Interface PwPolicyMgr
-
- All Superinterfaces:
Manageable
- All Known Implementing Classes:
PwPolicyMgrImpl
,PwPolicyMgrRestImpl
public interface PwPolicyMgr extends Manageable
This class is used to perform administrative and review functions on the PWPOLICIES and USERS data sets.Password Policies
OpenLDAP and ApacheDS support the IETF draft Password Policies LDAP directories. Policies may be applied at the user, group or global level.Password enforcement options include:
- A configurable limit on failed authentication attempts.
- A counter to track the number of failed authentication attempts.
- A time frame in which the limit of consecutive failed authentication attempts must happen before action is taken.
- The action to be taken when the limit is reached. The action will either be nothing, or the account will be locked.
- An amount of time the account is locked (if it is to be locked) This can be indefinite.
- Password expiration.
- Expiration warning
- Grace authentications
- Password history
- Password minimum age
- Password minimum length
- Password Change after Reset
- Safe Modification of Password
This interface's implementer will NOT be thread safe if parent instance variables (
Manageable.setContextId(String)
orManageable.setAdmin(org.apache.directory.fortress.core.model.Session)
) are set.- Author:
- Apache Directory Project
-
-
Method Summary
All Methods Instance Methods Abstract Methods Modifier and Type Method Description void
add(PwPolicy policy)
This method will add a new policy entry to the POLICIES data set.void
delete(PwPolicy policy)
This method will delete exiting policy entry from the POLICIES data set.void
deletePasswordPolicy(String userId)
This method will remove the pw policy assignment from a user entity.PwPolicy
read(String name)
This method will return the password policy entity to the caller.List<PwPolicy>
search(String searchVal)
This method will return a list of all password policy entities that match a particular search string.void
update(PwPolicy policy)
This method will update an exiting policy entry to the POLICIES data set.void
updateUserPolicy(String userId, String policyName)
This method will associate a user entity with a password policy entity.-
Methods inherited from interface org.apache.directory.fortress.core.Manageable
setAdmin, setContextId
-
-
-
-
Method Detail
-
add
void add(PwPolicy policy) throws SecurityException
This method will add a new policy entry to the POLICIES data set. This command is valid if and only if the policy entry is not already present in the POLICIES data set.required parameters
-
PwPolicy.name
- Maps to name attribute of pwdPolicy object class being added.
optional parameters
-
PwPolicy.minAge
- This attribute holds the number of seconds that must elapse between modifications to the password. If this attribute is not present, 0 seconds is assumed. -
PwPolicy.maxAge
- This attribute holds the number of seconds after which a modified password will expire. If this attribute is not present, or if the value is 0 the password does not expire. If not 0, the value must be greater than or equal to the value of the pwdMinAge. -
PwPolicy.inHistory
- This attribute specifies the maximum number of used passwords stored in the pwdHistory attribute. If this attribute is not present, or if the value is 0, used passwords are not stored in the pwdHistory attribute and thus may be reused. -
PwPolicy.minLength
- When quality checking is enabled, this attribute holds the minimum number of characters that must be used in a password. If this attribute is not present, no minimum password length will be enforced. If the server is unable to check the length (due to a hashed password or otherwise), the server will, depending on the value of the pwdCheckQuality attribute, either accept the password without checking it ('0' or '1') or refuse it ('2'). -
PwPolicy.expireWarning
- This attribute specifies the maximum number of seconds before a password is due to expire that expiration warning messages will be returned to an authenticating user. If this attribute is not present, or if the value is 0 no warnings will be returned. If not 0, the value must be smaller than the value of the pwdMaxAge attribute. -
PwPolicy.graceLoginLimit
- This attribute specifies the number of times an expired password can be used to authenticate. If this attribute is not present or if the value is 0, authentication will fail. -
PwPolicy.lockout
- This attribute indicates, when its value is "TRUE", that the password may not be used to authenticate after a specified number of consecutive failed bind attempts. The maximum number of consecutive failed bind attempts is specified in pwdMaxFailure. If this attribute is not present, or if the value is "FALSE", the password may be used to authenticate when the number of failed bind attempts has been reached. -
PwPolicy.lockoutDuration
- This attribute holds the number of seconds that the password cannot be used to authenticate due to too many failed bind attempts. If this attribute is not present, or if the value is 0 the password cannot be used to authenticate until reset by a password administrator. -
PwPolicy.maxFailure
- This attribute specifies the number of consecutive failed bind attempts after which the password may not be used to authenticate. If this attribute is not present, or if the value is 0, this policy is not checked, and the value of pwdLockout will be ignored. -
