directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From elecha...@apache.org
Subject svn commit: r1201362 [2/6] - in /directory/apacheds/branches/apacheds-osgi: interceptor-kerberos/ interceptor-kerberos/src/main/java/org/apache/directory/server/core/kerberos/ interceptors/admin/ interceptors/admin/src/main/java/org/apache/directory/se...
Date Sat, 12 Nov 2011 23:58:42 GMT
Modified: directory/apacheds/branches/apacheds-osgi/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-osgi/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java?rev=1201362&r1=1201361&r2=1201362&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-osgi/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java (original)
+++ directory/apacheds/branches/apacheds-osgi/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java Sat Nov 12 23:58:40 2011
@@ -43,20 +43,21 @@ import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
-import org.apache.directory.server.core.shared.DefaultCoreSession;
 import org.apache.directory.server.core.api.CoreSession;
 import org.apache.directory.server.core.api.DirectoryService;
+import org.apache.directory.server.core.api.InterceptorEnum;
 import org.apache.directory.server.core.api.LdapPrincipal;
+import org.apache.directory.server.core.api.authn.ppolicy.PasswordPolicyConfiguration;
+import org.apache.directory.server.core.api.authn.ppolicy.PasswordPolicyException;
 import org.apache.directory.server.core.api.filtering.EntryFilteringCursor;
 import org.apache.directory.server.core.api.interceptor.BaseInterceptor;
 import org.apache.directory.server.core.api.interceptor.Interceptor;
-import org.apache.directory.server.core.api.interceptor.NextInterceptor;
 import org.apache.directory.server.core.api.interceptor.context.AddOperationContext;
 import org.apache.directory.server.core.api.interceptor.context.BindOperationContext;
 import org.apache.directory.server.core.api.interceptor.context.CompareOperationContext;
 import org.apache.directory.server.core.api.interceptor.context.DeleteOperationContext;
-import org.apache.directory.server.core.api.interceptor.context.EntryOperationContext;
-import org.apache.directory.server.core.api.interceptor.context.GetRootDSEOperationContext;
+import org.apache.directory.server.core.api.interceptor.context.HasEntryOperationContext;
+import org.apache.directory.server.core.api.interceptor.context.GetRootDseOperationContext;
 import org.apache.directory.server.core.api.interceptor.context.ListOperationContext;
 import org.apache.directory.server.core.api.interceptor.context.LookupOperationContext;
 import org.apache.directory.server.core.api.interceptor.context.ModifyOperationContext;
@@ -66,9 +67,8 @@ import org.apache.directory.server.core.
 import org.apache.directory.server.core.api.interceptor.context.RenameOperationContext;
 import org.apache.directory.server.core.api.interceptor.context.SearchOperationContext;
 import org.apache.directory.server.core.api.interceptor.context.UnbindOperationContext;
-import org.apache.directory.server.core.api.authn.ppolicy.PasswordPolicyConfiguration;
-import org.apache.directory.server.core.api.authn.ppolicy.PasswordPolicyException;
 import org.apache.directory.server.core.authn.ppolicy.PpolicyConfigContainer;
+import org.apache.directory.server.core.shared.DefaultCoreSession;
 import org.apache.directory.server.i18n.I18n;
 import org.apache.directory.shared.ldap.extras.controls.ppolicy.PasswordPolicy;
 import org.apache.directory.shared.ldap.extras.controls.ppolicy.PasswordPolicyErrorEnum;
@@ -115,7 +115,7 @@ public class AuthenticationInterceptor e
 
     /** A Set of all the existing Authenticator to be used by the bind operation */
     private Set<Authenticator> authenticators = new HashSet<Authenticator>();
-    
+
     /** A map of authenticators associated with the authentication level required */
     private final Map<AuthenticationLevel, Collection<Authenticator>> authenticatorsMapByType = new HashMap<AuthenticationLevel, Collection<Authenticator>>();
 
@@ -150,6 +150,7 @@ public class AuthenticationInterceptor e
      */
     public AuthenticationInterceptor()
     {
+        super( InterceptorEnum.AUTHENTICATION_INTERCEPTOR );
     }
 
 
@@ -167,7 +168,7 @@ public class AuthenticationInterceptor e
         {
             setDefaultAuthenticators();
         }
-        
+
         // Register all authenticators
         for ( Authenticator authenticator : authenticators )
         {
@@ -187,7 +188,7 @@ public class AuthenticationInterceptor e
         {
             authenticators = new HashSet<Authenticator>();
         }
-        
+
         authenticators.clear();
         authenticators.add( new AnonymousAuthenticator() );
         authenticators.add( new SimpleAuthenticator() );
@@ -226,16 +227,16 @@ public class AuthenticationInterceptor e
         {
             throw new IllegalArgumentException( "The given authenticators set is null" );
         }
-        
+
         this.authenticators.clear();
 
