directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From elecha...@apache.org
Subject svn commit: r1200870 [1/3] - in /directory/apacheds/trunk: interceptor-kerberos/src/main/java/org/apache/directory/server/core/kerberos/ interceptors/admin/src/main/java/org/apache/directory/server/core/admin/ interceptors/authn/src/main/java/org/apach...
Date Fri, 11 Nov 2011 13:15:40 GMT
Author: elecharny
Date: Fri Nov 11 13:15:39 2011
New Revision: 1200870

URL: http://svn.apache.org/viewvc?rev=1200870&view=rev
Log:
o Added missing Javadoc
o Cleanup
o Reorganized the order of methods

Modified:
    directory/apacheds/trunk/interceptor-kerberos/src/main/java/org/apache/directory/server/core/kerberos/KeyDerivationInterceptor.java
    directory/apacheds/trunk/interceptors/admin/src/main/java/org/apache/directory/server/core/admin/AdministrativePointInterceptor.java
    directory/apacheds/trunk/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java
    directory/apacheds/trunk/interceptors/authz/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java
    directory/apacheds/trunk/interceptors/authz/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationInterceptor.java
    directory/apacheds/trunk/interceptors/changelog/src/main/java/org/apache/directory/server/core/changelog/ChangeLogInterceptor.java
    directory/apacheds/trunk/interceptors/event/src/main/java/org/apache/directory/server/core/event/EventInterceptor.java
    directory/apacheds/trunk/interceptors/exception/src/main/java/org/apache/directory/server/core/exception/ExceptionInterceptor.java
    directory/apacheds/trunk/interceptors/hash/src/main/java/org/apache/directory/server/core/hash/PasswordHashingInterceptor.java
    directory/apacheds/trunk/interceptors/journal/src/main/java/org/apache/directory/server/core/journal/JournalInterceptor.java
    directory/apacheds/trunk/interceptors/logger/src/main/java/org/apache/directory/server/core/logger/TimerInterceptor.java
    directory/apacheds/trunk/interceptors/normalization/src/main/java/org/apache/directory/server/core/normalization/NormalizationInterceptor.java
    directory/apacheds/trunk/interceptors/operational/src/main/java/org/apache/directory/server/core/operational/OperationalAttributeInterceptor.java
    directory/apacheds/trunk/interceptors/referral/src/main/java/org/apache/directory/server/core/referral/ReferralInterceptor.java
    directory/apacheds/trunk/interceptors/schema/src/main/java/org/apache/directory/server/core/schema/SchemaInterceptor.java
    directory/apacheds/trunk/interceptors/subtree/src/main/java/org/apache/directory/server/core/subtree/SubentryInterceptor.java
    directory/apacheds/trunk/interceptors/trigger/src/main/java/org/apache/directory/server/core/trigger/TriggerInterceptor.java

Modified: directory/apacheds/trunk/interceptor-kerberos/src/main/java/org/apache/directory/server/core/kerberos/KeyDerivationInterceptor.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/interceptor-kerberos/src/main/java/org/apache/directory/server/core/kerberos/KeyDerivationInterceptor.java?rev=1200870&r1=1200869&r2=1200870&view=diff
==============================================================================
--- directory/apacheds/trunk/interceptor-kerberos/src/main/java/org/apache/directory/server/core/kerberos/KeyDerivationInterceptor.java (original)
+++ directory/apacheds/trunk/interceptor-kerberos/src/main/java/org/apache/directory/server/core/kerberos/KeyDerivationInterceptor.java Fri Nov 11 13:15:39 2011
@@ -163,8 +163,7 @@ public class KeyDerivationInterceptor ex
      * @param subContext
      * @throws LdapException
      */
-    void detectPasswordModification( ModifyOperationContext modContext, ModifySubContext subContext )
-        throws LdapException
+    void detectPasswordModification( ModifyOperationContext modContext, ModifySubContext subContext ) throws LdapException
     {
         List<Modification> mods = modContext.getModItems();
 
@@ -237,18 +236,17 @@ public class KeyDerivationInterceptor ex
      * @param subContext
      * @throws LdapException
      */
-    void lookupPrincipalAttributes( ModifyOperationContext modContext, ModifySubContext subContext )
-        throws LdapException
+    void lookupPrincipalAttributes( ModifyOperationContext modContext, ModifySubContext subContext ) throws LdapException
     {
         Dn principalDn = modContext.getDn();
 
         LookupOperationContext lookupContext = modContext.newLookupContext( principalDn );
         lookupContext.setAttrsId( new String[]
-        {
+            {
             SchemaConstants.OBJECT_CLASS_AT,
             KerberosAttribute.KRB5_PRINCIPAL_NAME_AT,
             KerberosAttribute.KRB5_KEY_VERSION_NUMBER_AT
-        } );
+            } );
 
         Entry userEntry = directoryService.getPartitionNexus().lookup( lookupContext );
 
@@ -395,6 +393,7 @@ public class KeyDerivationInterceptor ex
         }
     }
 
+
     static class ModifySubContext
     {
         private boolean isPrincipal = false;

Modified: directory/apacheds/trunk/interceptors/admin/src/main/java/org/apache/directory/server/core/admin/AdministrativePointInterceptor.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/interceptors/admin/src/main/java/org/apache/directory/server/core/admin/AdministrativePointInterceptor.java?rev=1200870&r1=1200869&r2=1200870&view=diff
==============================================================================
--- directory/apacheds/trunk/interceptors/admin/src/main/java/org/apache/directory/server/core/admin/AdministrativePointInterceptor.java (original)
+++ directory/apacheds/trunk/interceptors/admin/src/main/java/org/apache/directory/server/core/admin/AdministrativePointInterceptor.java Fri Nov 11 13:15:39 2011
@@ -339,7 +339,7 @@ public class AdministrativePointIntercep
     private void addRole( String role, Dn dn, String uuid, DnNode<AccessControlAdministrativePoint> acapCache,
         DnNode<CollectiveAttributeAdministrativePoint> caapCache, DnNode<TriggerExecutionAdministrativePoint> teapCache,
         DnNode<SubschemaAdministrativePoint> ssapCache ) throws LdapException
-        {
+    {
         // Deal with Autonomous AP : create the 4 associated SAP/AAP
         if ( isAutonomousAreaRole( role ) )
         {
@@ -422,7 +422,7 @@ public class AdministrativePointIntercep
 
             return;
         }
-        }
+    }
 
 
 
@@ -433,7 +433,7 @@ public class AdministrativePointIntercep
     private void delRole( String role, Dn dn, String uuid, DnNode<AccessControlAdministrativePoint> acapCache,
         DnNode<CollectiveAttributeAdministrativePoint> caapCache, DnNode<TriggerExecutionAdministrativePoint> teapCache,
         DnNode<SubschemaAdministrativePoint> ssapCache ) throws LdapException
-        {
+    {
         // Deal with Autonomous AP : remove the 4 associated SAP/AAP
         if ( isAutonomousAreaRole( role ) )
         {
@@ -483,7 +483,7 @@ public class AdministrativePointIntercep
 
             return;
         }
-        }
+    }
 
 
     private AdministrativePoint getParent( AdministrativePoint ap, List<AdministrativePoint> aps,
@@ -824,9 +824,8 @@ public class AdministrativePointIntercep
     /**
      * Update The Administrative Points cache, removing the given AdminPoint
      */
-    private void deleteAdminPointCache( Attribute adminPoint, DeleteOperationContext deleteContext )
-        throws LdapException
-        {
+    private void deleteAdminPointCache( Attribute adminPoint, DeleteOperationContext deleteContext ) throws LdapException
+    {
         Dn dn = deleteContext.getDn();
 
         // Remove the APs in the AP cache
@@ -886,7 +885,7 @@ public class AdministrativePointIntercep
                 continue;
             }
         }
-        }
+    }
 
