Class PwPolicy
- java.lang.Object
  - org.apache.directory.fortress.core.model.FortEntity
    - org.apache.directory.fortress.core.model.PwPolicy
- All Implemented Interfaces: Serializable

public class PwPolicy extends FortEntity implements Serializable
This class contains the Password Policy entity, which is used to pass directives into and out of LDAP. The unique key used to locate a Policy entity (which is subsequently assigned to Users) is name.

Password Policies

OpenLDAP supports the IETF draft Password Policies for LDAP directories. Policies may be applied at the user, group or global level. Password enforcement options include:
- A configurable limit on failed authentication attempts.
- A counter to track the number of failed authentication attempts.
- A time frame in which the limit of consecutive failed authentication attempts must happen before action is taken.
- The action to be taken when the limit is reached. The action will either be nothing, or the account will be locked.
- An amount of time the account is locked (if it is to be locked). This can be indefinite.
- Password expiration.
- Expiration warning
- Grace authentications
- Password history
- Password minimum age
- Password minimum length
- Password Change after Reset
- Safe Modification of Password
Schema

The OpenLDAP Password Policy entity is a composite of the following structural and aux object classes:

1. organizationalRole Structural Object Class is used to store basic attributes like cn and description.
------------------------------------------
objectclass ( 2.5.6.14 NAME 'device'
    DESC 'RFC2256: a device'
    SUP top STRUCTURAL
    MUST cn
    MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $ description ) )
------------------------------------------

2. pwdPolicy AUXILIARY Object Class is used to store OpenLDAP Password Policies.
------------------------------------------
objectclass ( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy'
    SUP top AUXILIARY
    MUST ( pwdAttribute )
    MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $ pwdMinLength $
          pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $ pwdLockoutDuration $
          pwdMaxFailure $ pwdFailureCountInterval $ pwdMustChange $ pwdAllowUserChange $
          pwdSafeModify ) )
------------------------------------------

3. ftMods AUXILIARY Object Class is used to store Fortress audit variables on the target entity.
------------------------------------------
Fortress Audit Modification Auxiliary Object Class
objectclass ( 1.3.6.1.4.1.38088.3.4 NAME 'ftMods'
    DESC 'Fortress Modifiers AUX Object Class'
    AUXILIARY
    MAY ( ftModifier $ ftModCode $ ftModId ) )
------------------------------------------
- Author: Apache Directory Project
- See Also: Serialized Form
Field Summary

Fields inherited from class org.apache.directory.fortress.core.model.FortEntity
  adminSession, contextId, modCode, modId, sequenceId

Method Summary

Modifier and Type / Method / Description

boolean equals(Object thatObj)
  Matches the name from two PwPolicy entities.
Boolean getAllowUserChange()
  This optional attribute indicates whether users can change their own passwords, although the change operation is still subject to access control.
Short getCheckQuality()
  This optional attribute is not currently supported by Fortress.
Long getExpireWarning()
  This optional attribute specifies the maximum number of seconds before a password is due to expire that expiration warning messages will be returned to an authenticating user.
Short getFailureCountInterval()
  This optional attribute holds the number of seconds after which the password failures are purged from the failure counter, even though no successful authentication occurred.
Short getGraceLoginLimit()
  This optional attribute specifies the number of times an expired password can be used to authenticate.
Short getInHistory()
  This optional attribute specifies the maximum number of used passwords stored in the pwdHistory attribute.
Boolean getLockout()
  This optional attribute indicates, when its value is "TRUE", that the password may not be used to authenticate after a specified number of consecutive failed bind attempts.
Integer getLockoutDuration()
  This optional attribute holds the number of seconds that the password cannot be used to authenticate due to too many failed bind attempts.
Long getMaxAge()
  This optional attribute holds the number of seconds after which a modified password will expire.
Short getMaxFailure()
  This optional attribute specifies the number of consecutive failed bind attempts after which the password may not be used to authenticate.
Integer getMinAge()
  This optional attribute holds the number of seconds that must elapse between modifications to the password.
Short getMinLength()
  When quality checking is enabled, this optional attribute holds the minimum number of characters that must be used in a password.
Boolean getMustChange()
  This optional attribute specifies with a value of "TRUE" that users must change their passwords when they first bind to the directory after a password is set or reset by a password administrator.
String getName()
  Get the policy name associated with this instance.
Boolean getSafeModify()
  This optional attribute specifies whether or not the existing password must be sent along with the new password when being changed.
int hashCode()
void setAllowUserChange(Boolean allowUserChange)
  This optional attribute indicates whether users can change their own passwords, although the change operation is still subject to access control.
void setCheckQuality(Short checkQuality)
  This optional attribute is not currently supported by Fortress.
void setExpireWarning(Long expireWarning)
  This optional attribute specifies the maximum number of seconds before a password is due to expire that expiration warning messages will be returned to an authenticating user.
void setFailureCountInterval(Short failureCountInterval)
  This optional attribute holds the number of seconds after which the password failures are purged from the failure counter, even though no successful authentication occurred.
void setGraceLoginLimit(Short graceLoginLimit)
  This optional attribute specifies the number of times an expired password can be used to authenticate.
void setInHistory(Short inHistory)
  This optional attribute specifies the maximum number of used passwords stored in the pwdHistory attribute.
void setLockout(Boolean lockout)
  This optional attribute indicates, when its value is "TRUE", that the password may not be used to authenticate after a specified number of consecutive failed bind attempts.
void setLockoutDuration(Integer lockoutDuration)
  This optional attribute holds the number of seconds that the password cannot be used to authenticate due to too many failed bind attempts.
void setMaxAge(Long maxAge)
  This optional attribute holds the number of seconds after which a modified password will expire.
void setMaxFailure(Short maxFailure)
  This optional attribute specifies the number of consecutive failed bind attempts after which the password may not be used to authenticate.
void setMinAge(Integer minAge)
  This optional attribute holds the number of seconds that must elapse between modifications to the password.
void setMinLength(Short minLength)
  When quality checking is enabled, this optional attribute holds the minimum number of characters that must be used in a password.
void setMustChange(Boolean mustChange)
  This optional attribute specifies with a value of "TRUE" that users must change their passwords when they first bind to the directory after a password is set or reset by a password administrator.
void setName(String name)
  Set the required attribute policy name on this entity.
void setSafeModify(Boolean safeModify)
  This optional attribute specifies whether or not the existing password must be sent along with the new password when being changed.
String toString()

Methods inherited from class org.apache.directory.fortress.core.model.FortEntity
  getAdminSession, getContextId, getModCode, getModId, getSequenceId, setAdminSession, setContextId, setModCode, setSequenceId

Constructor Detail

PwPolicy
public PwPolicy()
Default constructor is used by internal Fortress classes and not intended for external use.

PwPolicy
public PwPolicy(String name)
Create an instance given a policy name.
Parameters:
  name - the policy name

Method Detail

getName
public String getName()
Get the policy name associated with this instance.
Returns:
  attribute stored as 'cn' in 'pwdPolicy' object class.

setName
public void setName(String name)
Set the required attribute policy name on this entity.
Parameters:
  name - stored as 'cn' in 'pwdPolicy' object class.

getMinAge
public Integer getMinAge()
This optional attribute holds the number of seconds that must elapse between modifications to the password. If this attribute is not present, 0 seconds is assumed.
Returns:
  attribute stored as 'pwdMinAge' in 'pwdPolicy' object class.

setMinAge
public void setMinAge(Integer minAge)
This optional attribute holds the number of seconds that must elapse between modifications to the password. If this attribute is not present, 0 seconds is assumed.
Parameters:
  minAge - stored as 'pwdMinAge' in 'pwdPolicy' object class.

getMaxAge
public Long getMaxAge()
This optional attribute holds the number of seconds after which a modified password will expire. If this attribute is not present, or if the value is 0, the password does not expire. If not 0, the value must be greater than or equal to the value of pwdMinAge.
Returns:
  attribute stored as 'pwdMaxAge' in 'pwdPolicy' object class.

setMaxAge
public void setMaxAge(Long maxAge)
This optional attribute holds the number of seconds after which a modified password will expire. If this attribute is not present, or if the value is 0, the password does not expire. If not 0, the value must be greater than or equal to the value of pwdMinAge.
Parameters:
  maxAge - attribute stored as 'pwdMaxAge' in 'pwdPolicy' object class.

getInHistory
public Short getInHistory()
This optional attribute specifies the maximum number of used passwords stored in the pwdHistory attribute. If this attribute is not present, or if the value is 0, used passwords are not stored in the pwdHistory attribute and thus may be reused.
Returns:
  attribute stored as 'pwdInHistory' in 'pwdPolicy' object class.

setInHistory
public void setInHistory(Short inHistory)
This optional attribute specifies the maximum number of used passwords stored in the pwdHistory attribute. If this attribute is not present, or if the value is 0, used passwords are not stored in the pwdHistory attribute and thus may be reused.
Parameters:
  inHistory - attribute stored as 'pwdInHistory' in 'pwdPolicy' object class.

getCheckQuality
public Short getCheckQuality()
This optional attribute is not currently supported by Fortress. This attribute indicates how the password quality will be verified while being modified or added. If this attribute is not present, or if the value is '0', quality checking will not be enforced. A value of '1' indicates that the server will check the quality, and if the server is unable to check it (due to a hashed password or other reasons) it will be accepted. A value of '2' indicates that the server will check the quality, and if the server is unable to verify it, it will return an error refusing the password.
Returns:
  attribute stored as 'pwdCheckQuality' in 'pwdPolicy' object class.

setCheckQuality
public void setCheckQuality(Short checkQuality)
This optional attribute is not currently supported by Fortress. This attribute indicates how the password quality will be verified while being modified or added. If this attribute is not present, or if the value is '0', quality checking will not be enforced. A value of '1' indicates that the server will check the quality, and if the server is unable to check it (due to a hashed password or other reasons) it will be accepted. A value of '2' indicates that the server will check the quality, and if the server is unable to verify it, it will return an error refusing the password.
Parameters:
  checkQuality - attribute stored as 'pwdCheckQuality' in 'pwdPolicy' object class.

getMinLength
public Short getMinLength()
When quality checking is enabled, this optional attribute holds the minimum number of characters that must be used in a password. If this attribute is not present, no minimum password length will be enforced. If the server is unable to check the length (due to a hashed password or otherwise), the server will, depending on the value of the pwdCheckQuality attribute, either accept the password without checking it ('0' or '1') or refuse it ('2').
Returns:
  attribute stored as 'pwdMinLength' in 'pwdPolicy' object class.

setMinLength
public void setMinLength(Short minLength)
When quality checking is enabled, this optional attribute holds the minimum number of characters that must be used in a password. If this attribute is not present, no minimum password length will be enforced. If the server is unable to check the length (due to a hashed password or otherwise), the server will, depending on the value of the pwdCheckQuality attribute, either accept the password without checking it ('0' or '1') or refuse it ('2').
Parameters:
  minLength - attribute stored as 'pwdMinLength' in 'pwdPolicy' object class.

getExpireWarning
public Long getExpireWarning()
This optional attribute specifies the maximum number of seconds before a password is due to expire that expiration warning messages will be returned to an authenticating user. If this attribute is not present, or if the value is 0, no warnings will be returned. If not 0, the value must be smaller than the value of the pwdMaxAge attribute.
Returns:
  attribute stored as 'pwdExpireWarning' in 'pwdPolicy' object class.

setExpireWarning
public void setExpireWarning(Long expireWarning)
This optional attribute specifies the maximum number of seconds before a password is due to expire that expiration warning messages will be returned to an authenticating user. If this attribute is not present, or if the value is 0, no warnings will be returned. If not 0, the value must be smaller than the value of the pwdMaxAge attribute.
Parameters:
  expireWarning - attribute stored as 'pwdExpireWarning' in 'pwdPolicy' object class.

getGraceLoginLimit
public Short getGraceLoginLimit()
This optional attribute specifies the number of times an expired password can be used to authenticate. If this attribute is not present, or if the value is 0, authentication will fail.
Returns:
  attribute stored as 'pwdGraceAuthNLimit' in 'pwdPolicy' object class.

setGraceLoginLimit
public void setGraceLoginLimit(Short graceLoginLimit)
This optional attribute specifies the number of times an expired password can be used to authenticate. If this attribute is not present, or if the value is 0, authentication will fail.
Parameters:
  graceLoginLimit - attribute stored as 'pwdGraceAuthNLimit' in 'pwdPolicy' object class.

getLockout
public Boolean getLockout()
This optional attribute indicates, when its value is "TRUE", that the password may not be used to authenticate after a specified number of consecutive failed bind attempts. The maximum number of consecutive failed bind attempts is specified in pwdMaxFailure. If this attribute is not present, or if the value is "FALSE", the password may still be used to authenticate after the number of failed bind attempts has been reached.
Returns:
  attribute stored as 'pwdLockout' in 'pwdPolicy' object class.

setLockout
public void setLockout(Boolean lockout)
This optional attribute indicates, when its value is "TRUE", that the password may not be used to authenticate after a specified number of consecutive failed bind attempts. The maximum number of consecutive failed bind attempts is specified in pwdMaxFailure. If this attribute is not present, or if the value is "FALSE", the password may still be used to authenticate after the number of failed bind attempts has been reached.
Parameters:
  lockout - attribute stored as 'pwdLockout' in 'pwdPolicy' object class.

getLockoutDuration
public Integer getLockoutDuration()
This optional attribute holds the number of seconds that the password cannot be used to authenticate due to too many failed bind attempts. If this attribute is not present, or if the value is 0, the password cannot be used to authenticate until reset by a password administrator.
Returns:
  attribute stored as 'pwdLockoutDuration' in 'pwdPolicy' object class.

setLockoutDuration
public void setLockoutDuration(Integer lockoutDuration)
This optional attribute holds the number of seconds that the password cannot be used to authenticate due to too many failed bind attempts. If this attribute is not present, or if the value is 0, the password cannot be used to authenticate until reset by a password administrator.
Parameters:
  lockoutDuration - attribute stored as 'pwdLockoutDuration' in 'pwdPolicy' object class.

getMaxFailure
public Short getMaxFailure()
This optional attribute specifies the number of consecutive failed bind attempts after which the password may not be used to authenticate. If this attribute is not present, or if the value is 0, this policy is not checked, and the value of pwdLockout will be ignored.
Returns:
  attribute stored as 'pwdMaxFailure' in 'pwdPolicy' object class.

setMaxFailure
public void setMaxFailure(Short maxFailure)
This optional attribute specifies the number of consecutive failed bind attempts after which the password may not be used to authenticate. If this attribute is not present, or if the value is 0, this policy is not checked, and the value of pwdLockout will be ignored.
Parameters:
  maxFailure - attribute stored as 'pwdMaxFailure' in 'pwdPolicy' object class.

getFailureCountInterval
public Short getFailureCountInterval()
This optional attribute holds the number of seconds after which the password failures are purged from the failure counter, even though no successful authentication occurred. If this attribute is not present, or if its value is 0, the failure counter is only reset by a successful authentication.
Returns:
  attribute stored as 'pwdFailureCountInterval' in 'pwdPolicy' object class.

setFailureCountInterval
public void setFailureCountInterval(Short failureCountInterval)
This optional attribute holds the number of seconds after which the password failures are purged from the failure counter, even though no successful authentication occurred. If this attribute is not present, or if its value is 0, the failure counter is only reset by a successful authentication.
Parameters:
  failureCountInterval - attribute stored as 'pwdFailureCountInterval' in 'pwdPolicy' object class.

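The lockout rules described for pwdLockout, pwdLockoutDuration, pwdMaxFailure and pwdFailureCountInterval, together with the ordering constraints stated for pwdMaxAge and pwdExpireWarning, as an added Python example that is not part of Fortress or this Javadoc: it evaluates one bind attempt against a policy and reports which stated constraints a policy breaks. The names PpolicySettings, AccountState, bind and validate and all sample values are constructed for illustration; only the pwd* attribute names come from the page, and the per-account bookkeeping is a simplified model of the server's pwdFailureTime/pwdAccountLockedTime handling, not the server's own logic.

```python
# Added example, not Fortress code: a model of the ppolicy lockout rules that
# PwPolicy carries into the directory. PpolicySettings, AccountState, bind and
# validate are constructed names; only the pwd* attribute names come from the page.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PpolicySettings:
    name: str
    pwdMaxFailure: int = 0            # 0: failures not counted, pwdLockout ignored
    pwdLockout: bool = False          # TRUE: lock after pwdMaxFailure failures
    pwdLockoutDuration: int = 0       # seconds; 0: locked until an administrator resets
    pwdFailureCountInterval: int = 0  # seconds; 0: counter reset only by a successful bind
    pwdMinAge: int = 0                # seconds that must elapse between password changes
    pwdMaxAge: int = 0                # seconds until expiry; 0: never expires
    pwdExpireWarning: int = 0         # seconds before expiry that warnings start; 0: none


def validate(p: PpolicySettings) -> List[str]:
    """Return the ordering rules from the attribute descriptions that p breaks."""
    errors = []
    if p.pwdMaxAge != 0 and p.pwdMaxAge < p.pwdMinAge:
        errors.append("pwdMaxAge must be greater than or equal to pwdMinAge when not 0")
    if p.pwdExpireWarning != 0 and p.pwdExpireWarning >= p.pwdMaxAge:
        errors.append("pwdExpireWarning must be smaller than pwdMaxAge when not 0")
    return errors


@dataclass
class AccountState:
    # Simplified stand-ins for the operational attributes the server keeps per entry.
    failure_times: List[int] = field(default_factory=list)  # like pwdFailureTime
    locked_at: Optional[int] = None                         # like pwdAccountLockedTime


def bind(p: PpolicySettings, s: AccountState, now: int, password_ok: bool) -> str:
    """Evaluate one bind at time `now` (seconds); returns 'ok', 'failed' or 'locked'."""
    # An existing lock wins even over a correct password. pwdLockoutDuration == 0
    # means the lock never expires on its own (administrator reset required).
    if s.locked_at is not None:
        if p.pwdLockoutDuration == 0 or now < s.locked_at + p.pwdLockoutDuration:
            return "locked"
        s.locked_at = None          # lock expired
        s.failure_times.clear()
    # pwdFailureCountInterval purges old failures even without a successful bind.
    if p.pwdFailureCountInterval != 0:
        s.failure_times = [t for t in s.failure_times
                           if now - t < p.pwdFailureCountInterval]
    if password_ok:
        s.failure_times.clear()     # a successful bind always resets the counter
        return "ok"
    # With pwdMaxFailure == 0 the failure is not counted and pwdLockout is ignored.
    if p.pwdMaxFailure != 0:
        s.failure_times.append(now)
        if p.pwdLockout and len(s.failure_times) >= p.pwdMaxFailure:
            s.locked_at = now
            return "locked"
    return "failed"
```

Note that with pwdLockout set but pwdLockoutDuration left at 0, the third failed bind in the first scenario leaves the account locked for a correct password as well, until an administrator intervenes.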
getMustChange
public Boolean getMustChange()
This optional attribute specifies with a value of "TRUE" that users must change their passwords when they first bind to the directory after a password is set or reset by a password administrator. If this attribute is not present, or if the value is "FALSE", users are not required to change their password upon binding after the password administrator sets or resets the password. This attribute is not set due to any actions specified by this document; it is typically set by a password administrator after resetting a user's password.
Returns:
  attribute stored as 'pwdMustChange' in 'pwdPolicy' object class.

setMustChange
public void setMustChange(Boolean mustChange)
This optional attribute specifies with a value of "TRUE" that users must change their passwords when they first bind to the directory after a password is set or reset by a password administrator. If this attribute is not present, or if the value is "FALSE", users are not required to change their password upon binding after the password administrator sets or resets the password. This attribute is not set due to any actions specified by this document; it is typically set by a password administrator after resetting a user's password.
Parameters:
  mustChange - attribute stored as 'pwdMustChange' in 'pwdPolicy' object class.

getAllowUserChange
public Boolean getAllowUserChange()
This optional attribute indicates whether users can change their own passwords, although the change operation is still subject to access control. If this attribute is not present, a value of "TRUE" is assumed. This attribute is intended to be used in the absence of an access control mechanism.
Returns:
  attribute stored as 'pwdAllowUserChange' in 'pwdPolicy' object class.

setAllowUserChange
public void setAllowUserChange(Boolean allowUserChange)
This optional attribute indicates whether users can change their own passwords, although the change operation is still subject to access control. If this attribute is not present, a value of "TRUE" is assumed. This attribute is intended to be used in the absence of an access control mechanism.
Parameters:
  allowUserChange - attribute stored as 'pwdAllowUserChange' in 'pwdPolicy' object class.

getSafeModify
public Boolean getSafeModify()
This optional attribute specifies whether or not the existing password must be sent along with the new password when being changed. If this attribute is not present, a "FALSE" value is assumed.
Returns:
  attribute stored as 'pwdSafeModify' in 'pwdPolicy' object class.

setSafeModify
public void setSafeModify(Boolean safeModify)
This optional attribute specifies whether or not the existing password must be sent along with the new password when being changed. If this attribute is not present, a "FALSE" value is assumed.
Parameters:
  safeModify - attribute stored as 'pwdSafeModify' in 'pwdPolicy' object class.

equals
public boolean equals(Object thatObj)
Matches the name from two PwPolicy entities.

toString
public String toString()
Overrides:
  toString in class Object
See Also:
  Object.toString()