-        for (Authenticator authenticator : authenticators) 
+        for (Authenticator authenticator : authenticators)
         {
             this.authenticators.add( authenticator );
         }
     }
-    
-    
+
+
     /**
      * Deinitializes and deregisters all {@link Authenticator}s from this service.
      */
@@ -296,7 +297,10 @@ public class AuthenticationInterceptor e
     }
 
 
-    public void add( NextInterceptor next, AddOperationContext addContext ) throws LdapException
+    /**
+     * {@inheritDoc}
+     */
+    public void add( AddOperationContext addContext ) throws LdapException
     {
         if ( IS_DEBUG )
         {
@@ -306,14 +310,14 @@ public class AuthenticationInterceptor e
         checkAuthenticated( addContext );
 
         Entry entry = addContext.getEntry();
-        
-        
+
+
         if ( !directoryService.isPwdPolicyEnabled() )
         {
-            next.add( addContext );
+            next( addContext );
             return;
         }
-        
+
         PasswordPolicyConfiguration policyConfig = getPwdPolicy( entry );
 
         boolean isPPolicyReqCtrlPresent = addContext.hasRequestControl( PasswordPolicy.OID );
@@ -335,7 +339,7 @@ public class AuthenticationInterceptor e
             {
                 if ( isPPolicyReqCtrlPresent )
                 {
-                    PasswordPolicyDecorator responseControl = 
+                    PasswordPolicyDecorator responseControl =
                         new PasswordPolicyDecorator( directoryService.getLdapCodecService(), true );
                     responseControl.getResponse().setPasswordPolicyError( PasswordPolicyErrorEnum.get( e.getErrorCode() ) );
                     addContext.addResponseControl( responseControl );
@@ -346,6 +350,7 @@ public class AuthenticationInterceptor e
             }
 
             String pwdChangedTime = DateUtils.getGeneralizedTime();
+
             if ( ( policyConfig.getPwdMinAge() > 0 ) || ( policyConfig.getPwdMaxAge() > 0 ) )
             {
                 Attribute pwdChangedTimeAt = new DefaultAttribute( AT_PWD_CHANGED_TIME );
@@ -369,360 +374,312 @@ public class AuthenticationInterceptor e
             }
         }
 
-        next.add( addContext );
+        next( addContext );
     }
 
 
-    public void delete( NextInterceptor next, DeleteOperationContext deleteContext ) throws LdapException
+    /**
+     * {@inheritDoc}
+     */
+    public void bind( BindOperationContext bindContext ) throws LdapException
     {
         if ( IS_DEBUG )
         {
-            LOG.debug( "Operation Context: {}", deleteContext );
+            LOG.debug( "Operation Context: {}", bindContext );
         }
 
-        checkAuthenticated( deleteContext );
-        checkPwdReset( deleteContext );
-        next.delete( deleteContext );
-        invalidateAuthenticatorCaches( deleteContext.getDn() );
-    }
+        if ( ( bindContext.getSession() != null ) && ( bindContext.getSession().getEffectivePrincipal() != null ) )
+        {
+            // null out the credentials
+            bindContext.setCredentials( null );
+        }
 
+        // pick the first matching authenticator type
+        AuthenticationLevel level = bindContext.getAuthenticationLevel();
 
-    public Entry getRootDSE( NextInterceptor next, GetRootDSEOperationContext getRootDseContext ) throws LdapException
-    {
-        if ( IS_DEBUG )
+        if ( level == AuthenticationLevel.UNAUTHENT )
         {
-            LOG.debug( "Operation Context: {}", getRootDseContext );
+            // This is a case where the Bind request contains a Dn, but no password.
+            // We don't check the Dn, we just return a UnwillingToPerform error
+            // Cf RFC 4513, chap. 5.1.2
+            throw new LdapUnwillingToPerformException( ResultCodeEnum.UNWILLING_TO_PERFORM, "Cannot Bind for Dn "
+                + bindContext.getDn().getName() );
         }
 
-        checkAuthenticated( getRootDseContext );
-        checkPwdReset( getRootDseContext );
-        return next.getRootDSE( getRootDseContext );
-    }
-
+        Collection<Authenticator> authenticators = getAuthenticators( level );
 
-    public boolean hasEntry( NextInterceptor next, EntryOperationContext hasEntryContext ) throws LdapException
-    {
-        if ( IS_DEBUG )
+        if ( authenticators == null )
         {
-            LOG.debug( "Operation Context: {}", hasEntryContext );
-        }
+            LOG.debug( "No authenticators found, delegating bind to the nexus." );
 
-        checkAuthenticated( hasEntryContext );
-        checkPwdReset( hasEntryContext );
-        return next.hasEntry( hasEntryContext );
-    }
+            // as a last resort try binding via the nexus
+            next( bindContext );
 
+            LOG.debug( "Nexus succeeded on bind operation." );
 
