Package org.opends.server.core

Class SubentryPasswordPolicy

  • public final class SubentryPasswordPolicy
extends PasswordPolicy
    This class represents subentry password policies either based on the Password Policy for LDAP Directories Internet-Draft, or OpenDJ extended password policies.

    • Constructor Detail

      • SubentryPasswordPolicy

        public SubentryPasswordPolicy​(SubEntry subentry)
                       throws LdapException
        Creates subentry password policy object from the subentry, parsing and evaluating subentry password policy attributes.
        Parameters:
        subentry - password policy subentry.
        Throws:
        LdapException - If a problem occurs while creating subentry password policy instance from given subentry.

    • Method Detail

      • isAllowExpiredPasswordChanges

        public boolean isAllowExpiredPasswordChanges()
        Description copied from class: PasswordPolicy
        Gets the "allow-expired-password-changes" property.

        Indicates whether a user whose password is expired is still allowed to change that password using the password modify extended operation.

        Specified by:
        isAllowExpiredPasswordChanges in class PasswordPolicy
        Returns:
        Returns the value of the "allow-expired-password-changes" property.

      • isAllowMultiplePasswordValues

        public boolean isAllowMultiplePasswordValues()
        Description copied from class: PasswordPolicy
        Gets the "allow-multiple-password-values" property.

        Indicates whether user entries can have multiple distinct values for the password attribute.

        This is potentially dangerous because many mechanisms used to change the password do not work well with such a configuration. If multiple password values are allowed, then any of them can be used to authenticate, and they are all subject to the same policy constraints.

        Specified by:
        isAllowMultiplePasswordValues in class PasswordPolicy
        Returns:
        Returns the value of the "allow-multiple-password-values" property.

      • isAllowPreEncodedPasswords

        public boolean isAllowPreEncodedPasswords()
        Description copied from class: PasswordPolicy
        Gets the "allow-pre-encoded-passwords" property.

        Indicates whether users can change their passwords by providing a pre-encoded value.

        This can cause a security risk because the clear-text version of the password is not known and therefore validation checks cannot be applied to it.

        Specified by:
        isAllowPreEncodedPasswords in class PasswordPolicy
        Returns:
        Returns the value of the "allow-pre-encoded-passwords" property.

      • isAllowUserPasswordChanges

        public boolean isAllowUserPasswordChanges()
        Description copied from class: PasswordPolicy
        Gets the "allow-user-password-changes" property.

        Indicates whether users can change their own passwords.

        This check is made in addition to access control evaluation. Both must allow the password change for it to occur.

        Specified by:
        isAllowUserPasswordChanges in class PasswordPolicy
        Returns:
        Returns the value of the "allow-user-password-changes" property.

      • isExpirePasswordsWithoutWarning

        public boolean isExpirePasswordsWithoutWarning()
        Description copied from class: PasswordPolicy
        Gets the "expire-passwords-without-warning" property.

        Indicates whether the directory server allows a user's password to expire even if that user has never seen an expiration warning notification.

        If this property is true, accounts always expire when the expiration time arrives. If this property is false or disabled, the user always receives at least one warning notification, and the password expiration is set to the warning time plus the warning interval.

        Specified by:
        isExpirePasswordsWithoutWarning in class PasswordPolicy
        Returns:
        Returns the value of the "expire-passwords-without-warning" property.

      • isForceChangeOnAdd

        public boolean isForceChangeOnAdd()
        Description copied from class: PasswordPolicy
        Gets the "force-change-on-add" property.

        Indicates whether users are forced to change their passwords upon first authenticating to the directory server after their account has been created.

        Specified by:
        isForceChangeOnAdd in class PasswordPolicy
        Returns:
        Returns the value of the "force-change-on-add" property.

      • isForceChangeOnReset

        public boolean isForceChangeOnReset()
        Description copied from class: PasswordPolicy
        Gets the "force-change-on-reset" property.

        Indicates whether users are forced to change their passwords if they are reset by an administrator.

        For this purpose, anyone with permission to change a given user's password other than that user is considered an administrator.

        Specified by:
        isForceChangeOnReset in class PasswordPolicy
        Returns:
        Returns the value of the "force-change-on-reset" property.

      • getGraceLoginCount

        public int getGraceLoginCount()
        Description copied from class: PasswordPolicy
        Gets the "grace-login-count" property.

        Specifies the number of grace logins that a user is allowed after the account has expired to allow that user to choose a new password.

        A value of 0 indicates that no grace logins are allowed.

        Specified by:
        getGraceLoginCount in class PasswordPolicy
        Returns:
        Returns the value of the "grace-login-count" property.