 
     /**
@@ -1065,9 +1064,8 @@ public class AdministrativePointIntercep
      * Check that the IAPs (if any) have a parent. We will check for each kind or role :
      * AC, CA and TE.
      */
-    private void checkIAPHasParent( String role, Attribute adminPoint, Dn dn )
-        throws LdapUnwillingToPerformException
-        {
+    private void checkIAPHasParent( String role, Attribute adminPoint, Dn dn ) throws LdapUnwillingToPerformException
+    {
         // Check for the AC role
         if ( isAccessControlInnerRole( role ) )
         {
@@ -1118,7 +1116,7 @@ public class AdministrativePointIntercep
             LOG.error( message );
             throw new LdapUnwillingToPerformException( message );
         }
-        }
+    }
 
 
     //-------------------------------------------------------------------------------------------
@@ -1457,9 +1455,8 @@ public class AdministrativePointIntercep
     /**
      * {@inheritDoc}
      */
-    public void moveAndRename( MoveAndRenameOperationContext moveAndRenameContext )
-        throws LdapException
-        {
+    public void moveAndRename( MoveAndRenameOperationContext moveAndRenameContext ) throws LdapException
+    {
         LOG.debug( ">>> Entering into the Administrative Interceptor, moveAndRenameRequest" );
         Entry entry = moveAndRenameContext.getOriginalEntry();
 
@@ -1480,7 +1477,7 @@ public class AdministrativePointIntercep
         String message = "Cannot move and rename an Administrative Point in the current version";
         LOG.error( message );
         throw new LdapUnwillingToPerformException( message );
-        }
+    }
 
 
     /**

Modified: directory/apacheds/trunk/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java?rev=1200870&r1=1200869&r2=1200870&view=diff
==============================================================================
--- directory/apacheds/trunk/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java (original)
+++ directory/apacheds/trunk/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java Fri Nov 11 13:15:39 2011
@@ -295,6 +295,9 @@ public class AuthenticationInterceptor e
     }
 
 
+    /**
+     * {@inheritDoc}
+     */
     public void add( AddOperationContext addContext ) throws LdapException
     {
         if ( IS_DEBUG )
@@ -373,361 +376,301 @@ public class AuthenticationInterceptor e
     }
 
 
-    public void delete( DeleteOperationContext deleteContext ) throws LdapException
-    {
-        if ( IS_DEBUG )
-        {
-            LOG.debug( "Operation Context: {}", deleteContext );
-        }
-
-        checkAuthenticated( deleteContext );
-        checkPwdReset( deleteContext );
-        next( deleteContext );
-        invalidateAuthenticatorCaches( deleteContext.getDn() );
-    }
-
-
     /**
      * {@inheritDoc}
      */
-    public Entry getRootDSE( GetRootDSEOperationContext getRootDseContext ) throws LdapException
+    public void bind( BindOperationContext bindContext ) throws LdapException
     {
         if ( IS_DEBUG )
         {
-            LOG.debug( "Operation Context: {}", getRootDseContext );
+            LOG.debug( "Operation Context: {}", bindContext );
         }
 
-        checkAuthenticated( getRootDseContext );
-        checkPwdReset( getRootDseContext );
-
-        return next( getRootDseContext );
-    }
+        if ( ( bindContext.getSession() != null ) && ( bindContext.getSession().getEffectivePrincipal() != null ) )
+        {
+            // null out the credentials
+            bindContext.setCredentials( null );
+        }
 
+        // pick the first matching authenticator type
+        AuthenticationLevel level = bindContext.getAuthenticationLevel();
 
-    /**
-     * {@inheritDoc}
-     */
-    public boolean hasEntry( EntryOperationContext hasEntryContext ) throws LdapException
-    {
-        if ( IS_DEBUG )
+        if ( level == AuthenticationLevel.UNAUTHENT )
         {
-            LOG.debug( "Operation Context: {}", hasEntryContext );
+            // This is a case where the Bind request contains a Dn, but no password.
+            // We don't check the Dn, we just return a UnwillingToPerform error
+            // Cf RFC 4513, chap. 5.1.2
+            throw new LdapUnwillingToPerformException( ResultCodeEnum.UNWILLING_TO_PERFORM, "Cannot Bind for Dn "
+                + bindContext.getDn().getName() );
         }
 
-        checkAuthenticated( hasEntryContext );
-        checkPwdReset( hasEntryContext );
+        Collection<Authenticator> authenticators = getAuthenticators( level );
 
-        return next( hasEntryContext );
-    }
+        if ( authenticators == null )
+        {
+            LOG.debug( "No authenticators found, delegating bind to the nexus." );
 
+            // as a last resort try binding via the nexus
+            next( bindContext );
 
-    /**
-     * {@inheritDoc}
-     */
-    public EntryFilteringCursor list( ListOperationContext listContext ) throws LdapException
-    {
-        if ( IS_DEBUG )
-        {
-            LOG.debug( "Operation Context: {}", listContext );
-        }
+            LOG.debug( "Nexus succeeded on bind operation." );
 
-        checkAuthenticated( listContext );
-        checkPwdReset( listContext );
+            // bind succeeded if we got this far
+            // TODO - authentication level not being set
+            LdapPrincipal principal = new LdapPrincipal( schemaManager, bindContext.getDn(), AuthenticationLevel.SIMPLE );
+            CoreSession session = new DefaultCoreSession( principal, directoryService );
+            bindContext.setSession( session );
 
-        return next( listContext );
-    }
+            // remove creds so there is no security risk
+            bindContext.setCredentials( null );
+            return;
+        }
+
+        boolean isPPolicyReqCtrlPresent = bindContext.hasRequestControl( PasswordPolicy.OID );
+        PasswordPolicyDecorator pwdRespCtrl =
+            new PasswordPolicyDecorator( directoryService.getLdapCodecService(), true );
 
+        boolean authenticated = false;
+        PasswordPolicyException ppe = null;
 
-    public Entry lookup( LookupOperationContext lookupContext ) throws LdapException
-    {
-        if ( IS_DEBUG )
+        // TODO : we should refactor that.
+        // try each authenticator
+        for ( Authenticator authenticator : authenticators )
         {
-            LOG.debug( "Operation Context: {}", lookupContext );
-        }
+            try
+            {
+                // perform the authentication
+                LdapPrincipal principal = authenticator.authenticate( bindContext );
 
-        checkAuthenticated( lookupContext );
-        checkPwdReset( lookupContext );
+                LdapPrincipal clonedPrincipal = ( LdapPrincipal ) ( principal.clone() );
 
-        return next( lookupContext );
-    }
+                // remove creds so there is no security risk
+                bindContext.setCredentials( null );
+                clonedPrincipal.setUserPassword( StringConstants.EMPTY_BYTES );
 
+                // authentication was successful
+                CoreSession session = new DefaultCoreSession( clonedPrincipal, directoryService );
+                bindContext.setSession( session );
 
-    private void invalidateAuthenticatorCaches( Dn principalDn )
-    {
-        for ( AuthenticationLevel authMech : authenticatorsMapByType.keySet() )
-        {
-            Collection<Authenticator> authenticators = getAuthenticators( authMech );
+                authenticated = true;
 
-            // try each authenticator
-            for ( Authenticator authenticator : authenticators )
+                // break out of the loop if the authentication succeeded
+                break;
+            }
+            catch ( PasswordPolicyException e )
             {
-                authenticator.invalidateCache( principalDn );
+                ppe = e;
+                break;
+            }
+            catch ( LdapAuthenticationException e )
+            {
+                // authentication failed, try the next authenticator
+                if ( LOG.isInfoEnabled() )
+                {
+                    LOG.info( "Authenticator {} failed to authenticate: {}", authenticator, bindContext );
+                }
+            }
+            catch ( Exception e )
+            {
+                // Log other exceptions than LdapAuthenticationException
+                if ( LOG.isWarnEnabled() )
+                {
+                    LOG.info( "Unexpected failure for Authenticator {} : {}", authenticator, bindContext );
+                }
             }
         }
-    }
 