-    public EntryFilteringCursor list( NextInterceptor next, ListOperationContext listContext ) throws LdapException
-    {
-        if ( IS_DEBUG )
-        {
-            LOG.debug( "Operation Context: {}", listContext );
+            // bind succeeded if we got this far
+            // TODO - authentication level not being set
+            LdapPrincipal principal = new LdapPrincipal( schemaManager, bindContext.getDn(), AuthenticationLevel.SIMPLE );
+            CoreSession session = new DefaultCoreSession( principal, directoryService );
+            bindContext.setSession( session );
+
+            // remove creds so there is no security risk
+            bindContext.setCredentials( null );
+            return;
         }
 
-        checkAuthenticated( listContext );
-        checkPwdReset( listContext );
-        return next.list( listContext );
-    }
+        boolean isPPolicyReqCtrlPresent = bindContext.hasRequestControl( PasswordPolicy.OID );
+        PasswordPolicyDecorator pwdRespCtrl =
+            new PasswordPolicyDecorator( directoryService.getLdapCodecService(), true );
 
+        boolean authenticated = false;
+        PasswordPolicyException ppe = null;
 
-    public Entry lookup( NextInterceptor next, LookupOperationContext lookupContext ) throws LdapException
-    {
-        if ( IS_DEBUG )
+        // TODO : we should refactor that.
+        // try each authenticator
+        for ( Authenticator authenticator : authenticators )
         {
-            LOG.debug( "Operation Context: {}", lookupContext );
-        }
+            try
+            {
+                // perform the authentication
+                LdapPrincipal principal = authenticator.authenticate( bindContext );
 
-        checkAuthenticated( lookupContext );
-        checkPwdReset( lookupContext );
-        
-        return next.lookup( lookupContext );
-    }
+                LdapPrincipal clonedPrincipal = ( LdapPrincipal ) ( principal.clone() );
+
+                // remove creds so there is no security risk
+                bindContext.setCredentials( null );
+                clonedPrincipal.setUserPassword( StringConstants.EMPTY_BYTES );
 
+                // authentication was successful
+                CoreSession session = new DefaultCoreSession( clonedPrincipal, directoryService );
+                bindContext.setSession( session );
 
-    private void invalidateAuthenticatorCaches( Dn principalDn )
-    {
-        for ( AuthenticationLevel authMech : authenticatorsMapByType.keySet() )
-        {
-            Collection<Authenticator> authenticators = getAuthenticators( authMech );
+                authenticated = true;
 
-            // try each authenticator
-            for ( Authenticator authenticator : authenticators )
+                // break out of the loop if the authentication succeeded
+                break;
+            }
+            catch ( PasswordPolicyException e )
             {
-                authenticator.invalidateCache( principalDn );
+                ppe = e;
+                break;
+            }
+            catch ( LdapAuthenticationException e )
+            {
+                // authentication failed, try the next authenticator
+                if ( LOG.isInfoEnabled() )
+                {
+                    LOG.info( "Authenticator {} failed to authenticate: {}", authenticator, bindContext );
+                }
+            }
+            catch ( Exception e )
+            {
+                // Log other exceptions than LdapAuthenticationException
+                if ( LOG.isWarnEnabled() )
+                {
+                    LOG.info( "Unexpected failure for Authenticator {} : {}", authenticator, bindContext );
+                }
             }
         }
-    }
 
-
-    public void modify( NextInterceptor next, ModifyOperationContext modifyContext ) throws LdapException
-    {
-        if ( IS_DEBUG )
+        if ( ppe != null )
         {
-            LOG.debug( "Operation Context: {}", modifyContext );
+            if ( isPPolicyReqCtrlPresent )
+            {
+                pwdRespCtrl.getResponse().setPasswordPolicyError( PasswordPolicyErrorEnum.get( ppe.getErrorCode() ) );
+                bindContext.addResponseControl( pwdRespCtrl );
+            }
+
+            throw ppe;
         }
 
-        checkAuthenticated( modifyContext );
+        Dn dn = bindContext.getDn();
+        Entry userEntry = bindContext.getEntry();
 
-        
-        if ( ! directoryService.isPwdPolicyEnabled() )
+        PasswordPolicyConfiguration policyConfig = getPwdPolicy( userEntry );
+
+        // check if the user entry is null, it will be null
+        // in cases of anonymous bind
+        if ( authenticated && ( userEntry == null ) && directoryService.isAllowAnonymousAccess() )
         {
-            next.modify( modifyContext );
-            invalidateAuthenticatorCaches( modifyContext.getDn() );
             return;
         }
 