      • getIdleLockoutInterval

        public long getIdleLockoutInterval()
        Description copied from class: PasswordPolicy
        Gets the "idle-lockout-interval" property in seconds.

        Specifies the maximum length of time that an account may remain idle (that is, the associated user does not authenticate to the server) before that user is locked out.

        0 indicates that idle accounts should not be automatically locked out. This feature is available only if the last login time is maintained.

        Specified by:
        getIdleLockoutInterval in class PasswordPolicy
        Returns:
        Returns the value of the "idle-lockout-interval" property in seconds.

      • getLastLoginTimeAttribute

        public AttributeType getLastLoginTimeAttribute()
        Description copied from class: PasswordPolicy
        Gets the "last-login-time-attribute" property.

        Specifies the name or OID of the attribute type that is used to hold the last login time for users with the associated password policy.

        This attribute type must be defined in the directory server schema and must either be defined as an operational attribute or must be allowed by the set of objectClasses for all users with the associated password policy.

        Specified by:
        getLastLoginTimeAttribute in class PasswordPolicy
        Returns:
        Returns the value of the "last-login-time-attribute" property.

      • getLastLoginTimeFormat

        public String getLastLoginTimeFormat()
        Description copied from class: PasswordPolicy
        Gets the "last-login-time-format" property.

        Specifies the format string that is used to generate the last login time value for users with the associated password policy.

        This format string conforms to the syntax described in the API documentation for the java.text.SimpleDateFormat class.

        Specified by:
        getLastLoginTimeFormat in class PasswordPolicy
        Returns:
        Returns the value of the "last-login-time-format" property.

      • getLockoutDuration

        public long getLockoutDuration()
        Description copied from class: PasswordPolicy
        Gets the "lockout-duration" property in seconds.

        Specifies the length of time that an account is locked after too many authentication failures.

        0 indicates that the account must remain locked until an administrator resets the password.

        Specified by:
        getLockoutDuration in class PasswordPolicy
        Returns:
        Returns the value of the "lockout-duration" property in seconds.

      • getLockoutFailureCount

        public int getLockoutFailureCount()
        Description copied from class: PasswordPolicy
        Gets the "lockout-failure-count" property.

        Specifies the maximum number of authentication failures that a user is allowed before the account is locked out.

        A value of 0 indicates that accounts are never locked out due to failed attempts.

        Specified by:
        getLockoutFailureCount in class PasswordPolicy
        Returns:
        Returns the value of the "lockout-failure-count" property.

      • getLockoutFailureExpirationInterval

        public long getLockoutFailureExpirationInterval()
        Description copied from class: PasswordPolicy
        Gets the "lockout-failure-expiration-interval" property in seconds.

        Specifies the length of time before an authentication failure is no longer counted against a user for the purposes of account lockout.

        0 indicates that the authentication failures must never expire. The failure count is always cleared upon a successful authentication.

        Specified by:
        getLockoutFailureExpirationInterval in class PasswordPolicy
        Returns:
        Returns the value of the "lockout-failure-expiration-interval" property in seconds.

      • getMaxPasswordAge

        public long getMaxPasswordAge()
        Description copied from class: PasswordPolicy
        Gets the "max-password-age" property in seconds.

        Specifies the maximum length of time that a user can continue using the same password before it must be changed (that is, the password expiration interval).

        0 indicates that passwords should never expire.

        Specified by:
        getMaxPasswordAge in class PasswordPolicy
        Returns:
        Returns the value of the "max-password-age" property in seconds.

      • getMaxPasswordResetAge

        public long getMaxPasswordResetAge()
        Description copied from class: PasswordPolicy
        Gets the "max-password-reset-age" property in seconds.

        Specifies the maximum length of time that users have to change passwords after they have been reset by an administrator before they become locked.

        0 indicates that this feature must be disabled.

        Specified by:
        getMaxPasswordResetAge in class PasswordPolicy
        Returns:
        Returns the value of the "max-password-reset-age" property in seconds.

      • getMinPasswordAge

        public long getMinPasswordAge()
        Description copied from class: PasswordPolicy
        Gets the "min-password-age" property in seconds.

        Specifies the minimum length of time after a password change before the user is allowed to change the password again.

        This setting can be used to prevent users from changing their passwords repeatedly over a short period of time to flush an old password from the history so that it can be re-used.

        Specified by:
        getMinPasswordAge in class PasswordPolicy
        Returns:
        Returns the value of the "min-password-age" property in seconds.

      • getPasswordAttribute

        public AttributeType getPasswordAttribute()
        Description copied from class: PasswordPolicy
        Gets the "password-attribute" property.

        Specifies the attribute type used to hold user passwords.

