistory(ByteString password)

Indicates whether the provided password is equal to any of the current passwords, or any of the passwords in the history.

Parameters:

password - The password for which to make the determination.

Returns:

true if the provided password is equal to any of the current passwords or any of the passwords in the history, or false if not.

updatePasswordHistory

public void updatePasswordHistory()

Updates the password history information for this user by adding one of the passwords to it. It will choose the first password encoded using a secure storage scheme, and will fall back to a password encoded using an insecure storage scheme if necessary.

getPasswordHistoryValues

public List<String> getPasswordHistoryValues()

Retrieves the password history state values for the user. This is only intended for testing purposes.

Returns:

The password history state values for the user.

clearPasswordHistory

public void clearPasswordHistory()

Clears the password history state information for the user. This is only intended for testing purposes.

generatePassword

public ByteString generatePassword()
                            throws LdapException

Generates a new password for the user.

Returns:

The new password that has been generated, or null if no password generator has been defined.

Throws:

LdapException - If an error occurs while attempting to generate the new password.

generateAccountStatusNotification

public void generateAccountStatusNotification(AccountStatusNotificationType notificationType,
                                              Entry userEntry,
                                              LocalizableMessage message,
                                              Map<AccountStatusNotificationProperty,List<String>> notificationProperties)

Generates an account status notification for this user.

Parameters:

notificationType - The type for the account status notification.

userEntry - The entry for the user to which this notification applies.

message - The human-readable message for the notification.

notificationProperties - The set of properties for the notification.

getModifications

public List<Modification> getModifications()

Retrieves the set of modifications that correspond to changes made in password policy processing that may need to be applied to the user entry.

Returns:

The set of modifications that correspond to changes made in password policy processing that may need to be applied to the user entry.

finalizeStateAfterBind

public void finalizeStateAfterBind()
                            throws LdapException

Description copied from class: AuthenticationPolicyState

Performs any finalization required after a bind operation has completed. Implementations may perform internal operations in order to persist internal state to the user's entry if needed.

Overrides:

finalizeStateAfterBind in class AuthenticationPolicyState

Throws:

LdapException - If a problem occurs during finalization.