From 16a4c18b4c101e8e3dc7b8be756de1807970065f Mon Sep 17 00:00:00 2001
From: neil_a_wilson <neil_a_wilson@localhost>
Date: Thu, 19 Jul 2007 16:12:32 +0000
Subject: [PATCH] Update the server to provide more complete support for the password policy control as described in draft-behera-ldap-password-policy.  In particular, improved support has been provided for all operations for the case in which a user must change his/her password before performing any other types of operations.  These changes also provide enhanced support for add and modify operations that are rejected because a password change is not acceptable for some reason.

---
 opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendAddOperation.java |   37 ++++++++++++++++++++++++++++++++++++-
 1 files changed, 36 insertions(+), 1 deletions(-)

diff --git a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendAddOperation.java b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendAddOperation.java
index 681aff6..211629a 100644
--- a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendAddOperation.java
+++ b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendAddOperation.java
@@ -29,6 +29,7 @@
 import static org.opends.server.config.ConfigConstants.*;
 import static org.opends.server.messages.CoreMessages.*;
 import static org.opends.server.messages.MessageHandler.getMessage;
+import static org.opends.server.util.ServerConstants.*;
 
 import java.util.ArrayList;
 import java.util.HashSet;
@@ -39,6 +40,8 @@
 
 import org.opends.server.api.PasswordStorageScheme;
 import org.opends.server.api.PasswordValidator;
+import org.opends.server.controls.PasswordPolicyErrorType;
+import org.opends.server.controls.PasswordPolicyResponseControl;
 import org.opends.server.core.AddOperation;
 import org.opends.server.core.AddOperationWrapper;
 import org.opends.server.core.DirectoryServer;
@@ -51,6 +54,7 @@
 import org.opends.server.types.AttributeType;
 import org.opends.server.types.AttributeValue;
 import org.opends.server.types.ByteString;
+import org.opends.server.types.Control;
 import org.opends.server.types.DirectoryException;
 import org.opends.server.types.Entry;
 import org.opends.server.types.ObjectClass;
@@ -121,7 +125,7 @@
    *                              policy processing for the add operation.
    */
   public final void handlePasswordPolicy(PasswordPolicy passwordPolicy,
-                                          Entry userEntry)
+                                         Entry userEntry)
          throws DirectoryException
   {
     // See if a password was specified.
@@ -161,6 +165,8 @@
     if ((! passwordPolicy.allowMultiplePasswordValues()) && (values.size() > 1))
     {
       // FIXME -- What if they're pre-encoded and might all be the same?
+      addPWPolicyControl(PasswordPolicyErrorType.PASSWORD_MOD_NOT_ALLOWED);
+
       int    msgID   = MSGID_PWPOLICY_MULTIPLE_PW_VALUES_NOT_ALLOWED;
       String message = getMessage(msgID, passwordAttribute.getNameOrOID());
       throw new DirectoryException(ResultCode.CONSTRAINT_VIOLATION, message,
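Review bot: The error type chosen on the added line, `PasswordPolicyErrorType.PASSWORD_MOD_NOT_ALLOWED`, tells a client that password modification is forbidden for this entry, while the actual failure is that more than one password value was supplied and the policy permits only one. A client acting on the control would conclude it cannot set a password at all rather than that it should send a single value; the other rejections in this method report `INSUFFICIENT_PASSWORD_QUALITY`, which may be a closer fit, and if mod-not-allowed is intentional a comment such as `// Report as mod-not-allowed: this policy forbids multiple password values.` would make the choice deliberate. The FIXME on the preceding line about identical pre-encoded values is unchanged by this commit. handlePasswordPolicy continues outside the hunk.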
@@ -187,6 +193,9 @@
           }
           else
           {
+            addPWPolicyControl(
+                 PasswordPolicyErrorType.INSUFFICIENT_PASSWORD_QUALITY);
+
             int    msgID   = MSGID_PWPOLICY_PREENCODED_NOT_ALLOWED;
             String message = getMessage(msgID,
                                         passwordAttribute.getNameOrOID());
@@ -206,6 +215,9 @@
           }
           else
           {
+            addPWPolicyControl(
+                 PasswordPolicyErrorType.INSUFFICIENT_PASSWORD_QUALITY);
+
             int    msgID   = MSGID_PWPOLICY_PREENCODED_NOT_ALLOWED;
             String message = getMessage(msgID,
                                         passwordAttribute.getNameOrOID());
@@ -229,6 +241,9 @@
           if (! validator.passwordIsAcceptable(value, currentPasswords, this,
                                                userEntry, invalidReason))
           {
+            addPWPolicyControl(
+                 PasswordPolicyErrorType.INSUFFICIENT_PASSWORD_QUALITY);
+
             int    msgID   = MSGID_PWPOLICY_VALIDATION_FAILED;
             String message = getMessage(msgID, passwordAttribute.getNameOrOID(),
                                         String.valueOf(invalidReason));
@@ -289,6 +304,8 @@
     // If we should force change on add, then set the appropriate flag.
     if (passwordPolicy.forceChangeOnAdd())
     {
+      addPWPolicyControl(PasswordPolicyErrorType.CHANGE_AFTER_RESET);
+
       AttributeType resetType =
            DirectoryServer.getAttributeType(OP_ATTR_PWPOLICY_RESET_REQUIRED_LC);
       if (resetType == null)
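Review bot: The `CHANGE_AFTER_RESET` response control is queued at the top of the forceChangeOnAdd branch, before the reset-required attribute is looked up and (outside this hunk) stored on the entry, so if any later step in this branch or in the rest of the add fails, the error response would presumably still carry a changeAfterReset control for an account that was never created. Moving `addPWPolicyControl(PasswordPolicyErrorType.CHANGE_AFTER_RESET);` to the end of the `if (passwordPolicy.forceChangeOnAdd())` block, after the attribute has been added, avoids that. Note also that the client receiving this control is the one performing the add, not the user whose password must change; if that is intended, a comment like `// Inform the creating client that the new account must change its password at first use.` would clarify it. The enclosing block continues past the end of the hunk.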
@@ -309,6 +326,24 @@
   }
 
   /**
+   * Adds a password policy response control if the corresponding request
+   * control was included.
+   *
+   * @param  errorType  The error type to use for the response control.
+   */
+  private void addPWPolicyControl(PasswordPolicyErrorType errorType)
+  {
+    for (Control c : getRequestControls())
+    {
+      if (c.getOID().equals(OID_PASSWORD_POLICY_CONTROL))
+      {
+        addResponseControl(new PasswordPolicyResponseControl(null, 0,
+                                                             errorType));
+      }
+    }
+  }
+
+  /**
    * Adds the provided objectClass to the entry, along with its superior classes
    * if appropriate.
    *
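Review bot: The loop in addPWPolicyControl does not stop at the first match, so a request that carries the password policy control more than once receives one response control per occurrence; the body should be `addResponseControl(new PasswordPolicyResponseControl(null, 0, errorType)); return;`. The same duplication would arise if the helper were reached twice in one operation, which the visible call sites avoid only because every failure path throws immediately after calling it, so the Javadoc should state the contract, e.g. `Adds at most one response control; callers must invoke this once per operation.` The `null, 0` arguments are presumably the "no warning" encoding of the response control, which is worth a short comment at the call since the constructor's contract is not visible in this file.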

--
Gitblit v1.10.0