        This attribute type must be defined in the server schema, and it must have either the user password or auth password syntax.

        Specified by:
        getPasswordAttribute in class PasswordPolicy
        Returns:
        Returns the value of the "password-attribute" property.

      • isPasswordChangeRequiresCurrentPassword

        public boolean isPasswordChangeRequiresCurrentPassword()
        Description copied from class: PasswordPolicy
        Gets the "password-change-requires-current-password" property.

        Indicates whether user password changes must use the password modify extended operation and must include the user's current password before the change is allowed.

        Specified by:
        isPasswordChangeRequiresCurrentPassword in class PasswordPolicy
        Returns:
        Returns the value of the "password-change-requires-current-password" property.

      • getPasswordExpirationWarningInterval

        public long getPasswordExpirationWarningInterval()
        Description copied from class: PasswordPolicy
        Gets the "password-expiration-warning-interval" property in seconds.

        Specifies the maximum length of time before a user's password actually expires that the server begins to include warning notifications in bind responses for that user.

        0 indicates that warning interval must be disabled.

        Specified by:
        getPasswordExpirationWarningInterval in class PasswordPolicy
        Returns:
        Returns the value of the "password-expiration-warning-interval" property in seconds.

      • getPasswordHistoryCount

        public int getPasswordHistoryCount()
        Description copied from class: PasswordPolicy
        Gets the "password-history-count" property.

        Specifies the maximum number of former passwords to maintain in the password history.

        When choosing a new password, the proposed password is checked to ensure that it does not match the current password, nor any other password in the history list. A value of zero indicates that either no password history is to be maintained (if the password history duration has a value of zero seconds), or that there is no maximum number of passwords to maintain in the history (if the password history duration has a value greater than zero seconds).

        Specified by:
        getPasswordHistoryCount in class PasswordPolicy
        Returns:
        Returns the value of the "password-history-count" property.

      • getPasswordHistoryDuration

        public long getPasswordHistoryDuration()
        Description copied from class: PasswordPolicy
        Gets the "password-history-duration" property in seconds.

        Specifies the maximum length of time that passwords remain in the password history.

        When choosing a new password, the proposed password is checked to ensure that it does not match the current password, nor any other password in the history list. 0 indicates that either no password history is to be maintained (if the password history count has a value of zero), or that there is no maximum duration for passwords in the history (if the password history count has a value greater than zero).

        Specified by:
        getPasswordHistoryDuration in class PasswordPolicy
        Returns:
        Returns the value of the "password-history-duration" property in seconds.

      • getPreviousLastLoginTimeFormats

        public SortedSet<String> getPreviousLastLoginTimeFormats()
        Description copied from class: PasswordPolicy
        Gets the "previous-last-login-time-format" property.

        Specifies the format string(s) that might have been used with the last login time at any point in the past for users associated with the password policy.

        These values are used to make it possible to parse previous values, but are not used to set new values. The format strings conform to the syntax described in the API documentation for the java.text.SimpleDateFormat class.

        Specified by:
        getPreviousLastLoginTimeFormats in class PasswordPolicy
        Returns:
        Returns an unmodifiable set containing the values of the "previous-last-login-time-format" property.

      • getRequireChangeByTime

        public long getRequireChangeByTime()
        Description copied from class: PasswordPolicy
        Retrieves the time by which all users will be required to change their passwords, expressed in the number of milliseconds since midnight of January 1, 1970 (i.e., the zero time for System.currentTimeMillis()). Any passwords not changed before this time will automatically enter a state in which they must be changed before any other operation will be allowed.
        Specified by:
        getRequireChangeByTime in class PasswordPolicy
        Returns:
        The time by which all users will be required to change their passwords, or zero if no such constraint is in effect.

      • isRequireSecureAuthentication

        public boolean isRequireSecureAuthentication()
        Description copied from class: PasswordPolicy
        Gets the "require-secure-authentication" property.

        Indicates whether users with the associated password policy are required to authenticate in a secure manner.

        This might mean either using a secure communication channel between the client and the server, or using a SASL mechanism that does not expose the credentials.

        Specified by:
        isRequireSecureAuthentication in class PasswordPolicy
        Returns:
        Returns the value of the "require-secure-authentication" property.

      • isRequireSecurePasswordChanges

        public boolean isRequireSecurePasswordChanges()
        Description copied from class: PasswordPolicy
        Gets the "require-secure-password-changes" property.

        Indicates whether users with the associated password policy are required to change their password in a secure manner that does not expose the credentials.

        Specified by:
        isRequireSecurePasswordChanges in class PasswordPolicy
        Returns:
        Returns the value of the "require-secure-password-changes" property.

