Class PwPolicyMgrImpl

  • All Implemented Interfaces:
    Manageable, PwPolicyMgr

    public class PwPolicyMgrImpl
    extends Manageable
    implements PwPolicyMgr
    This class is used to perform administrative and review functions on the PWPOLICIES and USERS data sets.

    Password Policies

    OpenLDAP and ApacheDS support the IETF draft Password Policies for LDAP directories. Policies may be applied at the user, group or global level.

    Password enforcement options include:

    1. A configurable limit on failed authentication attempts.
    2. A counter to track the number of failed authentication attempts.
    3. A time frame in which the limit of consecutive failed authentication attempts must happen before action is taken.
    4. The action to be taken when the limit is reached. The action will either be nothing, or the account will be locked.
    5. An amount of time the account is locked (if it is to be locked). This can be indefinite.
    6. Password expiration.
    7. Expiration warning.
    8. Grace authentications.
    9. Password history.
    10. Password minimum age.
    11. Password minimum length.
    12. Password change after reset.
    13. Safe modification of password.

    This class is NOT thread safe if parent instance variables (Manageable.contextId or Manageable.adminSess) are set.

    Author:
    Apache Directory Project
    • Constructor Detail

      • PwPolicyMgrImpl

        public PwPolicyMgrImpl()
    • Method Detail

      • add

        public void add(PwPolicy policy)
                 throws SecurityException
        This method will add a new policy entry to the POLICIES data set. This command is valid if and only if the policy entry is not already present in the POLICIES data set.

        required parameters

        • PwPolicy.name - Maps to name attribute of pwdPolicy object class being added.

        optional parameters

        • PwPolicy.minAge - This attribute holds the number of seconds that must elapse between modifications to the password. If this attribute is not present, 0 seconds is assumed.
        • PwPolicy.maxAge - This attribute holds the number of seconds after which a modified password will expire. If this attribute is not present, or if the value is 0 the password does not expire. If not 0, the value must be greater than or equal to the value of the pwdMinAge.
        • PwPolicy.inHistory - This attribute specifies the maximum number of used passwords stored in the pwdHistory attribute. If this attribute is not present, or if the value is 0, used passwords are not stored in the pwdHistory attribute and thus may be reused.
        • PwPolicy.minLength - When quality checking is enabled, this attribute holds the minimum number of characters that must be used in a password. If this attribute is not present, no minimum password length will be enforced. If the server is unable to check the length (due to a hashed password or otherwise), the server will, depending on the value of the pwdCheckQuality attribute, either accept the password without checking it ('0' or '1') or refuse it ('2').
        • PwPolicy.expireWarning - This attribute specifies the maximum number of seconds before a password is due to expire that expiration warning messages will be returned to an authenticating user. If this attribute is not present, or if the value is 0 no warnings will be returned. If not 0, the value must be smaller than the value of the pwdMaxAge attribute.
        • PwPolicy.graceLoginLimit - This attribute specifies the number of times an expired password can be used to authenticate. If this attribute is not present or if the value is 0, authentication will fail.
        • PwPolicy.lockout - This attribute indicates, when its value is "TRUE", that the password may not be used to authenticate after a specified number of consecutive failed bind attempts. The maximum number of consecutive failed bind attempts is specified in pwdMaxFailure. If this attribute is not present, or if the value is "FALSE", the password may be used to authenticate when the number of failed bind attempts has been reached.
        • PwPolicy.lockoutDuration - This attribute holds the number of seconds that the password cannot be used to authenticate due to too many failed bind attempts. If this attribute is not present, or if the value is 0 the password cannot be used to authenticate until reset by a password administrator.
        • PwPolicy.maxFailure - This attribute specifies the number of consecutive failed bind attempts after which the password may not be used to authenticate. If this attribute is not present, or if the value is 0, this policy is not checked, and the value of pwdLockout will be ignored.
        • PwPolicy.failureCountInterval - This attribute holds the number of seconds after which the password failures are purged from the failure counter, even though no successful authentication occurred. If this attribute is not present, or if its value is 0, the failure counter is only reset by a successful authentication.
        • PwPolicy.mustChange - This attribute specifies with a value of "TRUE" that users must change their passwords when they first bind to the directory after a password is set or reset by a password administrator. If this attribute is not present, or if the value is "FALSE", users are not required to change their password upon binding after the password administrator sets or resets the password. This attribute is not set due to any actions specified by this document, it is typically set by a password administrator after resetting a user's password.
        • PwPolicy.allowUserChange - This attribute indicates whether users can change their own passwords, although the change operation is still subject to access control. If this attribute is not present, a value of "TRUE" is assumed. This attribute is intended to be used in the absence of an access control mechanism.
        • PwPolicy.safeModify - This attribute specifies whether or not the existing password must be sent along with the new password when being changed. If this attribute is not present, a "FALSE" value is assumed.
        • PwPolicy.checkQuality - This attribute indicates how the password quality will be verified while being modified or added. If this attribute is not present, or if the value is '0', quality checking will not be enforced. A value of '1' indicates that the server will check the quality, and if the server is unable to check it (due to a hashed password or other reasons) it will be accepted. A value of '2' indicates that the server will check the quality, and if the server is unable to verify it, it will return an error refusing the password.
        • PwPolicy.attribute - This holds the name of the attribute to which the password policy is applied. For example, the password policy may be applied to the userPassword attribute
        Specified by:
        add in interface PwPolicyMgr
        Parameters:
        policy - Object must contain PwPolicy.name and optionally other attributes.
        Throws:
        SecurityException - In the event of data validation or system error.
      • update

        public void update(PwPolicy policy)
                    throws SecurityException
        This method will update an existing policy entry in the POLICIES data set. This command is valid if and only if the policy entry is already present in the POLICIES data set.

        required parameters

        • PwPolicy.name - Maps to name attribute of pwdPolicy object class being updated.

        optional parameters

        • PwPolicy.minAge - This attribute holds the number of seconds that must elapse between modifications to the password. If this attribute is not present, 0 seconds is assumed.
        • PwPolicy.maxAge - This attribute holds the number of seconds after which a modified password will expire. If this attribute is not present, or if the value is 0 the password does not expire. If not 0, the value must be greater than or equal to the value of the pwdMinAge.
        • PwPolicy.inHistory - This attribute specifies the maximum number of used passwords stored in the pwdHistory attribute. If this attribute is not present, or if the value is 0, used passwords are not stored in the pwdHistory attribute and thus may be reused.
        • PwPolicy.minLength - When quality checking is enabled, this attribute holds the minimum number of characters that must be used in a password. If this attribute is not present, no minimum password length will be enforced. If the server is unable to check the length (due to a hashed password or otherwise), the server will, depending on the value of the pwdCheckQuality attribute, either accept the password without checking it ('0' or '1') or refuse it ('2').
        • PwPolicy.expireWarning - This attribute specifies the maximum number of seconds before a password is due to expire that expiration warning messages will be returned to an authenticating user. If this attribute is not present, or if the value is 0 no warnings will be returned. If not 0, the value must be smaller than the value of the pwdMaxAge attribute.
        • PwPolicy.graceLoginLimit - This attribute specifies the number of times an expired password can be used to authenticate. If this attribute is not present or if the value is 0, authentication will fail.
        • PwPolicy.lockout - This attribute indicates, when its value is "TRUE", that the password may not be used to authenticate after a specified number of consecutive failed bind attempts. The maximum number of consecutive failed bind attempts is specified in pwdMaxFailure. If this attribute is not present, or if the value is "FALSE", the password may be used to authenticate when the number of failed bind attempts has been reached.
        • PwPolicy.lockoutDuration - This attribute holds the number of seconds that the password cannot be used to authenticate due to too many failed bind attempts. If this attribute is not present, or if the value is 0 the password cannot be used to authenticate until reset by a password administrator.
        • PwPolicy.maxFailure - This attribute specifies the number of consecutive failed bind attempts after which the password may not be used to authenticate. If this attribute is not present, or if the value is 0, this policy is not checked, and the value of pwdLockout will be ignored.
        • PwPolicy.failureCountInterval - This attribute holds the number of seconds after which the password failures are purged from the failure counter, even though no successful authentication occurred. If this attribute is not present, or if its value is 0, the failure counter is only reset by a successful authentication.
        • PwPolicy.mustChange - This attribute specifies with a value of "TRUE" that users must change their passwords when they first bind to the directory after a password is set or reset by a password administrator. If this attribute is not present, or if the value is "FALSE", users are not required to change their password upon binding after the password administrator sets or resets the password. This attribute is not set due to any actions specified by this document, it is typically set by a password administrator after resetting a user's password.
        • PwPolicy.allowUserChange - This attribute indicates whether users can change their own passwords, although the change operation is still subject to access control. If this attribute is not present, a value of "TRUE" is assumed. This attribute is intended to be used in the absence of an access control mechanism.
        • PwPolicy.safeModify - This attribute specifies whether or not the existing password must be sent along with the new password when being changed. If this attribute is not present, a "FALSE" value is assumed.
        • PwPolicy.checkQuality - This attribute indicates how the password quality will be verified while being modified or added. If this attribute is not present, or if the value is '0', quality checking will not be enforced. A value of '1' indicates that the server will check the quality, and if the server is unable to check it (due to a hashed password or other reasons) it will be accepted. A value of '2' indicates that the server will check the quality, and if the server is unable to verify it, it will return an error refusing the password.
        • PwPolicy.attribute - This holds the name of the attribute to which the password policy is applied. For example, the password policy may be applied to the userPassword attribute
        Specified by:
        update in interface PwPolicyMgr
        Parameters:
        policy - Object must contain PwPolicy.name; any other non-null attributes will be updated, and null attributes will be ignored.
        Throws:
        SecurityException - In the event policy not found, data validation or system error.
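        The parameter lists for add() and update() above state the constraints between policy attributes (maxAge >= minAge, expireWarning < maxAge) and the lockout semantics of pwdMaxFailure, pwdFailureCountInterval and pwdLockoutDuration. The following is an added example, not Fortress or OpenLDAP code: a constructed Python model that validates those constraints and simulates how a failure counter and lock evolve under a given policy, so the effect of each 0 value can be checked offline. Field names, the BindState type and the timestamps are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed model of the pwdPolicy attributes described for add()/update().
# Durations are seconds; 0 disables the feature, as in the draft. Not Fortress code.
@dataclass
class PwPolicy:
    name: str
    min_age: int = 0                  # pwdMinAge
    max_age: int = 0                  # pwdMaxAge, 0 = password never expires
    expire_warning: int = 0           # pwdExpireWarning
    lockout: bool = False             # pwdLockout
    max_failure: int = 0              # pwdMaxFailure, 0 = lockout policy not checked
    lockout_duration: int = 0         # pwdLockoutDuration, 0 = locked until admin reset
    failure_count_interval: int = 0   # pwdFailureCountInterval, 0 = reset only on success

def validate(p: PwPolicy) -> List[str]:
    """Constraints stated in the add()/update() parameter list; empty list means OK."""
    errs = []
    if not p.name:
        errs.append("name is required")
    if p.max_age and p.max_age < p.min_age:
        errs.append("maxAge must be >= minAge")
    if p.expire_warning and p.expire_warning >= p.max_age:
        errs.append("expireWarning must be < maxAge")
    return errs

@dataclass
class BindState:
    """Per-user operational state (hypothetical): failed-bind times and lock time."""
    failure_times: List[int] = field(default_factory=list)
    locked_at: Optional[int] = None

def record_failed_bind(p: PwPolicy, st: BindState, now: int) -> bool:
    """Apply one failed bind at time `now`; return True if the account is now locked."""
    if p.failure_count_interval:  # stale failures are purged even without a success
        st.failure_times = [t for t in st.failure_times if now - t < p.failure_count_interval]
    st.failure_times.append(now)
    # maxFailure == 0 means the policy is not checked and pwdLockout is ignored
    if p.lockout and p.max_failure and len(st.failure_times) >= p.max_failure:
        st.locked_at = now
    return is_locked(p, st, now)

def is_locked(p: PwPolicy, st: BindState, now: int) -> bool:
    if st.locked_at is None:
        return False
    if p.lockout_duration == 0:
        return True  # stays locked until a password administrator resets it
    return now - st.locked_at < p.lockout_duration

def record_successful_bind(st: BindState) -> None:
    """A successful authentication resets the failure counter."""
    st.failure_times.clear()
```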
      • delete

        public void delete(PwPolicy policy)
                    throws SecurityException
        This method will delete an existing policy entry from the POLICIES data set. This command is valid if and only if the policy entry is already present in the POLICIES data set. Existing users that are assigned this policy will be removed from association.

        required parameters

        • PwPolicy.name - Maps to name attribute of pwdPolicy object class being removed.
        Specified by:
        delete in interface PwPolicyMgr
        Parameters:
        policy - Object must contain PwPolicy.name of the policy entity to remove.
        Throws:
        SecurityException - In the event policy entity not found or system error.
      • read

        public PwPolicy read(String name)
                      throws SecurityException
        This method will return the password policy entity to the caller. This command is valid if and only if the policy entry is present in the POLICIES data set.

        required parameters

        • PwPolicy.name - Maps to name attribute of pwdPolicy object class being read.
        Specified by:
        read in interface PwPolicyMgr
        Parameters:
        name - String contains the PwPolicy.name of the policy entity to read.
        Returns:
        PwPolicy entity, returned fully populated with attributes.
        Throws:
        SecurityException - In the event policy entry not found, data validation or system error.
      • search

        public List<PwPolicy> search(String searchVal)
                              throws SecurityException
        This method will return a list of all password policy entities that match a particular search string. This command will return an empty list if no matching entries are found.
        Specified by:
        search in interface PwPolicyMgr
        Parameters:
        searchVal - String contains the leading chars of a policy entity. This search is not case sensitive.
        Returns:
        List<PwPolicy> contains all matching password policy entities. If no records are found this will be empty.
        Throws:
        SecurityException - In the event of data validation or system error.
      • updateUserPolicy

        public void updateUserPolicy(String userId,
                                     String policyName)
                              throws SecurityException
        This method will associate a user entity with a password policy entity. This function is valid if and only if the user is a member of the USERS data set and the policyName refers to a policy that is a member of the PWPOLICIES data set.
        Specified by:
        updateUserPolicy in interface PwPolicyMgr
        Parameters:
        userId - Contains User.userId of a User entity in USERS data set.
        policyName - String contains the PwPolicy.name of a pw policy entity contained within the PWPOLICIES data set.
        Throws:
        SecurityException - Thrown in the event either the user or the policy is not valid, or on system error.
      • deletePasswordPolicy

        public void deletePasswordPolicy(String userId)
                                  throws SecurityException
        This method will remove the pw policy assignment from a user entity. This function is valid if and only if the user is a member of the USERS data set and the policy attribute is assigned. Removal of the pw policy assignment will revert the user's policy to the global default of the OpenLDAP instance that contains the user.
        Specified by:
        deletePasswordPolicy in interface PwPolicyMgr
        Parameters:
        userId - Contains User.userId of a User entity in USERS data set.
        Throws:
        SecurityException - Thrown in the event the user is not valid, or on system error.