SubentryPasswordPolicy.java revision ea1068c292e9b341af6d6b563cd8988a96be20a9
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at legal-notices/CDDLv1_0.txt.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information:
* Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*
*
* Copyright 2010 Sun Microsystems, Inc.
* Portions Copyright 2011-2015 ForgeRock AS.
*/
/**
* This class represents subentry password policy based on Password Policy for
* LDAP Directories Internet-Draft. In order to represent subentry password
* policies as OpenDJ password policies it performs a mapping of Draft defined
* attributes to OpenDJ implementation specific attributes. Any missing
* attributes are inherited from server default password policy. This class is
* also responsible for any Draft attributes validation ie making sure that
* provided values are acceptable and within the predefined range.
*/
public final class SubentryPasswordPolicy extends PasswordPolicy
{
// Password Policy Subentry draft attributes.
private static final String PWD_ATTR_FAILURECOUNTINTERVAL =
"pwdfailurecountinterval";
/** Password Policy Subentry DN. */
private final DN passwordPolicySubentryDN;
/** The value of the "allow-user-password-changes" property. */
private final Boolean pAllowUserPasswordChanges;
/** The value of the "force-change-on-reset" property. */
private final Boolean pForceChangeOnReset;
/** The value of the "grace-login-count" property. */
private final Integer pGraceLoginCount;
/** The value of the "lockout-duration" property. */
private final Long pLockoutDuration;
/** The value of the "lockout-failure-count" property. */
private final Integer pLockoutFailureCount;
/** The value of the "lockout-failure-expiration-interval" property. */
private final Long pLockoutFailureExpirationInterval;
/** The value of the "max-password-age" property. */
private final Long pMaxPasswordAge;
/** The value of the "min-password-age" property. */
private final Long pMinPasswordAge;
/** The value of the "password-attribute" property. */
private final AttributeType pPasswordAttribute;
/** The value of the "password-change-requires-current-password" property. */
private final Boolean pPasswordChangeRequiresCurrentPassword;
/** The value of the "password-expiration-warning-interval" property. */
private final Long pPasswordExpirationWarningInterval;
/** The value of the "password-history-count" property. */
private final Integer pPasswordHistoryCount;
/** Indicates if the password attribute uses auth password syntax. */
private final Boolean pAuthPasswordSyntax;
/** The set of password validators if any. */
/** Used when logging errors due to invalid validator reference. */
/**
* Returns the global default password policy which will be used for deriving
* the default properties of sub-entries.
*/
private PasswordPolicy getDefaultPasswordPolicy()
{
return DirectoryServer.getDefaultPasswordPolicy();
}
/**
* Creates subentry password policy object from the subentry, parsing and
* evaluating subentry password policy attributes.
*
* @param subentry
* password policy subentry.
* @throws DirectoryException
* If a problem occurs while creating subentry password policy
* instance from given subentry.
*/
{
// Determine if this is a password policy subentry.
if (pwdPolicyOC == null)
{
// This should not happen -- The server doesn't
// have a pwdPolicy objectclass defined.
if (logger.isTraceEnabled())
{
}
{
{
break;
}
}
}
{
}
// Subentry DN for this password policy.
// Get known Password Policy draft attributes from the entry.
// If any given attribute is missing or empty set its value
// from default Password Policy configuration.
{
this.pPasswordAttribute =
if (this.pPasswordAttribute == null)
{
}
// Check the syntax.
{
pAuthPasswordSyntax = true;
}
{
pAuthPasswordSyntax = false;
}
else
{
{
}
}
}
else
{
this.pPasswordAttribute = null;
this.pAuthPasswordSyntax = null;
}
this.pPasswordHistoryCount =
// This one is managed via the password validator
// so only check if its value is acceptable.
// This one is managed via the password validator
// so only check if its value is acceptable.
// This one depends on lockout failure count value
// so only check if its value is acceptable.
this.pGraceLoginCount =
this.pLockoutFailureCount =
// Now check for the pwdValidatorPolicy OC and its attribute.
// Determine if this is a password validator policy object class.
if (pwdValidatorPolicyOC != null &&
{
{
{
{
{
ERR_PWPOLICY_UNKNOWN_VALIDATOR.get(this.passwordPolicySubentryDN, validatorDN, PWD_ATTR_VALIDATOR));
}
}
}
}
}
}
throws DirectoryException
{
{
{
}
}
return null;
}
throws DirectoryException
{
{
try
{
return result;
}
catch (NumberFormatException ne)
{
ne.getLocalizedMessage()));
}
}
return null;
}
{
{
try
{
return result;
}
catch (NumberFormatException ne)
{
ne.getLocalizedMessage()));
}
}
return null;
}
/**
* Helper method to validate integer values.
*
* @param attrName
* integer attribute name.
* @param attrValue
* integer value to validate.
* @param lowerBound
* lowest acceptable value.
* @param upperBound
* highest acceptable value.
* @throws DirectoryException
* if the value is out of bounds.