-
-    public void modify( ModifyOperationContext modifyContext ) throws LdapException
-    {
-        if ( IS_DEBUG )
+        if ( ppe != null )
         {
-            LOG.debug( "Operation Context: {}", modifyContext );
+            if ( isPPolicyReqCtrlPresent )
+            {
+                pwdRespCtrl.getResponse().setPasswordPolicyError( PasswordPolicyErrorEnum.get( ppe.getErrorCode() ) );
+                bindContext.addResponseControl( pwdRespCtrl );
+            }
+
+            throw ppe;
         }
 
-        checkAuthenticated( modifyContext );
+        Dn dn = bindContext.getDn();
+        Entry userEntry = bindContext.getEntry();
 
+        PasswordPolicyConfiguration policyConfig = getPwdPolicy( userEntry );
 
-        if ( ! directoryService.isPwdPolicyEnabled() )
+        // check if the user entry is null, it will be null
+        // in cases of anonymous bind
+        if ( authenticated && ( userEntry == null ) && directoryService.isAllowAnonymousAccess() )
         {
-            next( modifyContext );
-            invalidateAuthenticatorCaches( modifyContext.getDn() );
             return;
         }
 
-        // handle the case where pwdPolicySubentry AT is about to be deleted in thid modify()
-        PasswordPolicyConfiguration policyConfig = getPwdPolicy( modifyContext.getEntry() );
-
-        boolean isPPolicyReqCtrlPresent = modifyContext.hasRequestControl( PasswordPolicy.OID );
-        Dn userDn = modifyContext.getSession().getAuthenticatedPrincipal().getDn();
-
-        PwdModDetailsHolder pwdModDetails = null;
-
-        pwdModDetails = getPwdModDetails( modifyContext, policyConfig );
-
-        if ( pwdModDetails.isPwdModPresent() )
+        if ( !authenticated )
         {
-            if ( pwdResetSet.contains( userDn ) )
+            if ( LOG.isInfoEnabled() )
             {
-                if ( pwdModDetails.isOtherModExists() )
-                {
-                    if ( isPPolicyReqCtrlPresent )
-                    {
-                        PasswordPolicyDecorator responseControl =
-                            new PasswordPolicyDecorator( directoryService.getLdapCodecService(), true );
-                        responseControl.getResponse().setPasswordPolicyError( PasswordPolicyErrorEnum.CHANGE_AFTER_RESET );
-                        modifyContext.addResponseControl( responseControl );
-                    }
-
-                    throw new LdapNoPermissionException();
-                }
+                LOG.info( "Cannot bind to the server " );
             }
 
-            if ( policyConfig.isPwdSafeModify() )
+            if ( ( policyConfig != null ) && ( userEntry != null ) )
             {
-                if ( pwdModDetails.isAddOrReplace() && !pwdModDetails.isDelete() )
-                {
-                    LOG.debug( "trying to update password attribute without the supplying the old password" );
-
-                    if ( isPPolicyReqCtrlPresent )
-                    {
-                        PasswordPolicyDecorator responseControl =
-                            new PasswordPolicyDecorator( directoryService.getLdapCodecService(), true );
-                        responseControl.getResponse().setPasswordPolicyError( PasswordPolicyErrorEnum.MUST_SUPPLY_OLD_PASSWORD );
-                        modifyContext.addResponseControl( responseControl );
-                    }
+                Attribute pwdFailTimeAt = userEntry.get( PWD_FAILURE_TIME_AT );
 
-                    throw new LdapNoPermissionException();
+                if ( pwdFailTimeAt == null )
+                {
+                    pwdFailTimeAt = new DefaultAttribute( AT_PWD_FAILURE_TIME );
                 }
-            }
-
-            if ( !policyConfig.isPwdAllowUserChange() && !modifyContext.getSession().isAnAdministrator() )
-            {
-                if ( isPPolicyReqCtrlPresent )
+                else
                 {
-                    PasswordPolicyDecorator responseControl =
-                        new PasswordPolicyDecorator( directoryService.getLdapCodecService(), true );
-                    responseControl.getResponse().setPasswordPolicyError( PasswordPolicyErrorEnum.PASSWORD_MOD_NOT_ALLOWED );
-                    modifyContext.addResponseControl( responseControl );
+                    PasswordUtil.purgeFailureTimes( policyConfig, pwdFailTimeAt );
                 }
 
-                throw new LdapNoPermissionException();
-            }
+                String failureTime = DateUtils.getGeneralizedTime();
+                pwdFailTimeAt.add( failureTime );
+                Modification pwdFailTimeMod = new DefaultModification( ADD_ATTRIBUTE, pwdFailTimeAt );
 
-            Entry entry = modifyContext.getEntry();
+                List<Modification> mods = new ArrayList<Modification>();
+                mods.add( pwdFailTimeMod );
 
-            if ( isPwdTooYoung( entry, policyConfig ) )
-            {
-                if ( isPPolicyReqCtrlPresent )
+                int numFailures = pwdFailTimeAt.size();
+
+                if ( policyConfig.isPwdLockout() && ( numFailures >= policyConfig.getPwdMaxFailure() ) )
                 {
-                    PasswordPolicyDecorator responseControl =
-                        new PasswordPolicyDecorator( directoryService.getLdapCodecService(), true );
-                    responseControl.getResponse().setPasswordPolicyError( PasswordPolicyErrorEnum.PASSWORD_TOO_YOUNG );
-                    modifyContext.addResponseControl( responseControl );
-                }
+                    Attribute pwdAccountLockedTimeAt = new DefaultAttribute( AT_PWD_ACCOUNT_LOCKED_TIME );
 
-                throw new LdapOperationException( ResultCodeEnum.CONSTRAINT_VIOLATION,
-                    "password is too young to update" );
-            }
+                    // if zero, lockout permanently, only admin can unlock it
+                    if ( policyConfig.getPwdLockoutDuration() == 0 )
+                    {
+                        pwdAccountLockedTimeAt.add( "000001010000Z" );
+                    }
+                    else
+                    {
+                        pwdAccountLockedTimeAt.add( failureTime );
+                    }
 
-            byte[] newPassword = null;
+                    Modification pwdAccountLockedMod = new DefaultModification( ADD_ATTRIBUTE, pwdAccountLockedTimeAt );
+                    mods.add( pwdAccountLockedMod );
 
-            if ( ( pwdModDetails != null ) )
-            {
-                newPassword = pwdModDetails.getNewPwd();
-
-                try
-                {
-                    String userName = entry.getDn().getRdn().getUpValue().getString();
-                    check( userName, newPassword, policyConfig );
+                    pwdRespCtrl.getResponse().setPasswordPolicyError( PasswordPolicyErrorEnum.ACCOUNT_LOCKED );
                 }
-                catch ( PasswordPolicyException e )
+                else if ( policyConfig.getPwdMinDelay() > 0 )
                 {
-                    if ( isPPolicyReqCtrlPresent )
+                    int numDelay = numFailures * policyConfig.getPwdMinDelay();
+                    int maxDelay = policyConfig.getPwdMaxDelay();
+                    if ( numDelay > maxDelay )
                     {
-                        PasswordPolicyDecorator responseControl =
-                            new PasswordPolicyDecorator( directoryService.getLdapCodecService(), true );
-                        responseControl.getResponse().setPasswordPolicyError( PasswordPolicyErrorEnum.get( e.getErrorCode() ) );
-                        modifyContext.addResponseControl( responseControl );
+                        numDelay = maxDelay;
                     }
 
