Class PwPolicy

  • All Implemented Interfaces:
    Serializable

    public class PwPolicy
    extends FortEntity
    implements Serializable
    This class contains the Password Policy entity, which is used to pass directives into and out of LDAP.
    The unique key used to locate a Policy entity (which is subsequently assigned to Users) is its name.

    Password Policies

    OpenLDAP supports the IETF draft Password Policies for LDAP directories. Policies may be applied at the user, group or global level.

    Password enforcement options include:

    1. A configurable limit on failed authentication attempts.
    2. A counter to track the number of failed authentication attempts.
    3. A time frame in which the limit of consecutive failed authentication attempts must happen before action is taken.
    4. The action to be taken when the limit is reached. The action will either be nothing, or the account will be locked.
    5. An amount of time the account is locked (if it is to be locked). This can be indefinite.
    6. Password expiration.
    7. Expiration warning.
    8. Grace authentications.
    9. Password history.
    10. Password minimum age
    11. Password minimum length
    12. Password Change after Reset
    13. Safe Modification of Password

    Schema

    The OpenLDAP Password Policy entity is a composite of the following structural and aux object classes:

    1. organizationalRole Structural Object Class is used to store basic attributes like cn and description.

     ------------------------------------------
     objectclass ( 2.5.6.14 NAME 'device'
      DESC 'RFC2256: a device'
      SUP top STRUCTURAL
      MUST cn
      MAY (
          serialNumber $ seeAlso $ owner $ ou $ o $ l $ description
      )
     )
     ------------------------------------------
     

    2. pwdPolicy AUXILIARY Object Class is used to store OpenLDAP Password Policies.

     ------------------------------------------
     objectclass ( 1.3.6.1.4.1.42.2.27.8.2.1
      NAME 'pwdPolicy'
      SUP top
      AUXILIARY
      MUST (
          pwdAttribute
      )
      MAY (
          pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $
          pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $
          pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $
          pwdMustChange $ pwdAllowUserChange $ pwdSafeModify
      )
     )
     ------------------------------------------
     

    3. ftMods AUXILIARY Object Class is used to store Fortress audit variables on the target entity.

     ------------------------------------------
     Fortress Audit Modification Auxiliary Object Class
     objectclass ( 1.3.6.1.4.1.38088.3.4
      NAME 'ftMods'
      DESC 'Fortress Modifiers AUX Object Class'
      AUXILIARY
      MAY (
          ftModifier $
          ftModCode $
          ftModId
      )
     )
     ------------------------------------------
     

    Author:
    Apache Directory Project
    See Also:
    Serialized Form
    • Constructor Summary

      Constructors
      Constructor Description
      PwPolicy()
      Default constructor is used by internal Fortress classes and not intended for external use.
      PwPolicy(String name)
      Create instance given a policy name.
    • Method Summary

      Modifier and Type Method Description
      boolean equals(Object thatObj)
      Matches the name from two PwPolicy entities.
      Boolean getAllowUserChange()
      This optional attribute indicates whether users can change their own passwords, although the change operation is still subject to access control.
      Short getCheckQuality()
      This optional attribute is not currently supported by Fortress.
      Long getExpireWarning()
      This optional attribute specifies the maximum number of seconds before a password is due to expire that expiration warning messages will be returned to an authenticating user.
      Short getFailureCountInterval()
      This optional attribute holds the number of seconds after which the password failures are purged from the failure counter, even though no successful authentication occurred.
      Short getGraceLoginLimit()
      This optional attribute specifies the number of times an expired password can be used to authenticate.
      Short getInHistory()
      This optional attribute specifies the maximum number of used passwords stored in the pwdHistory attribute.
      Boolean getLockout()
      This optional attribute indicates, when its value is "TRUE", that the password may not be used to authenticate after a specified number of consecutive failed bind attempts.
      Integer getLockoutDuration()
      This optional attribute holds the number of seconds that the password cannot be used to authenticate due to too many failed bind attempts.
      Long getMaxAge()
      This optional attribute holds the number of seconds after which a modified password will expire.
      Short getMaxFailure()
      This optional attribute specifies the number of consecutive failed bind attempts after which the password may not be used to authenticate.
      Integer getMinAge()
      This optional attribute holds the number of seconds that must elapse between modifications to the password.
      Short getMinLength()
      When quality checking is enabled, this optional attribute holds the minimum number of characters that must be used in a password.
      Boolean getMustChange()
      This optional attribute specifies with a value of "TRUE" that users must change their passwords when they first bind to the directory after a password is set or reset by a password administrator.
      String getName()
      Get the policy name associated with this instance.
      Boolean getSafeModify()
      This optional attribute specifies whether or not the existing password must be sent along with the new password when being changed.
      int hashCode()
      void setAllowUserChange(Boolean allowUserChange)
      This optional attribute indicates whether users can change their own passwords, although the change operation is still subject to access control.
      void setCheckQuality(Short checkQuality)
      This optional attribute is not currently supported by Fortress.
      void setExpireWarning(Long expireWarning)
      This optional attribute specifies the maximum number of seconds before a password is due to expire that expiration warning messages will be returned to an authenticating user.
      void setFailureCountInterval(Short failureCountInterval)
      This optional attribute holds the number of seconds after which the password failures are purged from the failure counter, even though no successful authentication occurred.
      void setGraceLoginLimit(Short graceLoginLimit)
      This optional attribute specifies the number of times an expired password can be used to authenticate.
      void setInHistory(Short inHistory)
      This optional attribute specifies the maximum number of used passwords stored in the pwdHistory attribute.
      void setLockout(Boolean lockout)
      This optional attribute indicates, when its value is "TRUE", that the password may not be used to authenticate after a specified number of consecutive failed bind attempts.
      void setLockoutDuration(Integer lockoutDuration)
      This optional attribute holds the number of seconds that the password cannot be used to authenticate due to too many failed bind attempts.
      void setMaxAge(Long maxAge)
      This optional attribute holds the number of seconds after which a modified password will expire.
      void setMaxFailure(Short maxFailure)
      This optional attribute specifies the number of consecutive failed bind attempts after which the password may not be used to authenticate.
      void setMinAge(Integer minAge)
      This optional attribute holds the number of seconds that must elapse between modifications to the password.
      void setMinLength(Short minLength)
      When quality checking is enabled, this optional attribute holds the minimum number of characters that must be used in a password.
      void setMustChange(Boolean mustChange)
      This optional attribute specifies with a value of "TRUE" that users must change their passwords when they first bind to the directory after a password is set or reset by a password administrator.
      void setName(String name)
      Set the required attribute policy name on this entity.
      void setSafeModify(Boolean safeModify)
      This optional attribute specifies whether or not the existing password must be sent along with the new password when being changed.
      String toString()
    • Constructor Detail

      • PwPolicy

        public PwPolicy()
        Default constructor is used by internal Fortress classes and not intended for external use.
      • PwPolicy

        public PwPolicy(String name)
        Create instance given a policy name.
        Parameters:
        name -
    • Method Detail

      • getName

        public String getName()
        Get the policy name associated with this instance.
        Returns:
        attribute stored as 'cn' in 'pwdPolicy' object class.
      • setName

        public void setName(String name)
        Set the required attribute policy name on this entity.
        Parameters:
        name - stored as 'cn' in 'pwdPolicy' object class.
      • getMinAge

        public Integer getMinAge()
        This optional attribute holds the number of seconds that must elapse between modifications to the password. If this attribute is not present, 0 seconds is assumed.
        Returns:
        attribute stored as 'pwdMinAge' in 'pwdPolicy' object class.
      • setMinAge

        public void setMinAge(Integer minAge)
        This optional attribute holds the number of seconds that must elapse between modifications to the password. If this attribute is not present, 0 seconds is assumed.
        Parameters:
        minAge - stored as 'pwdMinAge' in 'pwdPolicy' object class.
      • getMaxAge

        public Long getMaxAge()
        This optional attribute holds the number of seconds after which a modified password will expire. If this attribute is not present, or if the value is 0, the password does not expire. If not 0, the value must be greater than or equal to the value of pwdMinAge.
        Returns:
        attribute stored as 'pwdMaxAge' in 'pwdPolicy' object class.
      • setMaxAge

        public void setMaxAge(Long maxAge)
        This optional attribute holds the number of seconds after which a modified password will expire. If this attribute is not present, or if the value is 0, the password does not expire. If not 0, the value must be greater than or equal to the value of pwdMinAge.
        Parameters:
        maxAge - attribute stored as 'pwdMaxAge' in 'pwdPolicy' object class.
      • getInHistory

        public Short getInHistory()
        This optional attribute specifies the maximum number of used passwords stored in the pwdHistory attribute. If this attribute is not present, or if the value is 0, used passwords are not stored in the pwdInHistory attribute and thus may be reused.
        Returns:
        attribute stored as 'pwdInHistory' in 'pwdPolicy' object class.
      • setInHistory

        public void setInHistory(Short inHistory)
        This optional attribute specifies the maximum number of used passwords stored in the pwdHistory attribute. If this attribute is not present, or if the value is 0, used passwords are not stored in the pwdInHistory attribute and thus may be reused.
        Parameters:
        inHistory - attribute stored as 'pwdInHistory' in 'pwdPolicy' object class.
      • getCheckQuality

        public Short getCheckQuality()
        This optional attribute is not currently supported by Fortress. This attribute indicates how the password quality will be verified while being modified or added. If this attribute is not present, or if the value is '0', quality checking will not be enforced. A value of '1' indicates that the server will check the quality, and if the server is unable to check it (due to a hashed password or other reasons) it will be accepted. A value of '2' indicates that the server will check the quality, and if the server is unable to verify it, it will return an error refusing the password.
        Returns:
        attribute stored as 'pwdCheckQuality' in 'pwdPolicy' object class.
      • setCheckQuality

        public void setCheckQuality(Short checkQuality)
        This optional attribute is not currently supported by Fortress. This attribute indicates how the password quality will be verified while being modified or added. If this attribute is not present, or if the value is '0', quality checking will not be enforced. A value of '1' indicates that the server will check the quality, and if the server is unable to check it (due to a hashed password or other reasons) it will be accepted. A value of '2' indicates that the server will check the quality, and if the server is unable to verify it, it will return an error refusing the password.
        Parameters:
        checkQuality - attribute stored as 'pwdCheckQuality' in 'pwdPolicy' object class.
      • getMinLength

        public Short getMinLength()
        When quality checking is enabled, this optional attribute holds the minimum number of characters that must be used in a password. If this attribute is not present, no minimum password length will be enforced. If the server is unable to check the length (due to a hashed password or otherwise), the server will, depending on the value of the pwdCheckQuality attribute, either accept the password without checking it ('0' or '1') or refuse it ('2').
        Returns:
        attribute stored as 'pwdMinLength' in 'pwdPolicy' object class.
      • setMinLength

        public void setMinLength(Short minLength)
        When quality checking is enabled, this optional attribute holds the minimum number of characters that must be used in a password. If this attribute is not present, no minimum password length will be enforced. If the server is unable to check the length (due to a hashed password or otherwise), the server will, depending on the value of the pwdCheckQuality attribute, either accept the password without checking it ('0' or '1') or refuse it ('2').
        Parameters:
        minLength - attribute stored as 'pwdMinLength' in 'pwdPolicy' object class.
      • getExpireWarning

        public Long getExpireWarning()
        This optional attribute specifies the maximum number of seconds before a password is due to expire that expiration warning messages will be returned to an authenticating user. If this attribute is not present, or if the value is 0, no warnings will be returned. If not 0, the value must be smaller than the value of the pwdMaxAge attribute.
        Returns:
        attribute stored as 'pwdExpireWarning' in 'pwdPolicy' object class.
      • setExpireWarning

        public void setExpireWarning(Long expireWarning)
        This optional attribute specifies the maximum number of seconds before a password is due to expire that expiration warning messages will be returned to an authenticating user. If this attribute is not present, or if the value is 0, no warnings will be returned. If not 0, the value must be smaller than the value of the pwdMaxAge attribute.
        Parameters:
        expireWarning - attribute stored as 'pwdExpireWarning' in 'pwdPolicy' object class.
      • getGraceLoginLimit

        public Short getGraceLoginLimit()
        This optional attribute specifies the number of times an expired password can be used to authenticate. If this attribute is not present or if the value is 0, authentication will fail.
        Returns:
        attribute stored as 'pwdGraceAuthNLimit' in 'pwdPolicy' object class.
      • setGraceLoginLimit

        public void setGraceLoginLimit(Short graceLoginLimit)
        This optional attribute specifies the number of times an expired password can be used to authenticate. If this attribute is not present or if the value is 0, authentication will fail.
        Parameters:
        graceLoginLimit - attribute stored as 'pwdGraceAuthNLimit' in 'pwdPolicy' object class.
      • getLockout

        public Boolean getLockout()
        This optional attribute indicates, when its value is "TRUE", that the password may not be used to authenticate after a specified number of consecutive failed bind attempts. The maximum number of consecutive failed bind attempts is specified in pwdMaxFailure. If this attribute is not present, or if the value is "FALSE", the password may be used to authenticate when the number of failed bind attempts has been reached.
        Returns:
        attribute stored as 'pwdLockout' in 'pwdPolicy' object class.
      • setLockout

        public void setLockout(Boolean lockout)
        This optional attribute indicates, when its value is "TRUE", that the password may not be used to authenticate after a specified number of consecutive failed bind attempts. The maximum number of consecutive failed bind attempts is specified in pwdMaxFailure. If this attribute is not present, or if the value is "FALSE", the password may be used to authenticate when the number of failed bind attempts has been reached.
        Parameters:
        lockout - attribute stored as 'pwdLockout' in 'pwdPolicy' object class.
      • getLockoutDuration

        public Integer getLockoutDuration()
        This optional attribute holds the number of seconds that the password cannot be used to authenticate due to too many failed bind attempts. If this attribute is not present, or if the value is 0, the password cannot be used to authenticate until reset by a password administrator.
        Returns:
        attribute stored as 'pwdLockoutDuration' in 'pwdPolicy' object class.
      • setLockoutDuration

        public void setLockoutDuration(Integer lockoutDuration)
        This optional attribute holds the number of seconds that the password cannot be used to authenticate due to too many failed bind attempts. If this attribute is not present, or if the value is 0, the password cannot be used to authenticate until reset by a password administrator.
        Parameters:
        lockoutDuration - attribute stored as 'pwdLockoutDuration' in 'pwdPolicy' object class.
      • getMaxFailure

        public Short getMaxFailure()
        This optional attribute specifies the number of consecutive failed bind attempts after which the password may not be used to authenticate. If this attribute is not present, or if the value is 0, this policy is not checked, and the value of pwdLockout will be ignored.
        Returns:
        attribute stored as 'pwdMaxFailure' in 'pwdPolicy' object class.
      • setMaxFailure

        public void setMaxFailure(Short maxFailure)
        This optional attribute specifies the number of consecutive failed bind attempts after which the password may not be used to authenticate. If this attribute is not present, or if the value is 0, this policy is not checked, and the value of pwdLockout will be ignored.
        Parameters:
        maxFailure - attribute stored as 'pwdMaxFailure' in 'pwdPolicy' object class.
      • getFailureCountInterval

        public Short getFailureCountInterval()
        This optional attribute holds the number of seconds after which the password failures are purged from the failure counter, even though no successful authentication occurred. If this attribute is not present, or if its value is 0, the failure counter is only reset by a successful authentication.
        Returns:
        attribute stored as 'pwdFailureCountInterval' in 'pwdPolicy' object class.
      • setFailureCountInterval

        public void setFailureCountInterval(Short failureCountInterval)
        This optional attribute holds the number of seconds after which the password failures are purged from the failure counter, even though no successful authentication occurred. If this attribute is not present, or if its value is 0, the failure counter is only reset by a successful authentication.
        Parameters:
        failureCountInterval - attribute stored as 'pwdFailureCountInterval' in 'pwdPolicy' object class.
      • getMustChange

        public Boolean getMustChange()
        This optional attribute specifies with a value of "TRUE" that users must change their passwords when they first bind to the directory after a password is set or reset by a password administrator. If this attribute is not present, or if the value is "FALSE", users are not required to change their password upon binding after the password administrator sets or resets the password. This attribute is not set due to any actions specified by this document; it is typically set by a password administrator after resetting a user's password.
        Returns:
        attribute stored as 'pwdMustChange' in 'pwdPolicy' object class.
      • setMustChange

        public void setMustChange(Boolean mustChange)
        This optional attribute specifies with a value of "TRUE" that users must change their passwords when they first bind to the directory after a password is set or reset by a password administrator. If this attribute is not present, or if the value is "FALSE", users are not required to change their password upon binding after the password administrator sets or resets the password. This attribute is not set due to any actions specified by this document; it is typically set by a password administrator after resetting a user's password.
        Parameters:
        mustChange - attribute stored as 'pwdMustChange' in 'pwdPolicy' object class.
      • getAllowUserChange

        public Boolean getAllowUserChange()
        This optional attribute indicates whether users can change their own passwords, although the change operation is still subject to access control. If this attribute is not present, a value of "TRUE" is assumed. This attribute is intended to be used in the absence of an access control mechanism.
        Returns:
        attribute stored as 'pwdAllowUserChange' in 'pwdPolicy' object class.
      • setAllowUserChange

        public void setAllowUserChange(Boolean allowUserChange)
        This optional attribute indicates whether users can change their own passwords, although the change operation is still subject to access control. If this attribute is not present, a value of "TRUE" is assumed. This attribute is intended to be used in the absence of an access control mechanism.
        Parameters:
        allowUserChange - attribute stored as 'pwdAllowUserChange' in 'pwdPolicy' object class.
      • getSafeModify

        public Boolean getSafeModify()
        This optional attribute specifies whether or not the existing password must be sent along with the new password when being changed. If this attribute is not present, a "FALSE" value is assumed.
        Returns:
        attribute stored as 'pwdSafeModify' in 'pwdPolicy' object class.
      • setSafeModify

        public void setSafeModify(Boolean safeModify)
        This optional attribute specifies whether or not the existing password must be sent along with the new password when being changed. If this attribute is not present, a "FALSE" value is assumed.
        Parameters:
        safeModify - attribute stored as 'pwdSafeModify' in 'pwdPolicy' object class.
      • equals

        public boolean equals(Object thatObj)
        Matches the name from two PwPolicy entities.
        Overrides:
        equals in class Object
        Parameters:
        thatObj - contains a Role entity.
        Returns:
        boolean indicating both objects contain matching PwPolicy names.
      • hashCode

        public int hashCode()
        Overrides:
        hashCode in class Object
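The attribute descriptions above state several cross-attribute rules (pwdMaxAge versus pwdMinAge, pwdExpireWarning versus pwdMaxAge, pwdLockout depending on pwdMaxFailure, pwdMinLength depending on pwdCheckQuality, and 0 meaning "indefinite" for pwdLockoutDuration). The following is an added example, not code from Fortress or OpenLDAP, that models those rules in Python over the pwdPolicy attribute set from the schema section and checks a constructed weak entry against a hardened one; the LDIF fragments, names and values are constructed placeholders.

```python
# Constructed example (not Fortress or OpenLDAP code): check pwdPolicy entries against the rules above.
INT_ATTRS = {"pwdMinAge", "pwdMaxAge", "pwdInHistory", "pwdCheckQuality", "pwdMinLength",
             "pwdExpireWarning", "pwdGraceAuthNLimit", "pwdLockoutDuration",
             "pwdMaxFailure", "pwdFailureCountInterval"}
BOOL_ATTRS = {"pwdLockout", "pwdMustChange", "pwdAllowUserChange", "pwdSafeModify"}
# Constructed sample entry fragments; the values are placeholders, not from the page.
WEAK_POLICY = """
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMinAge: 86400
pwdMaxAge: 3600
pwdExpireWarning: 7200
pwdLockout: TRUE
pwdMaxFailure: 0
pwdMinLength: 12
"""
HARDENED_POLICY = """
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMinAge: 3600
pwdMaxAge: 7776000
pwdExpireWarning: 604800
pwdCheckQuality: 2
pwdMinLength: 12
pwdLockout: TRUE
pwdMaxFailure: 5
pwdLockoutDuration: 900
"""
def parse_ldif_entry(ldif: str) -> dict:
    """Parse one LDIF entry into a dict, typing pwdPolicy attributes as int/bool."""
    entry: dict = {}
    for line in ldif.strip().splitlines():
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name in INT_ATTRS:
            entry[name] = int(value)
        elif name in BOOL_ATTRS:
            entry[name] = value.upper() == "TRUE"
        elif name == "objectClass":
            entry.setdefault("objectClass", []).append(value)
        else:
            entry[name] = value
    return entry

def validate(entry: dict) -> list:
    """Return the rules from the attribute descriptions that this entry breaks."""
    problems = []
    if "pwdPolicy" not in entry.get("objectClass", []):
        problems.append("entry lacks the pwdPolicy object class")
    if "pwdAttribute" not in entry:
        problems.append("pwdAttribute is MUST for pwdPolicy")
    min_age, max_age = entry.get("pwdMinAge", 0), entry.get("pwdMaxAge", 0)
    warning = entry.get("pwdExpireWarning", 0)
    if max_age and max_age < min_age:
        problems.append("pwdMaxAge must be >= pwdMinAge when non-zero")
    if warning and warning >= max_age:
        problems.append("pwdExpireWarning must be smaller than pwdMaxAge")
    if entry.get("pwdLockout") and not entry.get("pwdMaxFailure", 0):
        problems.append("pwdLockout is ignored because pwdMaxFailure is absent or 0")
    if entry.get("pwdMinLength") and not entry.get("pwdCheckQuality", 0):
        problems.append("pwdMinLength is only enforced when pwdCheckQuality is non-zero")
    return problems

def lockout_behaviour(entry: dict) -> str:
    """Describe the outcome once pwdMaxFailure consecutive failed binds have occurred."""
    if not entry.get("pwdLockout") or not entry.get("pwdMaxFailure", 0):
        return "no lockout"
    duration = entry.get("pwdLockoutDuration", 0)  # 0 means locked until an admin resets it
    return f"locked for {duration} seconds" if duration else "locked until reset by an administrator"
```

The weak entry trips all four cross-attribute rules and, despite pwdLockout being TRUE, never locks because pwdMaxFailure is 0; the hardened entry passes and locks for 900 seconds after five consecutive failures.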