-        // handle the case where pwdPolicySubentry AT is about to be deleted in thid modify()
-        PasswordPolicyConfiguration policyConfig = getPwdPolicy( modifyContext.getEntry() );
-        
-        boolean isPPolicyReqCtrlPresent = modifyContext.hasRequestControl( PasswordPolicy.OID );
-        Dn userDn = modifyContext.getSession().getAuthenticatedPrincipal().getDn();
-
-        PwdModDetailsHolder pwdModDetails = null;
-        
-        pwdModDetails = getPwdModDetails( modifyContext, policyConfig );
-
-        if ( pwdModDetails.isPwdModPresent() )
+        if ( !authenticated )
         {
-            if ( pwdResetSet.contains( userDn ) )
+            if ( LOG.isInfoEnabled() )
             {
-                if ( pwdModDetails.isOtherModExists() )
-                {
-                    if ( isPPolicyReqCtrlPresent )
-                    {
-                        PasswordPolicyDecorator responseControl = 
-                            new PasswordPolicyDecorator( directoryService.getLdapCodecService(), true );
-                        responseControl.getResponse().setPasswordPolicyError( PasswordPolicyErrorEnum.CHANGE_AFTER_RESET );
-                        modifyContext.addResponseControl( responseControl );
-                    }
-
-                    throw new LdapNoPermissionException();
-                }
+                LOG.info( "Cannot bind to the server " );
             }
 
-            if ( policyConfig.isPwdSafeModify() )
+            if ( ( policyConfig != null ) && ( userEntry != null ) )
             {
-                if ( pwdModDetails.isAddOrReplace() && !pwdModDetails.isDelete() )
-                {
-                    LOG.debug( "trying to update password attribute without the supplying the old password" );
-                    
-                    if ( isPPolicyReqCtrlPresent )
-                    {
-                        PasswordPolicyDecorator responseControl = 
-                            new PasswordPolicyDecorator( directoryService.getLdapCodecService(), true );
-                        responseControl.getResponse().setPasswordPolicyError( PasswordPolicyErrorEnum.MUST_SUPPLY_OLD_PASSWORD );
-                        modifyContext.addResponseControl( responseControl );
-                    }
+                Attribute pwdFailTimeAt = userEntry.get( PWD_FAILURE_TIME_AT );
 
-                    throw new LdapNoPermissionException();
+                if ( pwdFailTimeAt == null )
+                {
+                    pwdFailTimeAt = new DefaultAttribute( AT_PWD_FAILURE_TIME );
                 }
-            }
-
-            if ( !policyConfig.isPwdAllowUserChange() && !modifyContext.getSession().isAnAdministrator() )
-            {
-                if ( isPPolicyReqCtrlPresent )
+                else
                 {
-                    PasswordPolicyDecorator responseControl = 
-                        new PasswordPolicyDecorator( directoryService.getLdapCodecService(), true );
-                    responseControl.getResponse().setPasswordPolicyError( PasswordPolicyErrorEnum.PASSWORD_MOD_NOT_ALLOWED );
-                    modifyContext.addResponseControl( responseControl );
+                    PasswordUtil.purgeFailureTimes( policyConfig, pwdFailTimeAt );
                 }
 
-                throw new LdapNoPermissionException();
-            }
-
-            Entry entry = modifyContext.getEntry();
+                String failureTime = DateUtils.getGeneralizedTime();
+                pwdFailTimeAt.add( failureTime );
+                Modification pwdFailTimeMod = new DefaultModification( ADD_ATTRIBUTE, pwdFailTimeAt );
 
-            if ( isPwdTooYoung( entry, policyConfig ) )
-            {
-                if ( isPPolicyReqCtrlPresent )
-                {
-                    PasswordPolicyDecorator responseControl = 
-                        new PasswordPolicyDecorator( directoryService.getLdapCodecService(), true );
-                    responseControl.getResponse().setPasswordPolicyError( PasswordPolicyErrorEnum.PASSWORD_TOO_YOUNG );
-                    modifyContext.addResponseControl( responseControl );
-                }
+                List<Modification> mods = new ArrayList<Modification>();
+                mods.add( pwdFailTimeMod );
 
-                throw new LdapOperationException( ResultCodeEnum.CONSTRAINT_VIOLATION,
-                    "password is too young to update" );
-            }
+                int numFailures = pwdFailTimeAt.size();
 
-            byte[] newPassword = null;
-            
-            if ( ( pwdModDetails != null ) )
-            {
-                newPassword = pwdModDetails.getNewPwd();
-                
-                try
-                {
-                    String userName = entry.getDn().getRdn().getUpValue().getString();
-                    check( userName, newPassword, policyConfig );
-                }
-                catch ( PasswordPolicyException e )
+                if ( policyConfig.isPwdLockout() && ( numFailures >= policyConfig.getPwdMaxFailure() ) )
                 {
-                    if ( isPPolicyReqCtrlPresent )
+                    Attribute pwdAccountLockedTimeAt = new DefaultAttribute( AT_PWD_ACCOUNT_LOCKED_TIME );
+
+                    // if zero, lockout permanently, only admin can unlock it
+                    if ( policyConfig.getPwdLockoutDuration() == 0 )
                     {
-                        PasswordPolicyDecorator responseControl = 
-                            new PasswordPolicyDecorator( directoryService.getLdapCodecService(), true );
-                        responseControl.getResponse().setPasswordPolicyError( PasswordPolicyErrorEnum.get( e.getErrorCode() ) );
-                        modifyContext.addResponseControl( responseControl );
+                        pwdAccountLockedTimeAt.add( "000001010000Z" );
+                    }
+                    else
+                    {
+                        pwdAccountLockedTimeAt.add( failureTime );
                     }
 