-                    // throw exception if userPassword quality checks fail
-                    throw new LdapOperationException( ResultCodeEnum.CONSTRAINT_VIOLATION, e.getMessage(), e );
-                }
-            }
-
-            int histSize = policyConfig.getPwdInHistory();
-            Modification pwdRemHistMod = null;
-            Modification pwdAddHistMod = null;
-            String pwdChangedTime = DateUtils.getGeneralizedTime();
-
-            if ( histSize > 0 )
-            {
-                Attribute pwdHistoryAt = entry.get( PWD_HISTORY_AT );
-
-                if ( pwdHistoryAt == null )
-                {
-                    pwdHistoryAt = new DefaultAttribute( AT_PWD_HISTORY );
-                }
-
-                List<PasswordHistory> pwdHistLst = new ArrayList<PasswordHistory>();
-
-                for ( Value<?> value : pwdHistoryAt  )
-                {
-                    PasswordHistory pwdh = new PasswordHistory( Strings.utf8ToString( value.getBytes() ) );
-
-                    boolean matched = Arrays.equals( newPassword, pwdh.getPassword() );
-
-                    if ( matched )
+                    try
                     {
-                        if ( isPPolicyReqCtrlPresent )
-                        {
-                            PasswordPolicyDecorator responseControl =
-                                new PasswordPolicyDecorator( directoryService.getLdapCodecService(), true );
-                            responseControl.getResponse().setPasswordPolicyError( PasswordPolicyErrorEnum.PASSWORD_IN_HISTORY );
-                            modifyContext.addResponseControl( responseControl );
-                        }
-
-                        throw new LdapOperationException( ResultCodeEnum.CONSTRAINT_VIOLATION,
-                            "invalid reuse of password present in password history" );
+                        Thread.sleep( numDelay * 1000 );
+                    }
+                    catch ( InterruptedException e )
+                    {
+                        LOG.warn(
+                            "Interrupted while delaying to send the failed authentication response for the user {}",
+                            dn, e );
                     }
-
-                    pwdHistLst.add( pwdh );
-                }
-
-                if ( pwdHistLst.size() >= histSize )
-                {
-                    // see the javadoc of PasswordHistory
-                    Collections.sort( pwdHistLst );
-
-                    // remove the oldest value
-                    PasswordHistory remPwdHist = ( PasswordHistory ) pwdHistLst.toArray()[histSize - 1];
-                    Attribute tempAt = new DefaultAttribute( AT_PWD_HISTORY );
-                    tempAt.add( remPwdHist.getHistoryValue() );
-                    pwdRemHistMod = new DefaultModification( REMOVE_ATTRIBUTE, tempAt );
                 }
 
-                pwdHistoryAt.clear();
-                PasswordHistory newPwdHist = new PasswordHistory( pwdChangedTime, newPassword );
-                pwdHistoryAt.clear();
-                pwdHistoryAt.add( newPwdHist.getHistoryValue() );
-                pwdAddHistMod = new DefaultModification( ADD_ATTRIBUTE, pwdHistoryAt );
+                //adminSession.modify( dn, Collections.singletonList( pwdFailTimeMod ) );
+                ModifyOperationContext bindModCtx = new ModifyOperationContext( adminSession );
+                bindModCtx.setDn( dn );
+                bindModCtx.setModItems( mods );
+                directoryService.getPartitionNexus().modify( bindModCtx );
             }
 
-            next( modifyContext );
-
-            invalidateAuthenticatorCaches( modifyContext.getDn() );
-
+            String upDn = ( dn == null ? "" : dn.getName() );
+            throw new LdapAuthenticationException( I18n.err( I18n.ERR_229, upDn ) );
+        }
+        else if ( policyConfig != null )
+        {
             List<Modification> mods = new ArrayList<Modification>();
 
-            if ( ( policyConfig.getPwdMinAge() > 0 ) || ( policyConfig.getPwdMaxAge() > 0 ) )
+            if ( policyConfig.getPwdMaxIdle() > 0 )
             {
-                Attribute pwdChangedTimeAt = new DefaultAttribute( AT_PWD_CHANGED_TIME );
-                pwdChangedTimeAt.add( pwdChangedTime );
-                Modification pwdChangedTimeMod = new DefaultModification( REPLACE_ATTRIBUTE, pwdChangedTimeAt );
-                mods.add( pwdChangedTimeMod );
+                Attribute pwdLastSuccesTimeAt = new DefaultAttribute( AT_PWD_LAST_SUCCESS );
+                pwdLastSuccesTimeAt.add( DateUtils.getGeneralizedTime() );
+                Modification pwdLastSuccesTimeMod = new DefaultModification( REPLACE_ATTRIBUTE, pwdLastSuccesTimeAt );
+                mods.add( pwdLastSuccesTimeMod );
             }
 
-            if ( pwdAddHistMod != null )
+            Attribute pwdFailTimeAt = userEntry.get( AT_PWD_FAILURE_TIME );
+
+            if ( pwdFailTimeAt != null )
             {
-                mods.add( pwdAddHistMod );
+                Modification pwdFailTimeMod = new DefaultModification( REMOVE_ATTRIBUTE, pwdFailTimeAt );
+                mods.add( pwdFailTimeMod );
             }
 
-            if ( pwdRemHistMod != null )
+            Attribute pwdAccLockedTimeAt = userEntry.get( AT_PWD_ACCOUNT_LOCKED_TIME );
+
+            if ( pwdAccLockedTimeAt != null )
             {
-                mods.add( pwdRemHistMod );
+                Modification pwdAccLockedTimeMod = new DefaultModification( REMOVE_ATTRIBUTE, pwdAccLockedTimeAt );
+                mods.add( pwdAccLockedTimeMod );
             }
 
-            boolean removeFromPwdResetSet = false;
-
-            if ( policyConfig.isPwdMustChange() )
+            // checking the expiration time *after* performing authentication, do we need to care about millisecond precision?
+            if ( ( policyConfig.getPwdMaxAge() > 0 ) && ( policyConfig.getPwdGraceAuthNLimit() > 0 ) )
             {
-                Attribute pwdMustChangeAt = new DefaultAttribute( AT_PWD_RESET );
-                Modification pwdMustChangeMod = null;
+                Attribute pwdChangeTimeAttr = userEntry.get( PWD_CHANGED_TIME_AT );
 
-                if ( modifyContext.getSession().isAnAdministrator() )
-                {
-                    pwdMustChangeAt.add( "TRUE" );
-                    pwdMustChangeMod = new DefaultModification( REPLACE_ATTRIBUTE, pwdMustChangeAt );
-                }
-                else
+                if ( pwdChangeTimeAttr != null )
                 {
-                    pwdMustChangeMod = new DefaultModification( REMOVE_ATTRIBUTE, pwdMustChangeAt );
-                    removeFromPwdResetSet = true;
-                }
+                    boolean expired = PasswordUtil.isPwdExpired( pwdChangeTimeAttr.getString(),
+                        policyConfig.getPwdMaxAge() );
 
-                mods.add( pwdMustChangeMod );
-            }
+                    if ( expired )
+                    {
+                        Attribute pwdGraceUseAttr = userEntry.get( PWD_GRACE_USE_TIME_AT );
+                        int numGraceAuth = 0;
 
-            Attribute pwdFailureTimeAt = entry.get( PWD_FAILURE_TIME_AT );
+                        if ( pwdGraceUseAttr != null )
+                        {
+                            numGraceAuth = policyConfig.getPwdGraceAuthNLimit() - ( pwdGraceUseAttr.size() + 1 );
+                        }
+                        else
+                        {
+                            pwdGraceUseAttr = new DefaultAttribute( AT_PWD_GRACE_USE_TIME );
+                            numGraceAuth = policyConfig.getPwdGraceAuthNLimit() - 1;
+                        }
 
