org.opends.server.core
Class PasswordPolicy

java.lang.Object
  extended by org.opends.server.core.PasswordPolicy

public class PasswordPolicy
extends java.lang.Object

This class defines a data structure that holds information about a Directory Server password policy.


Constructor Summary
PasswordPolicy(PasswordPolicyCfg configuration)
          Creates a new password policy based on the configuration contained in the provided configuration entry.
 
Method Summary
 boolean allowExpiredPasswordChanges()
          Indicates whether a user will be allowed to change their password after it expires and they have no remaining grace logins (and will not be allowed to perform any other operation until the password is changed).
 boolean allowMultiplePasswordValues()
          Indicates whether user entries will be allowed to have multiple distinct values in the password attribute.
 boolean allowPreEncodedPasswords()
          Indicates whether clients will be allowed to set pre-encoded passwords that are already hashed and therefore cannot be validated for correctness.
 boolean allowUserPasswordChanges()
          Indicates whether end users will be allowed to change their own passwords (subject to access control restrictions).
 boolean expirePasswordsWithoutWarning()
          Indicates whether user passwords will be allowed to expire without the user receiving at least one notification during the warning period.
 boolean forceChangeOnAdd()
          Indicates whether users will be required to change their passwords as soon as they authenticate after their accounts have been created.
 boolean forceChangeOnReset()
          Indicates whether a user will be required to change their password after it has been reset by an administrator.
 java.util.concurrent.ConcurrentHashMap<DN,AccountStatusNotificationHandler> getAccountStatusNotificationHandlers()
          Retrieves the set of account status notification handlers that should be used with this password policy.
 DN getConfigEntryDN()
          Retrieves the DN of the configuration entry to which this password policy corresponds.
 java.util.concurrent.CopyOnWriteArrayList<PasswordStorageScheme> getDefaultStorageSchemes()
          Retrieves the default set of password storage schemes that will be used for this password policy.
 java.util.concurrent.CopyOnWriteArraySet<java.lang.String> getDeprecatedStorageSchemes()
          Retrieves the names of the password storage schemes that have been deprecated.
 int getGraceLoginCount()
          Retrieves the maximum number of grace logins that a user will be allowed after their password has expired before they are completely locked out.
 int getIdleLockoutInterval()
          Retrieves the maximum length of time in seconds that an account will be allowed to remain idle (no authentications performed as the user) before it will be locked out.
 AttributeType getLastLoginTimeAttribute()
          Retrieves the attribute type used to store the last login time.
 java.lang.String getLastLoginTimeFormat()
          Retrieves the format string that should be used for the last login time.
 int getLockoutDuration()
          Retrieves the maximum length of time in seconds that an account will be locked out due to too many failed authentication attempts.
 int getLockoutFailureCount()
          Retrieves the maximum number of authentication failures that will be allowed before an account is locked out.
 int getLockoutFailureExpirationInterval()
          Retrieves the maximum length of time in seconds that an authentication failure will be held against a user before it is removed from the failed login count.
 int getMaximumPasswordAge()
          Retrieves the maximum length of time in seconds that will be allowed to pass between password changes before the password is expired.
 int getMaximumPasswordResetAge()
          Retrieves the maximum length of time in seconds that will be allowed to pass after an administrative password reset before that password is expired.
 int getMinimumPasswordAge()
          Retrieves the minimum password age, which is the minimum length of time in seconds that must elapse between user password changes.
 AttributeType getPasswordAttribute()
          Retrieves the attribute type used to store the password.
 PasswordGenerator getPasswordGenerator()
          Retrieves the password generator that will be used with this password policy.
 DN getPasswordGeneratorDN()
          Retrieves the DN of the password generator configuration entry.
 int getPasswordHistoryCount()
          Retrieves the maximum number of previous passwords to maintain in the password history.
 int getPasswordHistoryDuration()
          Retrieves the maximum length of time in seconds that previous passwords should remain in the password history.
 java.util.concurrent.ConcurrentHashMap<DN,PasswordValidator<? extends PasswordValidatorCfg>> getPasswordValidators()
          Retrieves the set of password validators for this password policy.
 java.util.concurrent.CopyOnWriteArrayList<java.lang.String> getPreviousLastLoginTimeFormats()
          Retrieves the list of previous last login time formats that might have been used for users associated with this password policy.
 long getRequireChangeByTime()
          Retrieves the time by which all users will be required to change their passwords, expressed in the number of milliseconds since midnight of January 1, 1970 (i.e., the zero time for System.currentTimeMillis()).
 PasswordPolicyCfgDefn.StateUpdateFailurePolicy getStateUpdateFailurePolicy()
          Retrieves the state update failure policy for this password policy.
 int getWarningInterval()
          Retrieves the maximum length of time in seconds before the password will expire that the user should start receiving warning notifications.
 boolean isDefaultStorageScheme(java.lang.String name)
          Indicates whether the specified storage scheme is a default scheme for this password policy.
 boolean isDeprecatedStorageScheme(java.lang.String name)
          Indicates whether the specified storage scheme is deprecated.
 boolean requireCurrentPassword()
          Indicates whether the end user must provide their current password (via the password modify extended operation) in order to set a new password.
 boolean requireSecureAuthentication()
          Indicates whether users with this password policy will be required to authenticate in a secure manner that does not expose their password.
 boolean requireSecurePasswordChanges()
          Indicates whether users with this password policy will be required to change their passwords in a secure manner that does not expose the new password.
 boolean skipValidationForAdministrators()
          Indicates whether operations by administrators that specify a new password for a user (e.g., add, modify, or password modify) will be allowed to bypass the password validation process that will be required for user password changes.
 java.lang.String toString()
          Retrieves a string representation of this password policy.
 void toString(java.lang.StringBuilder buffer)
          Appends a string representation of this password policy to the provided buffer.
 boolean usesAuthPasswordSyntax()
          Indicates whether the associated password attribute uses the auth password syntax.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
 

Constructor Detail

PasswordPolicy

public PasswordPolicy(PasswordPolicyCfg configuration)
               throws ConfigException,
                      InitializationException
Creates a new password policy based on the configuration contained in the provided configuration entry. Any parameters not included in the provided configuration entry will be assigned server-wide default values.

Parameters:
configuration - The configuration with the information to use to initialize this password policy.
Throws:
ConfigException - If the provided entry does not contain a valid password policy configuration.
InitializationException - If an error occurs while initializing the password policy that is not related to the server configuration.

Method Detail

getConfigEntryDN

public DN getConfigEntryDN()
Retrieves the DN of the configuration entry to which this password policy corresponds.

Returns:
The DN of the configuration entry.

getPasswordAttribute

public AttributeType getPasswordAttribute()
Retrieves the attribute type used to store the password.

Returns:
The attribute type used to store the password.

usesAuthPasswordSyntax

public boolean usesAuthPasswordSyntax()
Indicates whether the associated password attribute uses the auth password syntax.

Returns:
true if the associated password attribute uses the auth password syntax, or false if not.

getDefaultStorageSchemes

public java.util.concurrent.CopyOnWriteArrayList<PasswordStorageScheme> getDefaultStorageSchemes()
Retrieves the default set of password storage schemes that will be used for this password policy. The returned list should not be modified by the caller.

Returns:
The default set of password storage schemes that will be used for this password policy.

isDefaultStorageScheme

public boolean isDefaultStorageScheme(java.lang.String name)
Indicates whether the specified storage scheme is a default scheme for this password policy.

Parameters:
name - The name of the password storage scheme for which to make the determination.
Returns:
true if the storage scheme is a default scheme for this password policy, or false if not.

getDeprecatedStorageSchemes

public java.util.concurrent.CopyOnWriteArraySet<java.lang.String> getDeprecatedStorageSchemes()
Retrieves the names of the password storage schemes that have been deprecated. If an authenticating user has one or more of these deprecated storage schemes in use in their entry, then the values encoded with those schemes will be removed and replaced with the password encoded in the default storage scheme(s). The returned set should not be altered by the caller.

Returns:
The names of the password storage schemes that have been deprecated.

isDeprecatedStorageScheme

public boolean isDeprecatedStorageScheme(java.lang.String name)
Indicates whether the specified storage scheme is deprecated.

Parameters:
name - The name of the password storage scheme for which to make the determination.
Returns:
true if the storage scheme is deprecated, or false if not.

getPasswordValidators

public java.util.concurrent.ConcurrentHashMap<DN,PasswordValidator<? extends PasswordValidatorCfg>> getPasswordValidators()
Retrieves the set of password validators for this password policy. The returned map should not be altered by the caller.

Returns:
The set of password validators for this password policy.

getAccountStatusNotificationHandlers

public java.util.concurrent.ConcurrentHashMap<DN,AccountStatusNotificationHandler> getAccountStatusNotificationHandlers()
Retrieves the set of account status notification handlers that should be used with this password policy. The returned map should not be altered by the caller.

Returns:
The set of account status notification handlers that should be used with this password policy.

allowUserPasswordChanges

public boolean allowUserPasswordChanges()
Indicates whether end users will be allowed to change their own passwords (subject to access control restrictions).

Returns:
true if users will be allowed to change their own passwords, or false if not.

requireCurrentPassword

public boolean requireCurrentPassword()
Indicates whether the end user must provide their current password (via the password modify extended operation) in order to set a new password.

Returns:
true if the end user must provide their current password in order to set a new password, or false if they will not.

forceChangeOnAdd

public boolean forceChangeOnAdd()
Indicates whether users will be required to change their passwords as soon as they authenticate after their accounts have been created.

Returns:
true if users will be required to change their passwords at the initial authentication, or false if not.

forceChangeOnReset

public boolean forceChangeOnReset()
Indicates whether a user will be required to change their password after it has been reset by an administrator.

Returns:
true if a user will be required to change their password after it has been reset by an administrator, or false if they can continue using that password.

skipValidationForAdministrators

public boolean skipValidationForAdministrators()
Indicates whether operations by administrators that specify a new password for a user (e.g., add, modify, or password modify) will be allowed to bypass the password validation process that will be required for user password changes.

Returns:
true if administrators will be allowed to bypass the validation checks, or false if not.

getPasswordGeneratorDN

public DN getPasswordGeneratorDN()
Retrieves the DN of the password generator configuration entry.

Returns:
The DN of the password generator configuration entry.

getPasswordGenerator

public PasswordGenerator getPasswordGenerator()
Retrieves the password generator that will be used with this password policy.

Returns:
The password generator that will be used with this password policy, or null if there is none.

getPasswordHistoryCount

public int getPasswordHistoryCount()
Retrieves the maximum number of previous passwords to maintain in the password history.

Returns:
The maximum number of previous passwords to maintain in the password history.

getPasswordHistoryDuration

public int getPasswordHistoryDuration()
Retrieves the maximum length of time in seconds that previous passwords should remain in the password history.

Returns:
The maximum length of time in seconds that previous passwords should remain in the password history.

requireSecureAuthentication

public boolean requireSecureAuthentication()
Indicates whether users with this password policy will be required to authenticate in a secure manner that does not expose their password.

Returns:
true if users with this password policy will be required to authenticate in a secure manner that does not expose their password, or false if they may authenticate in an insecure manner.

requireSecurePasswordChanges

public boolean requireSecurePasswordChanges()
Indicates whether users with this password policy will be required to change their passwords in a secure manner that does not expose the new password.

Returns:
true if users with this password policy will be required to change their passwords in a secure manner that does not expose the new password, or false if they may change their password in an insecure manner.

allowMultiplePasswordValues

public boolean allowMultiplePasswordValues()
Indicates whether user entries will be allowed to have multiple distinct values in the password attribute.

Returns:
true if clients will be allowed to have multiple distinct password values, or false if not.

allowPreEncodedPasswords

public boolean allowPreEncodedPasswords()
Indicates whether clients will be allowed to set pre-encoded passwords that are already hashed and therefore cannot be validated for correctness.

Returns:
true if clients will be allowed to set pre-encoded passwords that cannot be validated, or false if not.

getMinimumPasswordAge

public int getMinimumPasswordAge()
Retrieves the minimum password age, which is the minimum length of time in seconds that must elapse between user password changes.

Returns:
The minimum password age, which is the minimum length of time in seconds that must elapse between user password changes, or zero if there is no minimum age.

getMaximumPasswordAge

public int getMaximumPasswordAge()
Retrieves the maximum length of time in seconds that will be allowed to pass between password changes before the password is expired.

Returns:
The maximum length of time in seconds that will be allowed to pass between password changes before the password is expired, or zero if password expiration should not be used.

getMaximumPasswordResetAge

public int getMaximumPasswordResetAge()
Retrieves the maximum length of time in seconds that will be allowed to pass after an administrative password reset before that password is expired.

Returns:
The maximum length of time in seconds that will be allowed to pass after an administrative password reset before that password is expired, or zero if there is no limit.

getWarningInterval

public int getWarningInterval()
Retrieves the maximum length of time in seconds before the password will expire that the user should start receiving warning notifications.

Returns:
The maximum length of time in seconds before the password will expire that the user should start receiving warning notifications, or zero if no warning should be given.

expirePasswordsWithoutWarning

public boolean expirePasswordsWithoutWarning()
Indicates whether user passwords will be allowed to expire without the user receiving at least one notification during the warning period.

Returns:
true if user passwords will be allowed to expire without the user receiving at least one notification during the warning period, or false if the user will always see at least one warning before the password expires.

allowExpiredPasswordChanges

public boolean allowExpiredPasswordChanges()
Indicates whether a user will be allowed to change their password after it expires and they have no remaining grace logins (and will not be allowed to perform any other operation until the password is changed).

Returns:
true if a user will be allowed to change their password after it expires and they have no remaining grace logins, or false if the account will be completely locked and the password must be reset by an administrator.

getGraceLoginCount

public int getGraceLoginCount()
Retrieves the maximum number of grace logins that a user will be allowed after their password has expired before they are completely locked out.

Returns:
The maximum number of grace logins that a user will be allowed after their password has expired before they are completely locked out, or zero if no grace logins will be allowed or the grace login duration will be in effect instead of a fixed number of logins.

getLockoutFailureCount

public int getLockoutFailureCount()
Retrieves the maximum number of authentication failures that will be allowed before an account is locked out.

Returns:
The maximum number of authentication failures that will be allowed before an account is locked out, or zero if no account lockout will be in effect.

getLockoutDuration

public int getLockoutDuration()
Retrieves the maximum length of time in seconds that an account will be locked out due to too many failed authentication attempts.

Returns:
The maximum length of time in seconds that an account will be locked out due to too many failed authentication attempts, or zero if the account will remain locked until explicitly unlocked by an administrator.

getLockoutFailureExpirationInterval

public int getLockoutFailureExpirationInterval()
Retrieves the maximum length of time in seconds that an authentication failure will be held against a user before it is removed from the failed login count.

Returns:
The maximum length of time in seconds that an authentication failure will be held against a user before it is removed from the failed login count, or zero if authentication failures will never expire.

getRequireChangeByTime

public long getRequireChangeByTime()
Retrieves the time by which all users will be required to change their passwords, expressed in the number of milliseconds since midnight of January 1, 1970 (i.e., the zero time for System.currentTimeMillis()). Any passwords not changed before this time will automatically enter a state in which they must be changed before any other operation will be allowed.

Returns:
The time by which all users will be required to change their passwords, or zero if no such constraint is in effect.

getLastLoginTimeAttribute

public AttributeType getLastLoginTimeAttribute()
Retrieves the attribute type used to store the last login time.

Returns:
The attribute type used to store the last login time, or null if the last login time is not to be maintained.

getLastLoginTimeFormat

public java.lang.String getLastLoginTimeFormat()
Retrieves the format string that should be used for the last login time.

Returns:
The format string that should be used for the last login time, or null if the last login time is not to be maintained.

getPreviousLastLoginTimeFormats

public java.util.concurrent.CopyOnWriteArrayList<java.lang.String> getPreviousLastLoginTimeFormats()
Retrieves the list of previous last login time formats that might have been used for users associated with this password policy.

Returns:
The list of previous last login time formats that might have been used for users associated with this password policy.

getIdleLockoutInterval

public int getIdleLockoutInterval()
Retrieves the maximum length of time in seconds that an account will be allowed to remain idle (no authentications performed as the user) before it will be locked out.

Returns:
The maximum length of time in seconds that an account will be allowed to remain idle before it will be locked out.

getStateUpdateFailurePolicy

public PasswordPolicyCfgDefn.StateUpdateFailurePolicy getStateUpdateFailurePolicy()
Retrieves the state update failure policy for this password policy.

Returns:
The state update failure policy for this password policy.

toString

public java.lang.String toString()
Retrieves a string representation of this password policy.

Overrides:
toString in class java.lang.Object
Returns:
A string representation of this password policy.

toString

public void toString(java.lang.StringBuilder buffer)
Appends a string representation of this password policy to the provided buffer.

Parameters:
buffer - The buffer to which the information should be appended.
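
Several of the getters above use zero to mean "disabled", and some settings only become weak in combination. The following is an added example, not OpenDS code: the class PasswordPolicyAudit, its audit method and the finding texts are hypothetical, it assumes the OpenDS server classes are on the classpath, and it calls only methods documented on this page.

```java
import java.util.ArrayList;
import java.util.List;

import org.opends.server.core.PasswordPolicy;

/** Hypothetical helper, not part of OpenDS: reviews one PasswordPolicy. */
public final class PasswordPolicyAudit {

    private PasswordPolicyAudit() {
    }

    /** Returns one finding per setting or combination that weakens the policy. */
    public static List<String> audit(PasswordPolicy policy) {
        List<String> findings = new ArrayList<String>();

        // Zero is the documented "no lockout" value for the failure count.
        if (policy.getLockoutFailureCount() == 0) {
            findings.add("Account lockout is disabled (lockout failure count is 0).");
        }

        // Exposure of the current or the new password on the wire.
        if (!policy.requireSecureAuthentication()) {
            findings.add("Authentication that exposes the password is allowed.");
        }
        if (!policy.requireSecurePasswordChanges()) {
            findings.add("Password changes that expose the new password are allowed.");
        }

        // Paths around the password validators.
        if (policy.getPasswordValidators().isEmpty()) {
            findings.add("No password validators are configured.");
        }
        if (policy.allowPreEncodedPasswords()) {
            findings.add("Pre-encoded passwords are accepted and cannot be validated.");
        }
        if (policy.skipValidationForAdministrators()) {
            findings.add("Administrator-set passwords bypass validation.");
        }

        // A password known to an administrator should be short-lived.
        if (!policy.forceChangeOnReset()) {
            findings.add("Users may keep a password that an administrator set.");
        } else if (policy.getMaximumPasswordResetAge() == 0) {
            findings.add("Reset passwords have no expiry (maximum reset age is 0).");
        }

        // History without a minimum age can be cycled through in one sitting.
        if (policy.getPasswordHistoryCount() > 0 && policy.getMinimumPasswordAge() == 0) {
            findings.add("Password history is kept but there is no minimum password age.");
        }

        // A scheme should not be both deprecated and a default for new values.
        for (String name : policy.getDeprecatedStorageSchemes()) {
            if (policy.isDefaultStorageScheme(name)) {
                findings.add("Storage scheme is both deprecated and default: " + name);
            }
        }
        return findings;
    }
}
```

An empty list means none of these checks fired; it does not say the policy is strong, since the values of the lockout, age and history settings still need to be judged against local requirements.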