-                    // throw exception if userPassword quality checks fail
-                    throw new LdapOperationException( ResultCodeEnum.CONSTRAINT_VIOLATION, e.getMessage(), e );
-                }
-            }
+                    Modification pwdAccountLockedMod = new DefaultModification( ADD_ATTRIBUTE, pwdAccountLockedTimeAt );
+                    mods.add( pwdAccountLockedMod );
 
-            int histSize = policyConfig.getPwdInHistory();
-            Modification pwdRemHistMod = null;
-            Modification pwdAddHistMod = null;
-            String pwdChangedTime = DateUtils.getGeneralizedTime();
-
-            if ( histSize > 0 )
-            {
-                Attribute pwdHistoryAt = entry.get( PWD_HISTORY_AT );
-                
-                if ( pwdHistoryAt == null )
-                {
-                    pwdHistoryAt = new DefaultAttribute( AT_PWD_HISTORY );
+                    pwdRespCtrl.getResponse().setPasswordPolicyError( PasswordPolicyErrorEnum.ACCOUNT_LOCKED );
                 }
-                
-                List<PasswordHistory> pwdHistLst = new ArrayList<PasswordHistory>();
-
-                for ( Value<?> value : pwdHistoryAt  )
+                else if ( policyConfig.getPwdMinDelay() > 0 )
                 {
-                    PasswordHistory pwdh = new PasswordHistory( Strings.utf8ToString( value.getBytes() ) );
-
-                    boolean matched = Arrays.equals( newPassword, pwdh.getPassword() );
-
-                    if ( matched )
+                    int numDelay = numFailures * policyConfig.getPwdMinDelay();
+                    int maxDelay = policyConfig.getPwdMaxDelay();
+                    if ( numDelay > maxDelay )
                     {
-                        if ( isPPolicyReqCtrlPresent )
-                        {
-                            PasswordPolicyDecorator responseControl = 
-                                new PasswordPolicyDecorator( directoryService.getLdapCodecService(), true );
-                            responseControl.getResponse().setPasswordPolicyError( PasswordPolicyErrorEnum.PASSWORD_IN_HISTORY );
-                            modifyContext.addResponseControl( responseControl );
-                        }
-
-                        throw new LdapOperationException( ResultCodeEnum.CONSTRAINT_VIOLATION,
-                            "invalid reuse of password present in password history" );
+                        numDelay = maxDelay;
                     }
 
-                    pwdHistLst.add( pwdh );
+                    try
+                    {
+                        Thread.sleep( numDelay * 1000 );
+                    }
+                    catch ( InterruptedException e )
+                    {
+                        LOG.warn(
+                            "Interrupted while delaying to send the failed authentication response for the user {}",
+                            dn, e );
+                    }
                 }
 
-                if ( pwdHistLst.size() >= histSize )
-                {
-                    // see the javadoc of PasswordHistory
-                    Collections.sort( pwdHistLst );
-                   
-                    // remove the oldest value
-                    PasswordHistory remPwdHist = ( PasswordHistory ) pwdHistLst.toArray()[histSize - 1];
-                    Attribute tempAt = new DefaultAttribute( AT_PWD_HISTORY );
-                    tempAt.add( remPwdHist.getHistoryValue() );
-                    pwdRemHistMod = new DefaultModification( REMOVE_ATTRIBUTE, tempAt );
-                }
-                
-                pwdHistoryAt.clear();
-                PasswordHistory newPwdHist = new PasswordHistory( pwdChangedTime, newPassword );
-                pwdHistoryAt.clear();
-                pwdHistoryAt.add( newPwdHist.getHistoryValue() );
-                pwdAddHistMod = new DefaultModification( ADD_ATTRIBUTE, pwdHistoryAt );
+                //adminSession.modify( dn, Collections.singletonList( pwdFailTimeMod ) );
+                ModifyOperationContext bindModCtx = new ModifyOperationContext( adminSession );
+                bindModCtx.setDn( dn );
+                bindModCtx.setModItems( mods );
+                directoryService.getPartitionNexus().modify( bindModCtx );
             }
 