-            if ( pwdFailureTimeAt != null )
-            {
-                mods.add( new DefaultModification( REMOVE_ATTRIBUTE, pwdFailureTimeAt ) );
-            }
+                        pwdRespCtrl.getResponse().setGraceAuthNsRemaining( numGraceAuth );
 
-            Attribute pwdGraceUseTimeAt = entry.get( PWD_GRACE_USE_TIME_AT );
+                        pwdGraceUseAttr.add( DateUtils.getGeneralizedTime() );
+                        Modification pwdGraceUseMod = new DefaultModification( ADD_ATTRIBUTE, pwdGraceUseAttr );
+                        mods.add( pwdGraceUseMod );
+                    }
+                }
+            }
 
-            if ( pwdGraceUseTimeAt != null )
+            if ( !mods.isEmpty() )
             {
-                mods.add( new DefaultModification( REMOVE_ATTRIBUTE, pwdGraceUseTimeAt ) );
+                //adminSession.modify( dn, mods );
+                ModifyOperationContext bindModCtx = new ModifyOperationContext( adminSession );
+                bindModCtx.setDn( dn );
+                bindModCtx.setModItems( mods );
+                directoryService.getPartitionNexus().modify( bindModCtx );
             }
 
-            directoryService.getAdminSession().modify( modifyContext.getDn(), mods );
-
-            if ( removeFromPwdResetSet )
+            if ( isPPolicyReqCtrlPresent )
             {
-                pwdResetSet.remove( userDn );
-            }
-        }
-        else
-        {
-            next( modifyContext );
-            invalidateAuthenticatorCaches( modifyContext.getDn() );
-        }
-    }
+                int expiryWarnTime = getPwdTimeBeforeExpiry( userEntry, policyConfig );
+
+                if ( expiryWarnTime > 0 )
+                {
+                    pwdRespCtrl.getResponse().setTimeBeforeExpiration( expiryWarnTime );
+                }
 
+                if ( isPwdMustReset( userEntry ) )
+                {
+                    pwdRespCtrl.getResponse().setPasswordPolicyError( PasswordPolicyErrorEnum.CHANGE_AFTER_RESET );
+                    pwdResetSet.add( dn );
+                }
 
-    public void rename( RenameOperationContext renameContext ) throws LdapException
-    {
-        if ( IS_DEBUG )
-        {
-            LOG.debug( "Operation Context: {}", renameContext );
+                bindContext.addResponseControl( pwdRespCtrl );
+            }
         }
-
-        checkAuthenticated( renameContext );
-        checkPwdReset( renameContext );
-        next( renameContext );
-        invalidateAuthenticatorCaches( renameContext.getDn() );
     }
 
 
@@ -750,365 +693,430 @@ public class AuthenticationInterceptor e
     }
 
 
-    public void moveAndRename( MoveAndRenameOperationContext moveAndRenameContext ) throws LdapException
+    /**
+     * {@inheritDoc}
+     */
+    public void delete( DeleteOperationContext deleteContext ) throws LdapException
     {
         if ( IS_DEBUG )
         {
-            LOG.debug( "Operation Context: {}", moveAndRenameContext );
+            LOG.debug( "Operation Context: {}", deleteContext );
         }
 
-        checkAuthenticated( moveAndRenameContext );
-        checkPwdReset( moveAndRenameContext );
-        next( moveAndRenameContext );
-        invalidateAuthenticatorCaches( moveAndRenameContext.getDn() );
+        checkAuthenticated( deleteContext );
+        checkPwdReset( deleteContext );
+        next( deleteContext );
+        invalidateAuthenticatorCaches( deleteContext.getDn() );
     }
 
 
     /**
      * {@inheritDoc}
      */
-    public void move( MoveOperationContext moveContext ) throws LdapException
+    public Entry getRootDSE( GetRootDSEOperationContext getRootDseContext ) throws LdapException
     {
         if ( IS_DEBUG )
         {
-            LOG.debug( "Operation Context: {}", moveContext );
+            LOG.debug( "Operation Context: {}", getRootDseContext );
         }
 
-        checkAuthenticated( moveContext );
-        checkPwdReset( moveContext );
-        next( moveContext );
-        invalidateAuthenticatorCaches( moveContext.getDn() );
+        checkAuthenticated( getRootDseContext );
+        checkPwdReset( getRootDseContext );
+
+        return next( getRootDseContext );
     }
 
 
-    public EntryFilteringCursor search( SearchOperationContext searchContext ) throws LdapException
+    /**
+     * {@inheritDoc}
+     */
+    public boolean hasEntry( EntryOperationContext hasEntryContext ) throws LdapException
     {
         if ( IS_DEBUG )
         {
-            LOG.debug( "Operation Context: {}", searchContext );
+            LOG.debug( "Operation Context: {}", hasEntryContext );
         }
 
-        checkAuthenticated( searchContext );
-        checkPwdReset( searchContext );
+        checkAuthenticated( hasEntryContext );
+        checkPwdReset( hasEntryContext );
 
-        return next( searchContext );
+        return next( hasEntryContext );
     }
 
 
     /**
-     * Check if the current operation has a valid PrincipalDN or not.
-     *
-     * @param operation the operation type
-     * @throws Exception
+     * {@inheritDoc}
      */
-    private void checkAuthenticated( OperationContext operation ) throws LdapException
+    public EntryFilteringCursor list( ListOperationContext listContext ) throws LdapException
     {
-        if ( operation.getSession().isAnonymous() && !directoryService.isAllowAnonymousAccess()
-            && !operation.getDn().isEmpty() )
+        if ( IS_DEBUG )
         {
-            String msg = I18n.err( I18n.ERR_5, operation.getName() );
-            LOG.error( msg );
-            throw new LdapNoPermissionException( msg );
+            LOG.debug( "Operation Context: {}", listContext );
         }
+
+        checkAuthenticated( listContext );
+        checkPwdReset( listContext );
+
+        return next( listContext );
     }
 
 
-    public void bind( BindOperationContext bindContext ) throws LdapException
+    /**
+     * {@inheritDoc}
+     */
+    public Entry lookup( LookupOperationContext lookupContext ) throws LdapException
     {
         if ( IS_DEBUG )
         {
-            LOG.debug( "Operation Context: {}", bindContext );
+            LOG.debug( "Operation Context: {}", lookupContext );
         }
 
-        if ( ( bindContext.getSession() != null ) && ( bindContext.getSession().getEffectivePrincipal() != null ) )
-        {
-            // null out the credentials
-            bindContext.setCredentials( null );
-        }
+        checkAuthenticated( lookupContext );
+        checkPwdReset( lookupContext );
 
-        // pick the first matching authenticator type
-        AuthenticationLevel level = bindContext.getAuthenticationLevel();
+        return next( lookupContext );
+    }
 
-        if ( level == AuthenticationLevel.UNAUTHENT )
+
+    private void invalidateAuthenticatorCaches( Dn principalDn )
+    {
+        for ( AuthenticationLevel authMech : authenticatorsMapByType.keySet() )
         {
-            // This is a case where the Bind request contains a Dn, but no password.
-            // We don't check the Dn, we just return a UnwillingToPerform error
-            // Cf RFC 4513, chap. 5.1.2
-            throw new LdapUnwillingToPerformException( ResultCodeEnum.UNWILLING_TO_PERFORM, "Cannot Bind for Dn "
-                + bindContext.getDn().getName() );
+            Collection<Authenticator> authenticators = getAuthenticators( authMech );
+
+            // try each authenticator
+            for ( Authenticator authenticator : authenticators )
+            {
+                authenticator.invalidateCache( principalDn );
+            }
         }
+    }
 