PwPolicy.failureCountInterval
- This attribute holds the number of seconds after which the password failures are purged from the failure counter, even though no successful authentication occurred. If this attribute is not present, or if its value is 0, the failure counter is only reset by a successful authentication. -
PwPolicy.mustChange
- This attribute specifies with a value of "TRUE" that users must change their passwords when they first bind to the directory after a password is set or reset by a password administrator. If this attribute is not present, or if the value is "FALSE", users are not required to change their password upon binding after the password administrator sets or resets the password. This attribute is not set due to any actions specified by this document, it is typically set by a password administrator after resetting a user's password. -
PwPolicy.allowUserChange
- This attribute indicates whether users can change their own passwords, although the change operation is still subject to access control. If this attribute is not present, a value of "TRUE" is assumed. This attribute is intended to be used in the absence of an access control mechanism. -
PwPolicy.safeModify
- This attribute specifies whether or not the existing password must be sent along with the new password when being changed. If this attribute is not present, a "FALSE" value is assumed. -
PwPolicy.checkQuality
- This attribute indicates how the password quality will be verified while being modified or added. If this attribute is not present, or if the value is '0', quality checking will not be enforced. A value of '1' indicates that the server will check the quality, and if the server is unable to check it (due to a hashed password or other reasons) it will be accepted. A value of '2' indicates that the server will check the quality, and if the server is unable to verify it, it will return an error refusing the password. -
PwPolicy.attribute
- This holds the name of the attribute to which the password policy is applied. For example, the password policy may be applied to the userPassword attribute
- Parameters:
policy
- Object must containPwPolicy.name
and optionally other attributes.- Throws:
SecurityException
- In the event of data validation or system error.
-
-
update
void update(PwPolicy policy) throws SecurityException
This method will update an exiting policy entry to the POLICIES data set. This command is valid if and only if the policy entry is already present in the POLICIES data set.required parameters
-
PwPolicy.name
- Maps to name attribute of pwdPolicy object class being updated.
optional parameters
-
PwPolicy.minAge
- This attribute holds the number of seconds that must elapse between modifications to the password. If this attribute is not present, 0 seconds is assumed. -
PwPolicy.maxAge
- This attribute holds the number of seconds after which a modified password will expire. If this attribute is not present, or if the value is 0 the password does not expire. If not 0, the value must be greater than or equal to the value of the pwdMinAge. -
PwPolicy.inHistory
- This attribute specifies the maximum number of used passwords stored in the pwdHistory attribute. If this attribute is not present, or if the value is 0, used passwords are not stored in the pwdHistory attribute and thus may be reused. -
PwPolicy.minLength
- When quality checking is enabled, this attribute holds the minimum number of characters that must be used in a password. If this attribute is not present, no minimum password length will be enforced. If the server is unable to check the length (due to a hashed password or otherwise), the server will, depending on the value of the pwdCheckQuality attribute, either accept the password without checking it ('0' or '1') or refuse it ('2'). -
PwPolicy.expireWarning
- This attribute specifies the maximum number of seconds before a password is due to expire that expiration warning messages will be returned to an authenticating user. If this attribute is not present, or if the value is 0 no warnings will be returned. If not 0, the value must be smaller than the value of the pwdMaxAge attribute. -
PwPolicy.graceLoginLimit
- This attribute specifies the number of times an expired password can be used to authenticate. If this attribute is not present or if the value is 0, authentication will fail. -
PwPolicy.lockout
- This attribute indicates, when its value is "TRUE", that the password may not be used to authenticate after a specified number of consecutive failed bind attempts. The maximum number of consecutive failed bind attempts is specified in pwdMaxFailure. If this attribute is not present, or if the value is "FALSE", the password may be used to authenticate when the number of failed bind attempts has been reached. -
PwPolicy.lockoutDuration
- This attribute holds the number of seconds that the password cannot be used to authenticate due to too many failed bind attempts. If this attribute is not present, or if the value is 0 the password cannot be used to authenticate until reset by a password administrator. -
PwPolicy.maxFailure
- This attribute specifies the number of consecutive failed bind attempts after which the password may not be used to authenticate. If this attribute is not present, or if the value is 0, this policy is not checked, and the value of pwdLockout will be ignored. -