-            next.modify( modifyContext );
-            
-            invalidateAuthenticatorCaches( modifyContext.getDn() );
-
+            String upDn = ( dn == null ? "" : dn.getName() );
+            throw new LdapAuthenticationException( I18n.err( I18n.ERR_229, upDn ) );
+        }
+        else if ( policyConfig != null )
+        {
             List<Modification> mods = new ArrayList<Modification>();
-            
-            if ( ( policyConfig.getPwdMinAge() > 0 ) || ( policyConfig.getPwdMaxAge() > 0 ) )
+
+            if ( policyConfig.getPwdMaxIdle() > 0 )
             {
-                Attribute pwdChangedTimeAt = new DefaultAttribute( AT_PWD_CHANGED_TIME );
-                pwdChangedTimeAt.add( pwdChangedTime );
-                Modification pwdChangedTimeMod = new DefaultModification( REPLACE_ATTRIBUTE, pwdChangedTimeAt );
-                mods.add( pwdChangedTimeMod );
+                Attribute pwdLastSuccesTimeAt = new DefaultAttribute( AT_PWD_LAST_SUCCESS );
+                pwdLastSuccesTimeAt.add( DateUtils.getGeneralizedTime() );
+                Modification pwdLastSuccesTimeMod = new DefaultModification( REPLACE_ATTRIBUTE, pwdLastSuccesTimeAt );
+                mods.add( pwdLastSuccesTimeMod );
             }
 
-            if ( pwdAddHistMod != null )
+            Attribute pwdFailTimeAt = userEntry.get( AT_PWD_FAILURE_TIME );
+
+            if ( pwdFailTimeAt != null )
             {
-                mods.add( pwdAddHistMod );
+                Modification pwdFailTimeMod = new DefaultModification( REMOVE_ATTRIBUTE, pwdFailTimeAt );
+                mods.add( pwdFailTimeMod );
             }
 
-            if ( pwdRemHistMod != null )
+            Attribute pwdAccLockedTimeAt = userEntry.get( AT_PWD_ACCOUNT_LOCKED_TIME );
+
+            if ( pwdAccLockedTimeAt != null )
             {
-                mods.add( pwdRemHistMod );
+                Modification pwdAccLockedTimeMod = new DefaultModification( REMOVE_ATTRIBUTE, pwdAccLockedTimeAt );
+                mods.add( pwdAccLockedTimeMod );
             }
 
-            boolean removeFromPwdResetSet = false;
-            
-            if ( policyConfig.isPwdMustChange() )
+            // checking the expiration time *after* performing authentication, do we need to care about millisecond precision?
+            if ( ( policyConfig.getPwdMaxAge() > 0 ) && ( policyConfig.getPwdGraceAuthNLimit() > 0 ) )
             {
-                Attribute pwdMustChangeAt = new DefaultAttribute( AT_PWD_RESET );
-                Modification pwdMustChangeMod = null;
+                Attribute pwdChangeTimeAttr = userEntry.get( PWD_CHANGED_TIME_AT );
 
-                if ( modifyContext.getSession().isAnAdministrator() )
-                {
-                    pwdMustChangeAt.add( "TRUE" );
-                    pwdMustChangeMod = new DefaultModification( REPLACE_ATTRIBUTE, pwdMustChangeAt );
-                }
-                else
+                if ( pwdChangeTimeAttr != null )
                 {
-                    pwdMustChangeMod = new DefaultModification( REMOVE_ATTRIBUTE, pwdMustChangeAt );
-                    removeFromPwdResetSet = true;
-                }
+                    boolean expired = PasswordUtil.isPwdExpired( pwdChangeTimeAttr.getString(),
+                        policyConfig.getPwdMaxAge() );
 
-                mods.add( pwdMustChangeMod );
-            }
+                    if ( expired )
+                    {
+                        Attribute pwdGraceUseAttr = userEntry.get( PWD_GRACE_USE_TIME_AT );
+                        int numGraceAuth = 0;
 
-            Attribute pwdFailureTimeAt = entry.get( PWD_FAILURE_TIME_AT );
-            
-            if ( pwdFailureTimeAt != null )
-            {
-                mods.add( new DefaultModification( REMOVE_ATTRIBUTE, pwdFailureTimeAt ) );
+                        if ( pwdGraceUseAttr != null )
+                        {
+                            numGraceAuth = policyConfig.getPwdGraceAuthNLimit() - ( pwdGraceUseAttr.size() + 1 );
+                        }
+                        else
+                        {
+                            pwdGraceUseAttr = new DefaultAttribute( AT_PWD_GRACE_USE_TIME );
+                            numGraceAuth = policyConfig.getPwdGraceAuthNLimit() - 1;
+                        }
+
+                        pwdRespCtrl.getResponse().setGraceAuthNsRemaining( numGraceAuth );
+
+                        pwdGraceUseAttr.add( DateUtils.getGeneralizedTime() );
+                        Modification pwdGraceUseMod = new DefaultModification( ADD_ATTRIBUTE, pwdGraceUseAttr );
+                        mods.add( pwdGraceUseMod );
+                    }
+                }
             }
 