-        Collection<Authenticator> authenticators = getAuthenticators( level );
 
-        if ( authenticators == null )
+    /**
+     * {@inheritDoc}
+     */
+    public void modify( ModifyOperationContext modifyContext ) throws LdapException
+    {
+        if ( IS_DEBUG )
         {
-            LOG.debug( "No authenticators found, delegating bind to the nexus." );
-
-            // as a last resort try binding via the nexus
-            next( bindContext );
+            LOG.debug( "Operation Context: {}", modifyContext );
+        }
 
-            LOG.debug( "Nexus succeeded on bind operation." );
+        checkAuthenticated( modifyContext );
 
-            // bind succeeded if we got this far
-            // TODO - authentication level not being set
-            LdapPrincipal principal = new LdapPrincipal( schemaManager, bindContext.getDn(), AuthenticationLevel.SIMPLE );
-            CoreSession session = new DefaultCoreSession( principal, directoryService );
-            bindContext.setSession( session );
 
-            // remove creds so there is no security risk
-            bindContext.setCredentials( null );
+        if ( ! directoryService.isPwdPolicyEnabled() )
+        {
+            next( modifyContext );
+            invalidateAuthenticatorCaches( modifyContext.getDn() );
             return;
         }
 
-        boolean isPPolicyReqCtrlPresent = bindContext.hasRequestControl( PasswordPolicy.OID );
-        PasswordPolicyDecorator pwdRespCtrl =
-            new PasswordPolicyDecorator( directoryService.getLdapCodecService(), true );
+        // handle the case where pwdPolicySubentry AT is about to be deleted in thid modify()
+        PasswordPolicyConfiguration policyConfig = getPwdPolicy( modifyContext.getEntry() );
 
-        boolean authenticated = false;
-        PasswordPolicyException ppe = null;
+        boolean isPPolicyReqCtrlPresent = modifyContext.hasRequestControl( PasswordPolicy.OID );
+        Dn userDn = modifyContext.getSession().getAuthenticatedPrincipal().getDn();
 
-        // TODO : we should refactor that.
-        // try each authenticator
-        for ( Authenticator authenticator : authenticators )
+        PwdModDetailsHolder pwdModDetails = null;
+
+        pwdModDetails = getPwdModDetails( modifyContext, policyConfig );
+
+        if ( pwdModDetails.isPwdModPresent() )
         {
-            try
+            if ( pwdResetSet.contains( userDn ) )
             {
-                // perform the authentication
-                LdapPrincipal principal = authenticator.authenticate( bindContext );
-
-                LdapPrincipal clonedPrincipal = ( LdapPrincipal ) ( principal.clone() );
+                if ( pwdModDetails.isOtherModExists() )
+                {
+                    if ( isPPolicyReqCtrlPresent )
+                    {
+                        PasswordPolicyDecorator responseControl =
+                            new PasswordPolicyDecorator( directoryService.getLdapCodecService(), true );
+                        responseControl.getResponse().setPasswordPolicyError( PasswordPolicyErrorEnum.CHANGE_AFTER_RESET );
+                        modifyContext.addResponseControl( responseControl );
+                    }
 
-                // remove creds so there is no security risk
-                bindContext.setCredentials( null );
-                clonedPrincipal.setUserPassword( StringConstants.EMPTY_BYTES );
+                    throw new LdapNoPermissionException();
+                }
+            }
 
-                // authentication was successful
-                CoreSession session = new DefaultCoreSession( clonedPrincipal, directoryService );
-                bindContext.setSession( session );
+            if ( policyConfig.isPwdSafeModify() )
+            {
+                if ( pwdModDetails.isAddOrReplace() && !pwdModDetails.isDelete() )
+                {
+                    LOG.debug( "trying to update password attribute without the supplying the old password" );
 
-                authenticated = true;
+                    if ( isPPolicyReqCtrlPresent )
+                    {
+                        PasswordPolicyDecorator responseControl =
+                            new PasswordPolicyDecorator( directoryService.getLdapCodecService(), true );
+                        responseControl.getResponse().setPasswordPolicyError( PasswordPolicyErrorEnum.MUST_SUPPLY_OLD_PASSWORD );
+                        modifyContext.addResponseControl( responseControl );
+                    }
 
-                // break out of the loop if the authentication succeeded
-                break;
+                    throw new LdapNoPermissionException();
+                }
             }
-            catch ( PasswordPolicyException e )
+
+            if ( !policyConfig.isPwdAllowUserChange() && !modifyContext.getSession().isAnAdministrator() )
             {
-                ppe = e;
-                break;
+                if ( isPPolicyReqCtrlPresent )
+                {
+                    PasswordPolicyDecorator responseControl =
+                        new PasswordPolicyDecorator( directoryService.getLdapCodecService(), true );
+                    responseControl.getResponse().setPasswordPolicyError( PasswordPolicyErrorEnum.PASSWORD_MOD_NOT_ALLOWED );
+                    modifyContext.addResponseControl( responseControl );
+                }
+
+                throw new LdapNoPermissionException();
             }
-            catch ( LdapAuthenticationException e )
+
+            Entry entry = modifyContext.getEntry();
+
+            if ( isPwdTooYoung( entry, policyConfig ) )
             {
-                // authentication failed, try the next authenticator
-                if ( LOG.isInfoEnabled() )
+                if ( isPPolicyReqCtrlPresent )
                 {
-                    LOG.info( "Authenticator {} failed to authenticate: {}", authenticator, bindContext );
+                    PasswordPolicyDecorator responseControl =
+                        new PasswordPolicyDecorator( directoryService.getLdapCodecService(), true );
+                    responseControl.getResponse().setPasswordPolicyError( PasswordPolicyErrorEnum.PASSWORD_TOO_YOUNG );
+                    modifyContext.addResponseControl( responseControl );
                 }
+
+                throw new LdapOperationException( ResultCodeEnum.CONSTRAINT_VIOLATION,
+                    "password is too young to update" );
             }
-            catch ( Exception e )
+
+            byte[] newPassword = null;
+
+            if ( ( pwdModDetails != null ) )
             {
-                // Log other exceptions than LdapAuthenticationException
-                if ( LOG.isWarnEnabled() )
+                newPassword = pwdModDetails.getNewPwd();
+
+                try
                 {
-                    LOG.info( "Unexpected failure for Authenticator {} : {}", authenticator, bindContext );
+                    String userName = entry.getDn().getRdn().getUpValue().getString();
+                    check( userName, newPassword, policyConfig );
+                }
+                catch ( PasswordPolicyException e )
+                {
+                    if ( isPPolicyReqCtrlPresent )
+                    {
+                        PasswordPolicyDecorator responseControl =
+                            new PasswordPolicyDecorator( directoryService.getLdapCodecService(), true );
+                        responseControl.getResponse().setPasswordPolicyError( PasswordPolicyErrorEnum.get( e.getErrorCode() ) );
+                        modifyContext.addResponseControl( responseControl );
+                    }
+
+                    // throw exception if userPassword quality checks fail
+                    throw new LdapOperationException( ResultCodeEnum.CONSTRAINT_VIOLATION, e.getMessage(), e );
                 }
             }
-        }
 
-        if ( ppe != null )
-        {
-            if ( isPPolicyReqCtrlPresent )
+            int histSize = policyConfig.getPwdInHistory();
+            Modification pwdRemHistMod = null;
+            Modification pwdAddHistMod = null;
+            String pwdChangedTime = DateUtils.getGeneralizedTime();
+
+            if ( histSize > 0 )
             {
-                pwdRespCtrl.getResponse().setPasswordPolicyError( PasswordPolicyErrorEnum.get( ppe.getErrorCode() ) );
-                bindContext.addResponseControl( pwdRespCtrl );
-            }
+                Attribute pwdHistoryAt = entry.get( PWD_HISTORY_AT );
 
