com.unboundid.directory.sdk.ds.scripting

Class ScriptedPasswordValidator

java.lang.Object

com.unboundid.directory.sdk.ds.scripting.ScriptedPasswordValidator

All Implemented Interfaces:

Configurable, Reconfigurable<PasswordValidatorConfig>

@Extensible
@DirectoryServerExtension
@DirectoryProxyServerExtension(appliesToLocalContent=true,
                               appliesToRemoteContent=false)
@SynchronizationServerExtension(appliesToLocalContent=true,
                                appliesToSynchronizedContent=false)
@ThreadSafety(level=INTERFACE_THREADSAFE)
public abstract class ScriptedPasswordValidator
extends java.lang.Object
implements Reconfigurable<PasswordValidatorConfig>

This class defines an API that must be implemented by scripted extensions which attempt to determine whether a proposed user password is acceptable. Each server password policy may be configured with zero or more password validators, and whenever a user changes his or her password (and optionally whenever an administrator resets the password for another user), then each of the password validators configured in the password policy for the target user will be given access to the clear-text password in order to determine whether that password will be allowed. Password validators will also have access to the rest of the user entry, and may also have access to a clear-text version of the user's current password(s) if they were provided in the request.

Configuring Groovy-Scripted Password Validators

In order to configure a scripted password validator based on this API and written in the Groovy scripting language, use a command like:

      dsconfig create-password-validator \
           --validator-name "{validator-name}" \
           --type groovy-scripted \
           --set enabled:true \
           --set "script-class:{class-name}" \
           --set "script-argument:{name=value}"
 

where "{validator-name}" is the name to use for the password validator instance, "{class-name}" is the fully-qualified name of the Groovy class written using this API, and "{name=value}" represents name-value pairs for any arguments to provide to the password validator. If multiple arguments should be provided to the password validator, then the "--set script-argument:{name=value}" option should be provided multiple times.

See Also:

PasswordValidator

Constructor Summary

Constructors

Constructor and Description
ScriptedPasswordValidator() Creates a new instance of this password validator.

Method Summary

Methods

Modifier and Type	Method and Description
com.unboundid.ldap.sdk.ResultCode	applyConfiguration(PasswordValidatorConfig config, com.unboundid.util.args.ArgumentParser parser, java.util.List<java.lang.String> adminActionsRequired, java.util.List<java.lang.String> messages) Attempts to apply the configuration from the provided argument parser to this extension.
void	defineConfigArguments(com.unboundid.util.args.ArgumentParser parser) Updates the provided argument parser to define any configuration arguments which may be used by this extension.
void	finalizePasswordValidator() Performs any cleanup which may be necessary when this password validator is to be taken out of service.
com.unboundid.ldap.sdk.unboundidds.extensions.PasswordQualityRequirement	getPasswordQualityRequirement() Retrieves the password quality requirement for this password validator, if available.
void	initializePasswordValidator(DirectoryServerContext serverContext, PasswordValidatorConfig config, com.unboundid.util.args.ArgumentParser parser) Initializes this password validator.
boolean	invokeForAdd() Indicates whether this password validator should be invoked for add operations that attempt to create an entry containing one or more password values.
boolean	invokeForAdministrativeReset() Indicates whether this password validator should be invoked for modify or password modify operations that represent one user's attempt to change the password for another user.
boolean	invokeForSelfChange() Indicates whether this password validator should be invoked for modify or password modify operations that represent a user's attempt to change his/her own password.
boolean	isConfigurationAcceptable(PasswordValidatorConfig config, com.unboundid.util.args.ArgumentParser parser, java.util.List<java.lang.String> unacceptableReasons) Indicates whether the configuration represented by the provided argument parser is acceptable for use by this extension.
abstract boolean	isPasswordAcceptable(OperationContext operationContext, com.unboundid.util.ByteString newPassword, java.util.Set<com.unboundid.util.ByteString> currentPasswords, Entry userEntry, java.lang.StringBuilder invalidReason) Indicates whether the proposed password is acceptable for the specified user.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

ScriptedPasswordValidator

public ScriptedPasswordValidator()

Creates a new instance of this password validator. All password validator implementations must include a default constructor, but any initialization should generally be done in the initializePasswordValidator method.

Method Detail

defineConfigArguments

public void defineConfigArguments(com.unboundid.util.args.ArgumentParser parser)
                           throws com.unboundid.util.args.ArgumentException

Updates the provided argument parser to define any configuration arguments which may be used by this extension. The argument parser may also be updated to define relationships between arguments (e.g., to specify required, exclusive, or dependent argument sets).

Specified by:

defineConfigArguments in interface Configurable

Parameters:

parser - The argument parser to be updated with the configuration arguments which may be used by this extension.