-            Attribute pwdGraceUseTimeAt = entry.get( PWD_GRACE_USE_TIME_AT );
-            
-            if ( pwdGraceUseTimeAt != null )
+            if ( !mods.isEmpty() )
             {
-                mods.add( new DefaultModification( REMOVE_ATTRIBUTE, pwdGraceUseTimeAt ) );
+                //adminSession.modify( dn, mods );
+                ModifyOperationContext bindModCtx = new ModifyOperationContext( adminSession );
+                bindModCtx.setDn( dn );
+                bindModCtx.setModItems( mods );
+                directoryService.getPartitionNexus().modify( bindModCtx );
             }
 
-            directoryService.getAdminSession().modify( modifyContext.getDn(), mods );
-
-            if ( removeFromPwdResetSet )
+            if ( isPPolicyReqCtrlPresent )
             {
-                pwdResetSet.remove( userDn );
-            }
-        }
-        else
-        {
-            next.modify( modifyContext );
-            invalidateAuthenticatorCaches( modifyContext.getDn() );
-        }
-    }
+                int expiryWarnTime = getPwdTimeBeforeExpiry( userEntry, policyConfig );
 
+                if ( expiryWarnTime > 0 )
+                {
+                    pwdRespCtrl.getResponse().setTimeBeforeExpiration( expiryWarnTime );
+                }
 
-    public void rename( NextInterceptor next, RenameOperationContext renameContext ) throws LdapException
-    {
-        if ( IS_DEBUG )
-        {
-            LOG.debug( "Operation Context: {}", renameContext );
-        }
+                if ( isPwdMustReset( userEntry ) )
+                {
+                    pwdRespCtrl.getResponse().setPasswordPolicyError( PasswordPolicyErrorEnum.CHANGE_AFTER_RESET );
+                    pwdResetSet.add( dn );
+                }
 
-        checkAuthenticated( renameContext );
-        checkPwdReset( renameContext );
-        next.rename( renameContext );
-        invalidateAuthenticatorCaches( renameContext.getDn() );
+                bindContext.addResponseControl( pwdRespCtrl );
+            }
+        }
     }
 
 
     /**
      * {@inheritDoc}
      */
-    public boolean compare( NextInterceptor next, CompareOperationContext compareContext ) throws LdapException
+    public boolean compare( CompareOperationContext compareContext ) throws LdapException
     {
         if ( IS_DEBUG )
         {
@@ -731,373 +688,440 @@ public class AuthenticationInterceptor e
 
         checkAuthenticated( compareContext );
         checkPwdReset( compareContext );
-        boolean result = next.compare( compareContext );
+        boolean result = next( compareContext );
         invalidateAuthenticatorCaches( compareContext.getDn() );
 
         return result;
     }
 
 
-    public void moveAndRename( NextInterceptor next, MoveAndRenameOperationContext moveAndRenameContext )
-        throws LdapException
+    /**
+     * {@inheritDoc}
+     */
+    public void delete( DeleteOperationContext deleteContext ) throws LdapException
     {
         if ( IS_DEBUG )
         {
-            LOG.debug( "Operation Context: {}", moveAndRenameContext );
+            LOG.debug( "Operation Context: {}", deleteContext );
         }
 
-        checkAuthenticated( moveAndRenameContext );
-        checkPwdReset( moveAndRenameContext );
-        next.moveAndRename( moveAndRenameContext );
-        invalidateAuthenticatorCaches( moveAndRenameContext.getDn() );
+        checkAuthenticated( deleteContext );
+        checkPwdReset( deleteContext );
+        next( deleteContext );
+        invalidateAuthenticatorCaches( deleteContext.getDn() );
     }
 
 
     /**
      * {@inheritDoc}
      */
-    public void move( NextInterceptor next, MoveOperationContext moveContext ) throws LdapException
+    public Entry getRootDse( GetRootDseOperationContext getRootDseContext ) throws LdapException
     {
         if ( IS_DEBUG )
         {
-            LOG.debug( "Operation Context: {}", moveContext );
+            LOG.debug( "Operation Context: {}", getRootDseContext );
         }
 
-        checkAuthenticated( moveContext );
-        checkPwdReset( moveContext );
-        next.move( moveContext );
-        invalidateAuthenticatorCaches( moveContext.getDn() );
+        checkAuthenticated( getRootDseContext );
+        checkPwdReset( getRootDseContext );
+
+        return next( getRootDseContext );
     }
 
 
-    public EntryFilteringCursor search( NextInterceptor next, SearchOperationContext searchContext )
-        throws LdapException
+    /**
+     * {@inheritDoc}
+     */
+    public boolean hasEntry( HasEntryOperationContext hasEntryContext ) throws LdapException
     {
         if ( IS_DEBUG )
         {
-            LOG.debug( "Operation Context: {}", searchContext );
+            LOG.debug( "Operation Context: {}", hasEntryContext );
         }
 
