mirror of https://github.com/OpenIdentityPlatform/OpenDJ.git
opends/resource/schema/02-config.ldif
@@ -1475,6 +1475,9 @@ NAME 'ds-cfg-strip-syntax-minimum-upper-bound' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'OpenDS Directory Server' ) attributeTypes: ( 1.3.6.1.4.1.26027.1.1.443 NAME 'ds-cfg-state-update-failure-policy' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'OpenDS Directory Server' ) objectClasses: ( 1.3.6.1.4.1.26027.1.2.1 NAME 'ds-cfg-access-control-handler' SUP top STRUCTURAL MUST ( cn $ ds-cfg-acl-handler-class $ ds-cfg-acl-handler-enabled ) @@ -1602,7 +1605,7 @@ X-ORIGIN 'OpenDS Directory Server' ) objectClasses: ( 1.3.6.1.4.1.26027.1.2.23 NAME 'ds-cfg-access-logger' SUP ds-cfg-logger STRUCTURAL MAY ( ds-cfg-suppress-internal-operations $ STRUCTURAL MAY ( ds-cfg-suppress-internal-operations $ ds-cfg-suppress-synchronization-operations ) X-ORIGIN 'OpenDS Directory Server' ) objectClasses: ( 1.3.6.1.4.1.26027.1.2.24 NAME 'ds-cfg-error-logger' @@ -1803,8 +1806,8 @@ ds-cfg-password-validator-dn $ ds-cfg-previous-last-login-time-format $ ds-cfg-require-change-by-time $ ds-cfg-require-secure-authentication $ ds-cfg-require-secure-password-changes $ ds-cfg-skip-validation-for-administrators ) X-ORIGIN 'OpenDS Directory Server' ) ds-cfg-skip-validation-for-administrators $ ds-cfg-state-update-failure-policy ) X-ORIGIN 'OpenDS Directory Server' ) objectClasses: ( 1.3.6.1.4.1.26027.1.2.63 NAME 'ds-cfg-jmx-connection-handler' SUP ds-cfg-connection-handler STRUCTURAL MUST ( ds-cfg-listen-port $ ds-cfg-ssl-cert-nickname $ opends/src/admin/defn/org/opends/server/admin/std/PasswordPolicyConfiguration.xml
@@ -944,4 +944,57 @@ </ldap:attribute> </adm:profile> </adm:property> <adm:property name="state-update-failure-policy" mandatory="false" multi-valued="false"> <adm:synopsis> Specifies how the server should deal with the inability to update password policy state information during an authentication attempt. In particular, it may be used to control whether an otherwise successful bind operation should fail if a failure occurs while attempting to update password policy state information (e.g., to clear a record of previous authentication failures or to update the last login time), or even whether to reject a bind request if it is known aheaed of time that it will not be possible to update the authentication failure times in the event of an unsuccessful bind attempt (e.g., if the backend writability mode is disabled). </adm:synopsis> <adm:default-behavior> <adm:defined> <adm:value>reactive</adm:value> </adm:defined> </adm:default-behavior> <adm:syntax> <adm:enumeration> <adm:value name="ignore"> <adm:synopsis> If a bind attempt would otherwise be successful, then do not reject it if a problem occurs while attempting to update the password policy state information for the user. </adm:synopsis> </adm:value> <adm:value name="reactive"> <adm:synopsis> Even if a bind attempt would otherwise be successful, reject it if a problem occurs while attempting to update the password policy state information for the user. </adm:synopsis> </adm:value> <adm:value name="proactive"> <adm:synopsis> Proactively reject any bind attempt if it is known ahead of time that it would not be possible to update the user's password policy state information. </adm:synopsis> </adm:value> </adm:enumeration> </adm:syntax> <adm:profile name="ldap"> <ldap:attribute> <ldap:oid>1.3.6.1.4.1.26027.1.1.443</ldap:oid> <ldap:name>ds-cfg-state-update-failure-policy</ldap:name> </ldap:attribute> </adm:profile> </adm:property> </adm:managed-object>
@@ -827,6 +827,7 @@ logBindRequest(this); logBindResponse(this); clientConnection.setBindInProgress(false); return; } else if (preParseResult.sendResponseImmediately()) @@ -884,14 +885,16 @@ setProcessingStopTime(); logBindResponse(this); invokePostResponsePlugins(); clientConnection.setBindInProgress(false); return; } // Unset the "bind in progress" flag to allow other operations to be // processed. // FIXME -- Make sure this also gets unset at every possible point at which // the bind could fail and this method could return early. clientConnection.setBindInProgress(false); // If the bind processing is finished, then unset the "bind in progress" // flag to allow other operations to be processed on the connection. if (getResultCode() != ResultCode.SASL_BIND_IN_PROGRESS) { clientConnection.setBindInProgress(false); } // Stop the processing timer. setProcessingStopTime(); opends/src/server/org/opends/server/core/PasswordPolicy.java
@@ -39,6 +39,7 @@ import java.util.concurrent.CopyOnWriteArrayList; import java.util.concurrent.CopyOnWriteArraySet; import org.opends.server.admin.std.meta.PasswordPolicyCfgDefn; import org.opends.server.admin.std.server.PasswordPolicyCfg; import org.opends.server.admin.std.server.PasswordValidatorCfg; import org.opends.server.api.AccountStatusNotificationHandler; @@ -215,6 +216,11 @@ private CopyOnWriteArrayList<String> previousLastLoginTimeFormats = new CopyOnWriteArrayList<String>(); // The state update failure policy. private PasswordPolicyCfgDefn.StateUpdateFailurePolicy stateUpdateFailurePolicy = PasswordPolicyCfgDefn.StateUpdateFailurePolicy.REACTIVE; /** @@ -801,6 +807,11 @@ // Get the idle lockout duration. this.idleLockoutInterval = (int) configuration.getIdleLockoutInterval(); // Get the state update failure policy. this.stateUpdateFailurePolicy = configuration.getStateUpdateFailurePolicy(); /* * Holistic validation. */ @@ -1448,6 +1459,19 @@ /** * Retrieves the state update failure policy for this password policy. * * @return The state update failure policy for this password policy. */ public PasswordPolicyCfgDefn.StateUpdateFailurePolicy getStateUpdateFailurePolicy() { return stateUpdateFailurePolicy; } /** * Retrieves a string representation of this password policy. * * @return A string representation of this password policy.
