/**
* Validates a number of password policy state constraints for the user. This will be called
* before the offered credentials are checked.
*
* @param userEntry The entry for the user that is authenticating.
* @param saslHandler The SASL mechanism handler if this is a SASL bind, or {@code null} for a
* simple bind.
* @throws DirectoryException If a problem occurs that should cause the bind to fail.
*/
protected void checkUnverifiedPasswordPolicyState(
Entry userEntry, SASLMechanismHandler<?> saslHandler) throws DirectoryException {
PasswordPolicyState pwPolicyState = (PasswordPolicyState) authPolicyState;
PasswordPolicy policy = pwPolicyState.getAuthenticationPolicy();
boolean isSASLBind = saslHandler != null;
// If the password policy is configured to track authentication failures or
// keep the last login time and the associated backend is disabled, then we
// may need to reject the bind immediately.
if ((policy.getStateUpdateFailurePolicy()
== PasswordPolicyCfgDefn.StateUpdateFailurePolicy.PROACTIVE)
&& ((policy.getLockoutFailureCount() > 0)
|| ((policy.getLastLoginTimeAttribute() != null)
&& (policy.getLastLoginTimeFormat() != null)))
&& ((DirectoryServer.getWritabilityMode() == WritabilityMode.DISABLED)
|| (backend.getWritabilityMode() == WritabilityMode.DISABLED))) {
// This policy isn't applicable to root users, so if it's a root
// user then ignore it.
if (!DirectoryServer.isRootDN(userEntry.getName())) {
throw new DirectoryException(
ResultCode.INVALID_CREDENTIALS,
ERR_BIND_OPERATION_WRITABILITY_DISABLED.get(userEntry.getName()));
}
}
// Check to see if the authentication must be done in a secure
// manner. If so, then the client connection must be secure.
if (policy.isRequireSecureAuthentication() && !clientConnection.isSecure()) {
if (isSASLBind) {
if (!saslHandler.isSecure(saslMechanism)) {
throw new DirectoryException(
ResultCode.INVALID_CREDENTIALS,
ERR_BIND_OPERATION_INSECURE_SASL_BIND.get(saslMechanism, userEntry.getName()));
}
} else {
throw new DirectoryException(
ResultCode.INVALID_CREDENTIALS, ERR_BIND_OPERATION_INSECURE_SIMPLE_BIND.get());
}
}
}
/**
* Perform policy checks for accounts when the credentials are correct.
*
* @param userEntry The entry for the user that is authenticating.
* @param saslHandler The SASL mechanism handler if this is a SASL bind, or {@code null} for a
* simple bind.
* @throws DirectoryException If a problem occurs that should cause the bind to fail.
*/
protected void checkVerifiedPasswordPolicyState(
Entry userEntry, SASLMechanismHandler<?> saslHandler) throws DirectoryException {
PasswordPolicyState pwPolicyState = (PasswordPolicyState) authPolicyState;
PasswordPolicy policy = pwPolicyState.getAuthenticationPolicy();
boolean isSASLBind = saslHandler != null;
// Check to see if the user is administratively disabled or locked.
if (pwPolicyState.isDisabled()) {
throw new DirectoryException(
ResultCode.INVALID_CREDENTIALS, ERR_BIND_OPERATION_ACCOUNT_DISABLED.get());
} else if (pwPolicyState.isAccountExpired()) {
LocalizableMessage m = ERR_BIND_OPERATION_ACCOUNT_EXPIRED.get();
pwPolicyState.generateAccountStatusNotification(
AccountStatusNotificationType.ACCOUNT_EXPIRED,
userEntry,
m,
AccountStatusNotification.createProperties(pwPolicyState, false, -1, null, null));
throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, m);
} else if (pwPolicyState.lockedDueToFailures()) {
if (pwPolicyErrorType == null) {
pwPolicyErrorType = PasswordPolicyErrorType.ACCOUNT_LOCKED;
}
throw new DirectoryException(
ResultCode.INVALID_CREDENTIALS, ERR_BIND_OPERATION_ACCOUNT_FAILURE_LOCKED.get());
} else if (pwPolicyState.lockedDueToIdleInterval()) {
if (pwPolicyErrorType == null) {
pwPolicyErrorType = PasswordPolicyErrorType.ACCOUNT_LOCKED;
}
LocalizableMessage m = ERR_BIND_OPERATION_ACCOUNT_IDLE_LOCKED.get();
pwPolicyState.generateAccountStatusNotification(
AccountStatusNotificationType.ACCOUNT_IDLE_LOCKED,
userEntry,
m,
AccountStatusNotification.createProperties(pwPolicyState, false, -1, null, null));
throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, m);
}
// If it's a simple bind, or if it's a password-based SASL bind, then
// perform a number of password-based checks.