PwPolicy.failureCountInterval
- This attribute holds the number of seconds after which the password failures are purged from the failure counter, even though no successful authentication occurred. If this attribute is not present, or if its value is 0, the failure counter is only reset by a successful authentication. -
PwPolicy.mustChange
- This attribute specifies with a value of "TRUE" that users must change their passwords when they first bind to the directory after a password is set or reset by a password administrator. If this attribute is not present, or if the value is "FALSE", users are not required to change their password upon binding after the password administrator sets or resets the password. This attribute is not set due to any actions specified by this document, it is typically set by a password administrator after resetting a user's password. -
PwPolicy.allowUserChange
- This attribute indicates whether users can change their own passwords, although the change operation is still subject to access control. If this attribute is not present, a value of "TRUE" is assumed. This attribute is intended to be used in the absence of an access control mechanism. -
PwPolicy.safeModify
- This attribute specifies whether or not the existing password must be sent along with the new password when being changed. If this attribute is not present, a "FALSE" value is assumed. -
PwPolicy.checkQuality
- This attribute indicates how the password quality will be verified while being modified or added. If this attribute is not present, or if the value is '0', quality checking will not be enforced. A value of '1' indicates that the server will check the quality, and if the server is unable to check it (due to a hashed password or other reasons) it will be accepted. A value of '2' indicates that the server will check the quality, and if the server is unable to verify it, it will return an error refusing the password. -
PwPolicy.attribute
- This holds the name of the attribute to which the password policy is applied. For example, the password policy may be applied to the userPassword attribute
- Parameters:
policy
- Object must containPwPolicy.name
and optionally all non-null attributes will be updated. null attributes will be ignored.- Throws:
SecurityException
- In the event policy not found , data validation or system error.
-
-
delete
void delete(PwPolicy policy) throws SecurityException
This method will delete exiting policy entry from the POLICIES data set. This command is valid if and only if the policy entry is already present in the POLICIES data set. Existing users that are assigned this policy will be removed from association.required parameters
-
PwPolicy.name
- Maps to name attribute of pwdPolicy object class being removed.
- Parameters:
policy
- Object must containPwPolicy.name
of the policy entity to remove.- Throws:
SecurityException
- In the event policy entity not found or system error.
-
-
read
PwPolicy read(String name) throws SecurityException
This method will return the password policy entity to the caller. This command is valid if and only if the policy entry is present in the POLICIES data set.required parameters
-
PwPolicy.name
- Maps to name attribute of pwdPolicy object class being read.
- Parameters:
name
- String contains thePwPolicy.name
of the policy entity to read.- Returns:
- PswdPolicy entity returns fully populated with attributes.
- Throws:
SecurityException
- In the event policy entry not found, data validation or system error.
-
-
search
List<PwPolicy> search(String searchVal) throws SecurityException
This method will return a list of all password policy entities that match a particular search string. This command will return an empty list of no matching entries are found.- Parameters:
searchVal
- String contains the leading chars of a policy entity. This search is not case sensitive.- Returns:
- List<PswdPolicy> contains all matching password policy entities. If no records found this will be empty.
- Throws:
SecurityException
- In the event of data validation or system error.
-
updateUserPolicy
void updateUserPolicy(String userId, String policyName) throws SecurityException
This method will associate a user entity with a password policy entity. This function is valid if and only if the user is a member of the USERS data set and the policyName refers to a policy that is a member of the PWPOLICIES data set.- Parameters:
userId
- ContainsUser.userId
of a User entity in USERS data set.policyName
- String contains thePwPolicy.name
of a pw policy entity contained within the PWPOLICIES data set.- Throws:
SecurityException
- thrown in the event either user or policy not valid or system error.
-
deletePasswordPolicy
void deletePasswordPolicy(String userId) throws SecurityException
This method will remove the pw policy assignment from a user entity. This function is valid if and only if the user is a member of the USERS data set and the policy attribute is assigned. Removal of pw policy assignment will revert the user's policy to use the global default for OpenLDAP instance that contains user.- Parameters:
userId
- ContainsUser.userId
of a User entity in USERS data set.- Throws:
SecurityException
- Thrown in the event either user not valid or system error.
-
-