      • isSkipValidationForAdministrators

        public boolean isSkipValidationForAdministrators()
        Description copied from class: PasswordPolicy
        Gets the "skip-validation-for-administrators" property.

        Indicates whether passwords set by administrators are allowed to bypass the password validation process that is required for user password changes.

        Specified by:
        isSkipValidationForAdministrators in class PasswordPolicy
        Returns:
        Returns the value of the "skip-validation-for-administrators" property.

      • getStateUpdateFailurePolicy

        public PasswordPolicyCfgDefn.StateUpdateFailurePolicy getStateUpdateFailurePolicy()
        Description copied from class: PasswordPolicy
        Gets the "state-update-failure-policy" property.

        Specifies how the server deals with the inability to update password policy state information during an authentication attempt.

        In particular, this property can be used to control whether an otherwise successful bind operation fails if a failure occurs while attempting to update password policy state information (for example, to clear a record of previous authentication failures or to update the last login time). It can also be used to control whether to reject a bind request if it is known ahead of time that it will not be possible to update the authentication failure times in the event of an unsuccessful bind attempt (for example, if the backend writability mode is disabled).

        Specified by:
        getStateUpdateFailurePolicy in class PasswordPolicy
        Returns:
        Returns the value of the "state-update-failure-policy" property.

      • isAuthPasswordSyntax

        public boolean isAuthPasswordSyntax()
        Description copied from class: PasswordPolicy
        Indicates whether the associated password attribute uses the auth password syntax.
        Specified by:
        isAuthPasswordSyntax in class PasswordPolicy
        Returns:
        true if the associated password attribute uses the auth password syntax, or false if not.

      • getDefaultPasswordStorageSchemes

        public List<PasswordStorageScheme<?>> getDefaultPasswordStorageSchemes()
        Description copied from class: PasswordPolicy
        Retrieves the default set of password storage schemes that will be used for this password policy. The returned set should not be modified by the caller.
        Specified by:
        getDefaultPasswordStorageSchemes in class PasswordPolicy
        Returns:
        The default set of password storage schemes that will be used for this password policy.

      • getDeprecatedPasswordStorageSchemes

        public Set<String> getDeprecatedPasswordStorageSchemes()
        Description copied from class: PasswordPolicy
        Gets the "deprecated-password-storage-scheme" property.

        Specifies the names of the password storage schemes that are considered deprecated for this password policy.

        If a user with this password policy authenticates to the server and his/her password is encoded with a deprecated scheme, those values are removed and replaced with values encoded using the default password storage scheme(s).

        Specified by:
        getDeprecatedPasswordStorageSchemes in class PasswordPolicy
        Returns:
        Returns an unmodifiable set containing the values of the "deprecated-password-storage-scheme" property.

      • getDN

        public Dn getDN()
        Description copied from class: AuthenticationPolicy
        Returns the name of the configuration entry associated with this authentication policy.
        Specified by:
        getDN in class PasswordPolicy
        Returns:
        The name of the configuration entry associated with this authentication policy.

      • isDefaultPasswordStorageScheme

        public boolean isDefaultPasswordStorageScheme​(String name)
        Description copied from class: PasswordPolicy
        Indicates whether the specified storage scheme is a default scheme for this password policy.
        Specified by:
        isDefaultPasswordStorageScheme in class PasswordPolicy
        Parameters:
        name - The name of the password storage scheme for which to make the determination.
        Returns:
        true if the storage scheme is a default scheme for this password policy, or false if not.

      • isDeprecatedPasswordStorageScheme

        public boolean isDeprecatedPasswordStorageScheme​(String name)
        Description copied from class: PasswordPolicy
        Indicates whether the specified storage scheme is deprecated.
        Specified by:
        isDeprecatedPasswordStorageScheme in class PasswordPolicy
        Parameters:
        name - The name of the password storage scheme for which to make the determination.
        Returns:
        true if the storage scheme is deprecated, or false if not.

      • getPasswordValidators

        public Collection<PasswordValidator<?>> getPasswordValidators()
        Description copied from class: PasswordPolicy
        Retrieves the set of password validators for this password policy. The returned list should not be altered by the caller.
        Specified by:
        getPasswordValidators in class PasswordPolicy
        Returns:
        The set of password validators for this password policy.

      • getPasswordGenerator

        public PasswordGenerator<?> getPasswordGenerator()
        Description copied from class: PasswordPolicy
        Retrieves the password generator that will be used with this password policy.
        Specified by:
        getPasswordGenerator in class PasswordPolicy
        Returns:
        The password generator that will be used with this password policy, or null if there is none.