Class PasswordPolicyConfig

java.lang.Object
com.isode.dsapi.config.PasswordPolicyConfig

public class PasswordPolicyConfig extends Object
This class encapsulates a set of settings relating to the password policy as retrieved from the DSA.

Callers are assumed to be using an IsodeDirectorySession which has operator access rights to the DSA. To check the password policy status of a user, fetch an Entry object for the user, making sure to include all attributes that are needed by this class. For example

   IsodeDirectorySession ids;
   // ...
   PasswordPolicyConfig ppc = new PasswordPolicyConfig(ids);
   Selection mySel = new Selection(SelectionType.NO_ATTRIBUTES);
   List<AttributeType> attrs = PasswordPolicyConfig.getPasswordPolicyAttributes();
   for (AttributeType at : attrs) {
       mySel.selectAttributeType(at);
   }
   // now add any other attributes of interest...
   // ...
   // now read the entry from the directory
   Entry e = ids.readEntry(entryDN, mySel, null);
   // ...
   // and find out what might be wrong with it
   Set<PasswordPolicyConfig.AccountIssue> issues = ppc.getAccountIssues(e);
   // ...

Note that a user may be excluded from password policy. Use isExcludedFromPwdPolicy(Entry) to check whether a user is subject to password policy. For such users, methods which return password-policy related information (such as getPwdMaxIdle()) will still work. However, getAccountIssues(Entry) will not return any problems that are caused by password policy for such users.
Since:
R16.6
  • Field Details

    • at_pwdAttribute

      public static AttributeType at_pwdAttribute
    • at_pwdCheckQuality

      public static AttributeType at_pwdCheckQuality
    • at_pwdExpireWarning

      public static AttributeType at_pwdExpireWarning
    • at_pwdLockout

      public static AttributeType at_pwdLockout
    • at_pwdGraceAuthNLimit

      public static AttributeType at_pwdGraceAuthNLimit
    • at_pwdFailureCountInterval

      public static AttributeType at_pwdFailureCountInterval
    • at_pwdInHistory

      public static AttributeType at_pwdInHistory
    • at_pwdLockoutDuration

      public static AttributeType at_pwdLockoutDuration
    • at_pwdMaxAge

      public static AttributeType at_pwdMaxAge
    • at_pwdMaxFailure

      public static AttributeType at_pwdMaxFailure
    • at_pwdMaxIdle

      public static AttributeType at_pwdMaxIdle
    • at_pwdMaxDelay

      public static AttributeType at_pwdMaxDelay
    • at_pwdMinDelay

      public static AttributeType at_pwdMinDelay
    • at_pwdGraceExpiry

      public static AttributeType at_pwdGraceExpiry
    • at_pwdMinAge

      public static AttributeType at_pwdMinAge
    • at_pwdMinLength

      public static AttributeType at_pwdMinLength
    • at_pwdMaxLength

      public static AttributeType at_pwdMaxLength
    • at_pwdMustChange

      public static AttributeType at_pwdMustChange
    • at_pwdAllowUserChange

      public static AttributeType at_pwdAllowUserChange
    • at_pwdSafeModify

      public static AttributeType at_pwdSafeModify
    • at_pwdCheckEntropy

      public static AttributeType at_pwdCheckEntropy
    • at_pwdHistoryDuration

      public static AttributeType at_pwdHistoryDuration
    • at_pwdAutoMigrate

      public static AttributeType at_pwdAutoMigrate
    • at_pwdConfiguredSchemeComparators

      public static AttributeType at_pwdConfiguredSchemeComparators
    • at_pwdConfiguredSchemeGenerators

      public static AttributeType at_pwdConfiguredSchemeGenerators
    • at_pwdStartTime

      public static AttributeType at_pwdStartTime
    • at_pwdEndTime

      public static AttributeType at_pwdEndTime
    • at_pwdLastSuccess

      public static AttributeType at_pwdLastSuccess
    • at_pwdChangedTime

      public static AttributeType at_pwdChangedTime
    • at_createTimeStamp

      public static AttributeType at_createTimeStamp
    • at_accountLock

      public static AttributeType at_accountLock
    • at_accountLockReason

      public static AttributeType at_accountLockReason
    • at_pwdExclude

      public static AttributeType at_pwdExclude
    • at_pwdReset

      public static AttributeType at_pwdReset
  • Constructor Details

  • Method Details

    • getPasswordPolicyAttributes

      public static List<AttributeType> getPasswordPolicyAttributes() throws NoSuchAttributeException
      Returns a list of attributes that should be requested when performing a search or read of user entries. This list contains password policy related attributes that are used by this class when it is determining whether a user has violated password policy constraints.
      Returns:
      a List of AttributeType values which should be added to any Selection that the caller uses when reading user entry information.
      Throws:
      NoSuchAttributeException - if the schema does not have password policy attributes defined.
    • getPwdStartTime

      public Date getPwdStartTime(Entry e) throws BadValueException
      Determine the "password start time" for this entry
      Parameters:
      e - a user entry. Must not be null.
      Returns:
      the password start time for the entry, or null if none is present
      Throws:
      BadValueException - if the password start time is present but cannot be interpreted as a date.
    • getPwdEndTime

      public Date getPwdEndTime(Entry e) throws BadValueException
      Determine the "password end time" for this entry
      Parameters:
      e - an Entry representing a user
      Returns:
      the password end time for the entry, or null if none is present
      Throws:
      BadValueException - if the password end time is present but cannot be interpreted as a date.
    • isExcludedFromPwdPolicy

      public boolean isExcludedFromPwdPolicy(Entry e)
      Determine whether this user is excluded from password policy
      Parameters:
      e - an Entry representing a user
      Returns:
      true if the user is excluded from password policy, false otherwise.
    • isPasswordInValidityPeriod

      public Instant isPasswordInValidityPeriod(Entry e) throws BadValueException
      Determines whether the user represented by the specified entry has a passwordStartTime that is before the current time, and a passwordEndTime that is later than the current time. If neither passwordStartTime nor passwordEndTime is specified, the method returns null.
      Parameters:
      e - a user entry. Must not be null.
      Returns:
      the passwordStartTime if the password is not yet valid, or passwordEndTime if the password is no longer valid, or null if the password is within its validity period (or there is no validity period restriction, or if password policy is not enabled).
      Throws:
      BadValueException - if either time value does not represent an actual time.
    • getPwdLastSuccess

      public Date getPwdLastSuccess(Entry e) throws BadValueException
      Determine the last time the password was successfully used for this entry
      Parameters:
      e - a user entry. Must not be null.
      Returns:
      the pwdLastSuccess for the entry, or null if none is present
      Throws:
      BadValueException - if the time value is present but cannot be interpreted as a date.
    • getPwdChangedTime

      public Date getPwdChangedTime(Entry e) throws BadValueException
      Determine the last time the password was changed for this entry
      Parameters:
      e - a user entry. Must not be null.
      Returns:
      the pwdChangedTime for the entry, or the createtimestamp if no valid pwdChangedTime is present, or null if there's no createtimestamp either
      Throws:
      BadValueException - if createTimeStamp contains an illegal value
    • getCreateTimestamp

      public Date getCreateTimestamp(Entry e) throws BadValueException
      Determine the createTimestamp for this entry
      Parameters:
      e - a user entry. Must not be null.
      Returns:
      the createTimestamp for the entry, should not be null assuming the directory isn't broken.
      Throws:
      BadValueException - if the time value is present but cannot be interpreted as a date.
    • getPwdAttribute

      public AttributeType getPwdAttribute() throws BadAttributeTypeException
      Determine the pwdAttribute defined by the password policy
      Returns:
      the pwdAttribute (e.g. "userPassword") which is the attribute on an entry which is used to store the password, or "userPassword" if password policy is not enabled (or the field "pwdAttribute" is not set for some reason).
      Throws:
      BadAttributeTypeException - if the password policy specifies an illegal value for pwdAttribute
    • getPwdMaxIdle

      public long getPwdMaxIdle() throws BadValueException
      Determine what the "pwdMaxIdle" value is for this configuration. This is the time that can elapse after a successful password authentication before the account is locked.
      Returns:
      the pwdMaxIdle time in milliseconds, or -1 if none is configured, or if password policy is not enabled.
      Throws:
      BadValueException - if the pwdMaxIdle time is configured to an illegal value.
    • getPwdMaxAge

      public long getPwdMaxAge() throws BadValueException
      Determine what the "pwdMaxAge" value is for this configuration. This is the time that can elapse after a password has been changed before it expires
      Returns:
      the pwdMaxAge time in milliseconds, or -1 if none is configured, or if password policy is not enabled.
      Throws:
      BadValueException - if the pwdMaxAge time is configured to an illegal value.
    • isPasswordIdle

      public Instant isPasswordIdle(Entry e) throws BadValueException
      Determine whether the password for this user has been unused for more than the configured value for password policy's "pwdMaxIdle". If no password policy is configured, then this method always returns null.
      Parameters:
      e - a user entry. Must not be null.
      Returns:
      an Instant representing the time that this password could last have been used before it became idle, or null if the password is not considered to be idle (which will also be the case if password policy is not enabled).
      Throws:
      BadValueException - if the pwdMaxIdle or pwdLastSuccess values cannot be interpreted as a date, or there is no createTimestamp on the entry
    • hasPasswordExpired

      public Instant hasPasswordExpired(Entry e) throws BadValueException
      Determine whether the password for this user has expired, based on the last pwdChangedTime being more than pwdMaxAge seconds ago.
      Parameters:
      e - a user entry. Must not be null.
      Returns:
      null if the password has not expired (which will also be the case if password policy is not enabled), or the date when the password expired.
      Throws:
      BadValueException - if the pwdMaxAge or pwdChangedTime values cannot be interpreted as a date.
    • getAccountIssues

      public Set<PasswordPolicyConfig.AccountIssue> getAccountIssues(Entry e)
      Get a set of reasons why password policy would lock this user.
      Parameters:
      e - an entry representing a user
      Returns:
      a set (which may be empty) containing password policy issues for this user.
    • isAccountLocked

      public String isAccountLocked(Entry e)
      Determine whether an account has been administratively locked (i.e. it has the "accountLock" attribute set).
      Parameters:
      e - the entry representing the account to test
      Returns:
      a String containing the accountLockReason (if any). This String may be empty ("") if the account is locked but no reason has been specified. A value of null is returned if the account is not administratively locked.
    • isPasswordResetRequired

      public boolean isPasswordResetRequired(Entry e)
      Determine whether an account requires a password reset before it can be used.
      Parameters:
      e - the entry representing the account to test
      Returns:
      true if the user's entry has the pwdReset attribute set to true and password policy is enabled, false otherwise.
    • isPasswordPresent

      public boolean isPasswordPresent(Entry e)
      Determine whether an account has a password attribute (where the attribute name comes from password policy, or, if password policy is not enabled or does not specify an attribute, then "userPassword").
      Parameters:
      e - the entry representing the account to test
      Returns:
      true if the user's entry has a password, false otherwise.
    • isPasswordPolicyEnabled

      public boolean isPasswordPolicyEnabled()
      Determine whether password policy is enabled.
      Returns:
      true if password policy is enabled for this DSA, false otherwise.
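
The following is an added example, not part of the Isode DSAPI or its documentation. It ties the methods above into one account audit: it builds a Selection from getPasswordPolicyAttributes() (a read that omits those attributes makes every check look clean instead of failing), reads the entry, and then combines the administrative checks (isAccountLocked, isPasswordPresent, isPasswordResetRequired) with the time-based ones (isPasswordInValidityPeriod, isPasswordIdle, hasPasswordExpired), whose null-means-fine return convention is easy to get backwards. Assumptions: the package locations of IsodeDirectorySession, Entry, Selection, SelectionType and AttributeType, the DN type of the entry name, and the decision to skip the time-based checks for users that isExcludedFromPwdPolicy() reports as excluded are mine, not documented on this page; AccountAudit, Report, audit and bindOutlook are hypothetical names.

```java
import java.time.Instant;
import java.util.Set;

import com.isode.dsapi.AttributeType;          // assumed package location
import com.isode.dsapi.DN;                     // assumed: type of the entry name
import com.isode.dsapi.Entry;                  // assumed package location
import com.isode.dsapi.IsodeDirectorySession;  // assumed package location
import com.isode.dsapi.Selection;              // assumed package location
import com.isode.dsapi.SelectionType;          // assumed package location
import com.isode.dsapi.config.PasswordPolicyConfig;

/** Added example (not Isode code): audit one user entry against the DSA's password policy. */
public class AccountAudit {

    /** What the checks found for one entry. */
    public static final class Report {
        public boolean policyEnabled;       // isPasswordPolicyEnabled()
        public boolean excluded;            // isExcludedFromPwdPolicy(e)
        public boolean passwordPresent;     // isPasswordPresent(e)
        public boolean resetRequired;       // isPasswordResetRequired(e)
        public String lockReason;           // isAccountLocked(e): null = not locked, "" = locked without reason
        public Instant validityProblem;     // isPasswordInValidityPeriod(e): null = inside validity period
        public Instant idleCutoff;          // isPasswordIdle(e): null = not idle
        public Instant expiredAt;           // hasPasswordExpired(e): null = not expired
        public Set<PasswordPolicyConfig.AccountIssue> issues; // getAccountIssues(e)
    }

    // Declared "throws Exception" because the exact checked exceptions of readEntry
    // are not documented on this page (assumption).
    public static Report audit(IsodeDirectorySession ids, DN userDN) throws Exception {
        PasswordPolicyConfig ppc = new PasswordPolicyConfig(ids);

        // Request every attribute the checks depend on; start from no attributes so
        // nothing unrelated (including the password itself) is fetched by accident.
        Selection sel = new Selection(SelectionType.NO_ATTRIBUTES);
        for (AttributeType at : PasswordPolicyConfig.getPasswordPolicyAttributes()) {
            sel.selectAttributeType(at);
        }
        Entry e = ids.readEntry(userDN, sel, null);

        Report r = new Report();
        r.policyEnabled = ppc.isPasswordPolicyEnabled();
        r.excluded = ppc.isExcludedFromPwdPolicy(e);

        // Administrative lock, missing password and reset flag do not depend on exclusion.
        r.lockReason = ppc.isAccountLocked(e);
        r.passwordPresent = ppc.isPasswordPresent(e);
        r.resetRequired = ppc.isPasswordResetRequired(e);

        // Time-based checks: each returns null when nothing is wrong and an Instant
        // (validity boundary, last usable time, expiry time) otherwise. Skipped for
        // excluded users, whose policy findings getAccountIssues() does not report either
        // (design choice of this example).
        if (r.policyEnabled && !r.excluded) {
            r.validityProblem = ppc.isPasswordInValidityPeriod(e);
            r.idleCutoff = ppc.isPasswordIdle(e);
            r.expiredAt = ppc.hasPasswordExpired(e);
        }
        r.issues = ppc.getAccountIssues(e);
        return r;
    }

    /**
     * Conservative view of whether a bind with the stored password could succeed now.
     * The DSA is authoritative; grace authentications (pwdGraceAuthNLimit) are not
     * modelled here, so this may say "no" where the DSA would still allow a last bind.
     */
    public static String bindOutlook(Report r) {
        if (r.lockReason != null) {
            return "locked" + (r.lockReason.isEmpty() ? "" : ": " + r.lockReason);
        }
        if (!r.passwordPresent) {
            return "no password set";
        }
        if (r.validityProblem != null) {
            return "outside validity period (boundary " + r.validityProblem + ")";
        }
        if (r.idleCutoff != null) {
            return "idle: not used since before " + r.idleCutoff;
        }
        if (r.expiredAt != null) {
            return "expired at " + r.expiredAt;
        }
        if (r.resetRequired) {
            return "password reset required before the account can be used";
        }
        if (!r.issues.isEmpty()) {
            return "policy issues: " + r.issues;
        }
        return "usable";
    }
}
```

Usage is `AccountAudit.bindOutlook(AccountAudit.audit(ids, userDN))` with an IsodeDirectorySession bound with operator rights, as the class description requires; without those rights the policy attributes may simply be absent from the entry and every check will report "usable". Because the session has operator rights, keep the Selection to the attributes the checks need rather than selecting everything, so that the password attribute itself is not pulled into the audit tool's memory and logs.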