*/
{
if (attrValue < lowerBound)
{
lowerBound));
}
if (attrValue > upperBound)
{
upperBound));
}
}
/**
* Helper method to retrieve an attribute value from given entry.
*
* @param entry
* the entry to retrieve an attribute value from.
* @param pwdAttrName
* attribute name to retrieve the value for.
* @return <CODE>String</CODE> or <CODE>null</CODE>.
*/
{
true);
{
{
{
}
}
}
return null;
}
/** {@inheritDoc} */
public boolean isAllowExpiredPasswordChanges()
{
}
/** {@inheritDoc} */
public boolean isAllowMultiplePasswordValues()
{
}
/** {@inheritDoc} */
public boolean isAllowPreEncodedPasswords()
{
return getDefaultPasswordPolicy().isAllowPreEncodedPasswords();
}
/** {@inheritDoc} */
public boolean isAllowUserPasswordChanges()
{
}
/** {@inheritDoc} */
public boolean isExpirePasswordsWithoutWarning()
{
}
/** {@inheritDoc} */
public boolean isForceChangeOnAdd()
{
// Don't use pwdMustChange since the password provided when the entry was
// added may have been provided by the user. See OPENDJ-341.
return getDefaultPasswordPolicy().isForceChangeOnAdd();
}
/** {@inheritDoc} */
public boolean isForceChangeOnReset()
{
}
/** {@inheritDoc} */
public int getGraceLoginCount()
{
}
/** {@inheritDoc} */
public long getIdleLockoutInterval()
{
return getDefaultPasswordPolicy().getIdleLockoutInterval();
}
/** {@inheritDoc} */
public AttributeType getLastLoginTimeAttribute()
{
return getDefaultPasswordPolicy().getLastLoginTimeAttribute();
}
/** {@inheritDoc} */
public String getLastLoginTimeFormat()
{
return getDefaultPasswordPolicy().getLastLoginTimeFormat();
}
/** {@inheritDoc} */
public long getLockoutDuration()
{
}
/** {@inheritDoc} */
public int getLockoutFailureCount()
{
}
/** {@inheritDoc} */
public long getLockoutFailureExpirationInterval()
{
return pLockoutFailureExpirationInterval != null ?
}
/** {@inheritDoc} */
public long getMaxPasswordAge()
{
}
/** {@inheritDoc} */
public long getMaxPasswordResetAge()
{
return getDefaultPasswordPolicy().getMaxPasswordResetAge();
}
/** {@inheritDoc} */
public long getMinPasswordAge()
{
}
/** {@inheritDoc} */
public AttributeType getPasswordAttribute()
{
}
/** {@inheritDoc} */
public boolean isPasswordChangeRequiresCurrentPassword()
{
return pPasswordChangeRequiresCurrentPassword != null ?
}
/** {@inheritDoc} */
public long getPasswordExpirationWarningInterval()
{
return pPasswordExpirationWarningInterval != null ?
}
/** {@inheritDoc} */
public int getPasswordHistoryCount()
{
}
/** {@inheritDoc} */
public long getPasswordHistoryDuration()
{
return getDefaultPasswordPolicy().getPasswordHistoryDuration();
}
/** {@inheritDoc} */
{
}
/** {@inheritDoc} */
public long getRequireChangeByTime()
{
return getDefaultPasswordPolicy().getRequireChangeByTime();
}
/** {@inheritDoc} */
public boolean isRequireSecureAuthentication()
{
}
/** {@inheritDoc} */
public boolean isRequireSecurePasswordChanges()
{
}
/** {@inheritDoc} */
public boolean isSkipValidationForAdministrators()
{
}
/** {@inheritDoc} */
{
return getDefaultPasswordPolicy().getStateUpdateFailurePolicy();
}
/** {@inheritDoc} */
public boolean isAuthPasswordSyntax()
{
}
/** {@inheritDoc} */
{
}
/** {@inheritDoc} */
{
}
/** {@inheritDoc} */
{
return passwordPolicySubentryDN;
}
/** {@inheritDoc} */
{
}
/** {@inheritDoc} */
{
}
/** {@inheritDoc} */
{
if (!pValidatorNames.isEmpty())
{
new HashSet<PasswordValidator<?>>();
return values;
}
}
isAlreadyLogged.set(false);
return values;
}
return getDefaultPasswordPolicy().getPasswordValidators();
}
/**
* Implementation of a specific Password Validator that reject all
* password due to mis-configured password policy subentry.
* This is only used when a subentry is referencing a password
* validator that is no longer configured.
*/
private final class RejectPasswordValidator extends
{
private final String validatorName;
private final String pwPolicyName;
{
super();
}
/** {@inheritDoc} */
{
// do nothing
}
/** {@inheritDoc} */
{
.get());
// Only log an error once, on first error
if (isAlreadyLogged.compareAndSet(false, true)) {
}
return false;
}
}
/** {@inheritDoc} */
public Collection<AccountStatusNotificationHandler<?>>
{
}
/** {@inheritDoc} */
public PasswordGenerator<?> getPasswordGenerator()
{
return getDefaultPasswordPolicy().getPasswordGenerator();
}
}