-            throw ppe;
-        }
+                if ( pwdHistoryAt == null )
+                {
+                    pwdHistoryAt = new DefaultAttribute( AT_PWD_HISTORY );
+                }
 
-        Dn dn = bindContext.getDn();
-        Entry userEntry = bindContext.getEntry();
+                List<PasswordHistory> pwdHistLst = new ArrayList<PasswordHistory>();
+
+                for ( Value<?> value : pwdHistoryAt  )
+                {
+                    PasswordHistory pwdh = new PasswordHistory( Strings.utf8ToString( value.getBytes() ) );
+
+                    boolean matched = Arrays.equals( newPassword, pwdh.getPassword() );
+
+                    if ( matched )
+                    {
+                        if ( isPPolicyReqCtrlPresent )
+                        {
+                            PasswordPolicyDecorator responseControl =
+                                new PasswordPolicyDecorator( directoryService.getLdapCodecService(), true );
+                            responseControl.getResponse().setPasswordPolicyError( PasswordPolicyErrorEnum.PASSWORD_IN_HISTORY );
+                            modifyContext.addResponseControl( responseControl );
+                        }
+
+                        throw new LdapOperationException( ResultCodeEnum.CONSTRAINT_VIOLATION,
+                            "invalid reuse of password present in password history" );
+                    }
+
+                    pwdHistLst.add( pwdh );
+                }
+
+                if ( pwdHistLst.size() >= histSize )
+                {
+                    // see the javadoc of PasswordHistory
+                    Collections.sort( pwdHistLst );
+
+                    // remove the oldest value
+                    PasswordHistory remPwdHist = ( PasswordHistory ) pwdHistLst.toArray()[histSize - 1];
+                    Attribute tempAt = new DefaultAttribute( AT_PWD_HISTORY );
+                    tempAt.add( remPwdHist.getHistoryValue() );
+                    pwdRemHistMod = new DefaultModification( REMOVE_ATTRIBUTE, tempAt );
+                }
+
+                pwdHistoryAt.clear();
+                PasswordHistory newPwdHist = new PasswordHistory( pwdChangedTime, newPassword );
+                pwdHistoryAt.clear();
+                pwdHistoryAt.add( newPwdHist.getHistoryValue() );
+                pwdAddHistMod = new DefaultModification( ADD_ATTRIBUTE, pwdHistoryAt );
+            }
+
+            next( modifyContext );
 
-        PasswordPolicyConfiguration policyConfig = getPwdPolicy( userEntry );
+            invalidateAuthenticatorCaches( modifyContext.getDn() );
 
-        // check if the user entry is null, it will be null
-        // in cases of anonymous bind
-        if ( authenticated && ( userEntry == null ) && directoryService.isAllowAnonymousAccess() )
-        {
-            return;
-        }
+            List<Modification> mods = new ArrayList<Modification>();
 
-        if ( !authenticated )
-        {
-            if ( LOG.isInfoEnabled() )
+            if ( ( policyConfig.getPwdMinAge() > 0 ) || ( policyConfig.getPwdMaxAge() > 0 ) )
             {
-                LOG.info( "Cannot bind to the server " );
+                Attribute pwdChangedTimeAt = new DefaultAttribute( AT_PWD_CHANGED_TIME );
+                pwdChangedTimeAt.add( pwdChangedTime );
+                Modification pwdChangedTimeMod = new DefaultModification( REPLACE_ATTRIBUTE, pwdChangedTimeAt );
+                mods.add( pwdChangedTimeMod );
             }
 
-            if ( ( policyConfig != null ) && ( userEntry != null ) )
+            if ( pwdAddHistMod != null )
             {
-                Attribute pwdFailTimeAt = userEntry.get( PWD_FAILURE_TIME_AT );
-
-                if ( pwdFailTimeAt == null )
-                {
-                    pwdFailTimeAt = new DefaultAttribute( AT_PWD_FAILURE_TIME );
-                }
-                else
-                {
-                    PasswordUtil.purgeFailureTimes( policyConfig, pwdFailTimeAt );
-                }
+                mods.add( pwdAddHistMod );
+            }
 
-                String failureTime = DateUtils.getGeneralizedTime();
-                pwdFailTimeAt.add( failureTime );
-                Modification pwdFailTimeMod = new DefaultModification( ADD_ATTRIBUTE, pwdFailTimeAt );
+            if ( pwdRemHistMod != null )
+            {
+                mods.add( pwdRemHistMod );
+            }
 
-                List<Modification> mods = new ArrayList<Modification>();
-                mods.add( pwdFailTimeMod );
+            boolean removeFromPwdResetSet = false;
 
-                int numFailures = pwdFailTimeAt.size();
+            if ( policyConfig.isPwdMustChange() )
+            {
+                Attribute pwdMustChangeAt = new DefaultAttribute( AT_PWD_RESET );
+                Modification pwdMustChangeMod = null;
 
-                if ( policyConfig.isPwdLockout() && ( numFailures >= policyConfig.getPwdMaxFailure() ) )
+                if ( modifyContext.getSession().isAnAdministrator() )
                 {
-                    Attribute pwdAccountLockedTimeAt = new DefaultAttribute( AT_PWD_ACCOUNT_LOCKED_TIME );
-
-                    // if zero, lockout permanently, only admin can unlock it
-                    if ( policyConfig.getPwdLockoutDuration() == 0 )
-                    {
-                        pwdAccountLockedTimeAt.add( "000001010000Z" );
-                    }
-                    else
-                    {
-                        pwdAccountLockedTimeAt.add( failureTime );
-                    }
-
-                    Modification pwdAccountLockedMod = new DefaultModification( ADD_ATTRIBUTE, pwdAccountLockedTimeAt );
-                    mods.add( pwdAccountLockedMod );
-
-                    pwdRespCtrl.getResponse().setPasswordPolicyError( PasswordPolicyErrorEnum.ACCOUNT_LOCKED );
+                    pwdMustChangeAt.add( "TRUE" );
+                    pwdMustChangeMod = new DefaultModification( REPLACE_ATTRIBUTE, pwdMustChangeAt );
                 }
-                else if ( policyConfig.getPwdMinDelay() > 0 )
+                else
                 {
-                    int numDelay = numFailures * policyConfig.getPwdMinDelay();
-                    int maxDelay = policyConfig.getPwdMaxDelay();
-                    if ( numDelay > maxDelay )
-                    {
-                        numDelay = maxDelay;
-                    }
-
-                    try
-                    {
-                        Thread.sleep( numDelay * 1000 );
-                    }
-                    catch ( InterruptedException e )
-                    {
-                        LOG.warn(
-                            "Interrupted while delaying to send the failed authentication response for the user {}",
-                            dn, e );
-                    }
+                    pwdMustChangeMod = new DefaultModification( REMOVE_ATTRIBUTE, pwdMustChangeAt );
+                    removeFromPwdResetSet = true;
                 }
 
-                //adminSession.modify( dn, Collections.singletonList( pwdFailTimeMod ) );
-                ModifyOperationContext bindModCtx = new ModifyOperationContext( adminSession );
-                bindModCtx.setDn( dn );
-                bindModCtx.setModItems( mods );
-                directoryService.getPartitionNexus().modify( bindModCtx );
+                mods.add( pwdMustChangeMod );
             }
 
-            String upDn = ( dn == null ? "" : dn.getName() );
-            throw new LdapAuthenticationException( I18n.err( I18n.ERR_229, upDn ) );
-        }
-        else if ( policyConfig != null )
-        {
-            List<Modification> mods = new ArrayList<Modification>();
+            Attribute pwdFailureTimeAt = entry.get( PWD_FAILURE_TIME_AT );
 