if (!isSASLBind || saslHandler.isPasswordBased(saslMechanism)) {
// Check to see if the account is locked due to the maximum reset age.
if (pwPolicyState.lockedDueToMaximumResetAge()) {
if (pwPolicyErrorType == null) {
pwPolicyErrorType = PasswordPolicyErrorType.ACCOUNT_LOCKED;
}
LocalizableMessage m = ERR_BIND_OPERATION_ACCOUNT_RESET_LOCKED.get();
pwPolicyState.generateAccountStatusNotification(
AccountStatusNotificationType.ACCOUNT_RESET_LOCKED,
userEntry,
m,
AccountStatusNotification.createProperties(pwPolicyState, false, -1, null, null));
throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, m);
}
// Determine whether the password is expired, or whether the user
// should be warned about an upcoming expiration.
if (pwPolicyState.isPasswordExpired()) {
if (pwPolicyErrorType == null) {
pwPolicyErrorType = PasswordPolicyErrorType.PASSWORD_EXPIRED;
}
int maxGraceLogins = policy.getGraceLoginCount();
if (maxGraceLogins > 0 && pwPolicyState.mayUseGraceLogin()) {
List<Long> graceLoginTimes = pwPolicyState.getGraceLoginTimes();
if (graceLoginTimes == null || graceLoginTimes.size() < maxGraceLogins) {
isGraceLogin = true;
mustChangePassword = true;
if (pwPolicyWarningType == null) {
pwPolicyWarningType = PasswordPolicyWarningType.GRACE_LOGINS_REMAINING;
pwPolicyWarningValue = maxGraceLogins - (graceLoginTimes.size() + 1);
}
} else {
LocalizableMessage m = ERR_BIND_OPERATION_PASSWORD_EXPIRED.get();
pwPolicyState.generateAccountStatusNotification(
AccountStatusNotificationType.PASSWORD_EXPIRED,
userEntry,
m,
AccountStatusNotification.createProperties(pwPolicyState, false, -1, null, null));
throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, m);
}
} else {
LocalizableMessage m = ERR_BIND_OPERATION_PASSWORD_EXPIRED.get();
pwPolicyState.generateAccountStatusNotification(
AccountStatusNotificationType.PASSWORD_EXPIRED,
userEntry,
m,
AccountStatusNotification.createProperties(pwPolicyState, false, -1, null, null));
throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, m);
}
} else if (pwPolicyState.shouldWarn()) {
int numSeconds = pwPolicyState.getSecondsUntilExpiration();
if (pwPolicyWarningType == null) {
pwPolicyWarningType = PasswordPolicyWarningType.TIME_BEFORE_EXPIRATION;
pwPolicyWarningValue = numSeconds;
}
isFirstWarning = pwPolicyState.isFirstWarning();
}
// Check to see if the user's password has been reset.
if (pwPolicyState.mustChangePassword()) {
mustChangePassword = true;
if (pwPolicyErrorType == null) {
pwPolicyErrorType = PasswordPolicyErrorType.CHANGE_AFTER_RESET;
}
}
}
}
/**
* Performs the processing necessary for a SASL bind operation.
*
* @return {@code true} if processing should continue for the operation, or {@code false} if not.
* @throws DirectoryException If a problem occurs that should cause the bind operation to fail.