Throws:

com.unboundid.util.args.ArgumentException - If a problem is encountered while updating the provided argument parser.

initializePasswordValidator

public void initializePasswordValidator(DirectoryServerContext serverContext,
                               PasswordValidatorConfig config,
                               com.unboundid.util.args.ArgumentParser parser)
                                 throws com.unboundid.ldap.sdk.LDAPException

Initializes this password validator.

Parameters:

serverContext - A handle to the server context for the server in which this extension is running.

config - The general configuration for this password validator.

parser - The argument parser which has been initialized from the configuration for this password validator.

Throws:

com.unboundid.ldap.sdk.LDAPException - If a problem occurs while initializing this password validator.

finalizePasswordValidator

public void finalizePasswordValidator()

Performs any cleanup which may be necessary when this password validator is to be taken out of service.

isConfigurationAcceptable

public boolean isConfigurationAcceptable(PasswordValidatorConfig config,
                                com.unboundid.util.args.ArgumentParser parser,
                                java.util.List<java.lang.String> unacceptableReasons)

Indicates whether the configuration represented by the provided argument parser is acceptable for use by this extension. The parser will have been used to parse any configuration available for this extension, and any automatic validation will have been performed. This method may be used to perform any more complex validation which cannot be performed automatically by the argument parser.

Specified by:

isConfigurationAcceptable in interface Reconfigurable<PasswordValidatorConfig>

Parameters:

config - The general configuration for this extension.

parser - The argument parser that has been used to parse the proposed configuration for this extension.

unacceptableReasons - A list to which messages may be added to provide additional information about why the provided configuration is not acceptable.

Returns:

true if the configuration in the provided argument parser appears to be acceptable, or false if not.

applyConfiguration

public com.unboundid.ldap.sdk.ResultCode applyConfiguration(PasswordValidatorConfig config,
                                                   com.unboundid.util.args.ArgumentParser parser,
                                                   java.util.List<java.lang.String> adminActionsRequired,
                                                   java.util.List<java.lang.String> messages)

Attempts to apply the configuration from the provided argument parser to this extension.

Specified by:

applyConfiguration in interface Reconfigurable<PasswordValidatorConfig>

Parameters:

config - The general configuration for this extension.

parser - The argument parser that has been used to parse the new configuration for this extension.

adminActionsRequired - A list to which messages may be added to provide additional information about any additional administrative actions that may be required to apply some of the configuration changes.

messages - A list to which messages may be added to provide additional information about the processing performed by this method.

Returns:

A result code providing information about the result of applying the configuration change. A result of SUCCESS should be used to indicate that all processing completed successfully. Any other result will indicate that a problem occurred during processing.

invokeForAdd

public boolean invokeForAdd()

Indicates whether this password validator should be invoked for add operations that attempt to create an entry containing one or more password values.

Returns:

true if this password validator should be invoked for add operations that include one or more passwords, or false if not.

invokeForSelfChange

public boolean invokeForSelfChange()

Indicates whether this password validator should be invoked for modify or password modify operations that represent a user's attempt to change his/her own password.

Returns:

true if this password validator should be invoked for self password change operations, or false if not.

invokeForAdministrativeReset

public boolean invokeForAdministrativeReset()

Indicates whether this password validator should be invoked for modify or password modify operations that represent one user's attempt to change the password for another user.

Returns:

true if this password validator should be invoked for administrative password reset operations, or false if not.

getPasswordQualityRequirement

public com.unboundid.ldap.sdk.unboundidds.extensions.PasswordQualityRequirement getPasswordQualityRequirement()

Retrieves the password quality requirement for this password validator, if available.

Returns:

The password quality requirement for this password validator, or null if no requirement information is available.

isPasswordAcceptable

public abstract boolean isPasswordAcceptable(OperationContext operationContext,
                           com.unboundid.util.ByteString newPassword,
                           java.util.Set<com.unboundid.util.ByteString> currentPasswords,
                           Entry userEntry,
                           java.lang.StringBuilder invalidReason)

Indicates whether the proposed password is acceptable for the specified user.

Parameters:

operationContext - The operation context for the associated request. It may be associated with an add, modify, or password modify operation.

newPassword - The proposed new password for the user that should be validated. It will not be encoded or obscured in any way.

currentPasswords - The current set of passwords for the user, if available. It may be null if this is not available. Note that even if one or more current passwords are available, it may not constitute the complete set of passwords for the user.

userEntry - The entry for the user whose password is being changed.

invalidReason - A buffer to which a message may be appended to indicate why the proposed password is not acceptable.

Returns:

true if the proposed new password is acceptable, or false if not.