-            if ( policyConfig.getPwdMaxIdle() > 0 )
+            if ( pwdFailureTimeAt != null )
             {
-                Attribute pwdLastSuccesTimeAt = new DefaultAttribute( AT_PWD_LAST_SUCCESS );
-                pwdLastSuccesTimeAt.add( DateUtils.getGeneralizedTime() );
-                Modification pwdLastSuccesTimeMod = new DefaultModification( REPLACE_ATTRIBUTE, pwdLastSuccesTimeAt );
-                mods.add( pwdLastSuccesTimeMod );
+                mods.add( new DefaultModification( REMOVE_ATTRIBUTE, pwdFailureTimeAt ) );
             }
 
-            Attribute pwdFailTimeAt = userEntry.get( AT_PWD_FAILURE_TIME );
+            Attribute pwdGraceUseTimeAt = entry.get( PWD_GRACE_USE_TIME_AT );
 
-            if ( pwdFailTimeAt != null )
+            if ( pwdGraceUseTimeAt != null )
             {
-                Modification pwdFailTimeMod = new DefaultModification( REMOVE_ATTRIBUTE, pwdFailTimeAt );
-                mods.add( pwdFailTimeMod );
+                mods.add( new DefaultModification( REMOVE_ATTRIBUTE, pwdGraceUseTimeAt ) );
             }
 
-            Attribute pwdAccLockedTimeAt = userEntry.get( AT_PWD_ACCOUNT_LOCKED_TIME );
+            directoryService.getAdminSession().modify( modifyContext.getDn(), mods );
 
-            if ( pwdAccLockedTimeAt != null )
+            if ( removeFromPwdResetSet )
             {
-                Modification pwdAccLockedTimeMod = new DefaultModification( REMOVE_ATTRIBUTE, pwdAccLockedTimeAt );
-                mods.add( pwdAccLockedTimeMod );
+                pwdResetSet.remove( userDn );
             }
+        }
+        else
+        {
+            next( modifyContext );
+            invalidateAuthenticatorCaches( modifyContext.getDn() );
+        }
+    }
 
-            // checking the expiration time *after* performing authentication, do we need to care about millisecond precision?
-            if ( ( policyConfig.getPwdMaxAge() > 0 ) && ( policyConfig.getPwdGraceAuthNLimit() > 0 ) )
-            {
-                Attribute pwdChangeTimeAttr = userEntry.get( PWD_CHANGED_TIME_AT );
 
-                if ( pwdChangeTimeAttr != null )
-                {
-                    boolean expired = PasswordUtil.isPwdExpired( pwdChangeTimeAttr.getString(),
-                        policyConfig.getPwdMaxAge() );
+    /**
+     * {@inheritDoc}
+     */
+    public void move( MoveOperationContext moveContext ) throws LdapException
+    {
+        if ( IS_DEBUG )
+        {
+            LOG.debug( "Operation Context: {}", moveContext );
+        }
 
-                    if ( expired )
-                    {
-                        Attribute pwdGraceUseAttr = userEntry.get( PWD_GRACE_USE_TIME_AT );
-                        int numGraceAuth = 0;
+        checkAuthenticated( moveContext );
+        checkPwdReset( moveContext );
+        next( moveContext );
+        invalidateAuthenticatorCaches( moveContext.getDn() );
+    }
 
-                        if ( pwdGraceUseAttr != null )
-                        {
-                            numGraceAuth = policyConfig.getPwdGraceAuthNLimit() - ( pwdGraceUseAttr.size() + 1 );
-                        }
-                        else
-                        {
-                            pwdGraceUseAttr = new DefaultAttribute( AT_PWD_GRACE_USE_TIME );
-                            numGraceAuth = policyConfig.getPwdGraceAuthNLimit() - 1;
-                        }
 
-                        pwdRespCtrl.getResponse().setGraceAuthNsRemaining( numGraceAuth );
+    /**
+     * {@inheritDoc}
+     */
+    public void moveAndRename( MoveAndRenameOperationContext moveAndRenameContext ) throws LdapException
+    {
+        if ( IS_DEBUG )
+        {
+            LOG.debug( "Operation Context: {}", moveAndRenameContext );
+        }
 
-                        pwdGraceUseAttr.add( DateUtils.getGeneralizedTime() );
-                        Modification pwdGraceUseMod = new DefaultModification( ADD_ATTRIBUTE, pwdGraceUseAttr );
-                        mods.add( pwdGraceUseMod );
-                    }
-                }
-            }
+        checkAuthenticated( moveAndRenameContext );
+        checkPwdReset( moveAndRenameContext );
+        next( moveAndRenameContext );
+        invalidateAuthenticatorCaches( moveAndRenameContext.getDn() );
+    }
 
-            if ( !mods.isEmpty() )
-            {
-                //adminSession.modify( dn, mods );
-                ModifyOperationContext bindModCtx = new ModifyOperationContext( adminSession );
-                bindModCtx.setDn( dn );
-                bindModCtx.setModItems( mods );
-                directoryService.getPartitionNexus().modify( bindModCtx );
-            }
 
-            if ( isPPolicyReqCtrlPresent )
-            {
-                int expiryWarnTime = getPwdTimeBeforeExpiry( userEntry, policyConfig );
+    /**
+     * {@inheritDoc}
+     */
+    public void rename( RenameOperationContext renameContext ) throws LdapException
+    {
+        if ( IS_DEBUG )
+        {
+            LOG.debug( "Operation Context: {}", renameContext );
+        }
 
-                if ( expiryWarnTime > 0 )
-                {
-                    pwdRespCtrl.getResponse().setTimeBeforeExpiration( expiryWarnTime );
-                }
+        checkAuthenticated( renameContext );
+        checkPwdReset( renameContext );
+        next( renameContext );
+        invalidateAuthenticatorCaches( renameContext.getDn() );
+    }
 
-                if ( isPwdMustReset( userEntry ) )
-                {
-                    pwdRespCtrl.getResponse().setPasswordPolicyError( PasswordPolicyErrorEnum.CHANGE_AFTER_RESET );
-                    pwdResetSet.add( dn );
-                }
 
-                bindContext.addResponseControl( pwdRespCtrl );
-            }
+    /**
+     * {@inheritDoc}
+     */
+    public EntryFilteringCursor search( SearchOperationContext searchContext ) throws LdapException
+    {
+        if ( IS_DEBUG )
+        {
+            LOG.debug( "Operation Context: {}", searchContext );
         }
+
+        checkAuthenticated( searchContext );
+        checkPwdReset( searchContext );
+
+        return next( searchContext );
     }
 
 
-    @Override
+    /**
+     * {@inheritDoc}
+     */
     public void unbind( UnbindOperationContext unbindContext ) throws LdapException
     {
         next( unbindContext );
@@ -1124,6 +1132,24 @@ public class AuthenticationInterceptor e
 
 
     /**
+     * Check if the current operation has a valid PrincipalDN or not.
+     *
+     * @param operation the operation type
+     * @throws Exception
+     */
+    private void checkAuthenticated( OperationContext operation ) throws LdapException
+    {
+        if ( operation.getSession().isAnonymous() && !directoryService.isAllowAnonymousAccess()
+            && !operation.getDn().isEmpty() )
+        {
+            String msg = I18n.err( I18n.ERR_5, operation.getName() );
+            LOG.error( msg );
+            throw new LdapNoPermissionException( msg );
+        }
+    }
+
+
+    /**
      * Initialize the PasswordPolicy attributeTypes
      * 
      * @throws LdapException If the initialization failed
@@ -1157,7 +1183,6 @@ public class AuthenticationInterceptor e
 
 
     // ---------- private methods ----------------
-
     private void check( String username, byte[] password, PasswordPolicyConfiguration policyConfig ) throws LdapException
     {
         final int qualityVal = policyConfig.getPwdCheckQuality();



Mime
View raw message