*/
private boolean processSASLBind() throws DirectoryException {
// Get the appropriate authentication handler for this request based
// on the SASL mechanism. If there is none, then fail.
SASLMechanismHandler<?> saslHandler = DirectoryServer.getSASLMechanismHandler(saslMechanism);
if (saslHandler == null) {
throw new DirectoryException(
ResultCode.AUTH_METHOD_NOT_SUPPORTED,
ERR_BIND_OPERATION_UNKNOWN_SASL_MECHANISM.get(saslMechanism));
}
// Check to see if the client has sufficient permission to perform the bind.
// NYI
// Invoke pre-operation plugins.
if (!invokePreOpPlugins()) {
return false;
}
// Actually process the SASL bind.
saslHandler.processSASLBind(this);
// If the server is operating in lockdown mode, then we will need to
// ensure that the authentication was successful and performed as a
// root user to continue.
Entry saslAuthUserEntry = getSASLAuthUserEntry();
if (DirectoryServer.lockdownMode()) {
ResultCode resultCode = getResultCode();
if (resultCode != ResultCode.SASL_BIND_IN_PROGRESS
&& (resultCode != ResultCode.SUCCESS
|| saslAuthUserEntry == null
|| !ClientConnection.hasPrivilege(saslAuthUserEntry, BYPASS_LOCKDOWN))) {
throw new DirectoryException(
ResultCode.INVALID_CREDENTIALS, ERR_BIND_REJECTED_LOCKDOWN_MODE.get());
}
}
// Create the password policy state object.
if (saslAuthUserEntry != null) {
setUserEntryDN(saslAuthUserEntry.getName());
// FIXME -- Need to have a way to enable debugging.
authPolicyState = AuthenticationPolicyState.forUser(saslAuthUserEntry, false);
if (authPolicyState.isPasswordPolicy()) {
// Account is managed locally: perform password policy checks that can
// be completed before we have checked authentication was successful.
checkUnverifiedPasswordPolicyState(saslAuthUserEntry, saslHandler);
}
}
// Determine whether the authentication was successful and perform
// any remaining password policy processing accordingly.
ResultCode resultCode = getResultCode();
if (resultCode == ResultCode.SUCCESS) {
if (authPolicyState != null && authPolicyState.isPasswordPolicy()) {
checkVerifiedPasswordPolicyState(saslAuthUserEntry, saslHandler);
PasswordPolicyState pwPolicyState = (PasswordPolicyState) authPolicyState;
if (saslHandler.isPasswordBased(saslMechanism) && pwPolicyState.mustChangePassword()) {
mustChangePassword = true;
}
if (isFirstWarning) {
pwPolicyState.setWarnedTime();
int numSeconds = pwPolicyState.getSecondsUntilExpiration();
LocalizableMessage m = WARN_BIND_PASSWORD_EXPIRING.get(secondsToTimeString(numSeconds));
pwPolicyState.generateAccountStatusNotification(
AccountStatusNotificationType.PASSWORD_EXPIRING,
saslAuthUserEntry,
m,
AccountStatusNotification.createProperties(
pwPolicyState, false, numSeconds, null, null));
}
if (isGraceLogin) {
pwPolicyState.updateGraceLoginTimes();
}
pwPolicyState.setLastLoginTime();
}
// Set appropriate resource limits for the user (note that SASL ANONYMOUS
// does not have a user).
if (saslAuthUserEntry != null) {
setResourceLimits(saslAuthUserEntry);
}
} else if (resultCode == ResultCode.SASL_BIND_IN_PROGRESS) {
// FIXME -- Is any special processing needed here?
return false;
} else {
if (authPolicyState != null && authPolicyState.isPasswordPolicy()) {
PasswordPolicyState pwPolicyState = (PasswordPolicyState) authPolicyState;
if (saslHandler.isPasswordBased(saslMechanism)
&& pwPolicyState.getAuthenticationPolicy().getLockoutFailureCount() > 0) {
generateAccountStatusNotificationForLockedBindAccount(saslAuthUserEntry, pwPolicyState);
}
}
}
return true;
}