-        checkAuthenticated( searchContext );
-        checkPwdReset( searchContext );
-        return next.search( searchContext );
+        checkAuthenticated( hasEntryContext );
+        checkPwdReset( hasEntryContext );
+
+        return next( hasEntryContext );
     }
 
 
     /**
-     * Check if the current operation has a valid PrincipalDN or not.
-     *
-     * @param operation the operation type
-     * @throws Exception
+     * {@inheritDoc}
      */
-    private void checkAuthenticated( OperationContext operation ) throws LdapException
+    public EntryFilteringCursor list( ListOperationContext listContext ) throws LdapException
     {
-        if ( operation.getSession().isAnonymous() && !directoryService.isAllowAnonymousAccess()
-            && !operation.getDn().isEmpty() )
+        if ( IS_DEBUG )
         {
-            String msg = I18n.err( I18n.ERR_5, operation.getName() );
-            LOG.error( msg );
-            throw new LdapNoPermissionException( msg );
+            LOG.debug( "Operation Context: {}", listContext );
         }
+
+        checkAuthenticated( listContext );
+        checkPwdReset( listContext );
+
+        return next( listContext );
     }
 
 
-    public void bind( NextInterceptor next, BindOperationContext bindContext ) throws LdapException
+    /**
+     * {@inheritDoc}
+     */
+    public Entry lookup( LookupOperationContext lookupContext ) throws LdapException
     {
         if ( IS_DEBUG )
         {
-            LOG.debug( "Operation Context: {}", bindContext );
+            LOG.debug( "Operation Context: {}", lookupContext );
         }
 
-        if ( ( bindContext.getSession() != null ) && ( bindContext.getSession().getEffectivePrincipal() != null ) )
-        {
-            // null out the credentials
-            bindContext.setCredentials( null );
-        }
+        checkAuthenticated( lookupContext );
+        checkPwdReset( lookupContext );
 
-        // pick the first matching authenticator type
-        AuthenticationLevel level = bindContext.getAuthenticationLevel();
+        return next( lookupContext );
+    }
 
-        if ( level == AuthenticationLevel.UNAUTHENT )
+
+    private void invalidateAuthenticatorCaches( Dn principalDn )
+    {
+        for ( AuthenticationLevel authMech : authenticatorsMapByType.keySet() )
         {
-            // This is a case where the Bind request contains a Dn, but no password.
-            // We don't check the Dn, we just return a UnwillingToPerform error
-            // Cf RFC 4513, chap. 5.1.2
-            throw new LdapUnwillingToPerformException( ResultCodeEnum.UNWILLING_TO_PERFORM, "Cannot Bind for Dn "
-                + bindContext.getDn().getName() );
+            Collection<Authenticator> authenticators = getAuthenticators( authMech );
+
+            // try each authenticator
+            for ( Authenticator authenticator : authenticators )
+            {
+                authenticator.invalidateCache( principalDn );
+            }
         }
+    }
 
-        Collection<Authenticator> authenticators = getAuthenticators( level );
 
-        if ( authenticators == null )
+    /**
+     * {@inheritDoc}
+     */
+    public void modify( ModifyOperationContext modifyContext ) throws LdapException
+    {
+        if ( IS_DEBUG )
         {
-            LOG.debug( "No authenticators found, delegating bind to the nexus." );
-
-            // as a last resort try binding via the nexus
-            next.bind( bindContext );
+            LOG.debug( "Operation Context: {}", modifyContext );
+        }
 
-            LOG.debug( "Nexus succeeded on bind operation." );
+        checkAuthenticated( modifyContext );
 
-            // bind succeeded if we got this far
-            // TODO - authentication level not being set
-            LdapPrincipal principal = new LdapPrincipal( schemaManager, bindContext.getDn(), AuthenticationLevel.SIMPLE );
-            CoreSession session = new DefaultCoreSession( principal, directoryService );
-            bindContext.setSession( session );
 
-            // remove creds so there is no security risk
-            bindContext.setCredentials( null );
+        if ( ! directoryService.isPwdPolicyEnabled() )
+        {
+            next( modifyContext );
+            invalidateAuthenticatorCaches( modifyContext.getDn() );
             return;
         }
 
-        boolean isPPolicyReqCtrlPresent = bindContext.hasRequestControl( PasswordPolicy.OID );
-        PasswordPolicyDecorator pwdRespCtrl = 
-            new PasswordPolicyDecorator( directoryService.getLdapCodecService(), true );
-
-        boolean authenticated = false;
-        PasswordPolicyException ppe = null;
+        // handle the case where pwdPolicySubentry AT is about to be deleted in thid modify()
+        PasswordPolicyConfiguration policyConfig = getPwdPolicy( modifyContext.getEntry() );
 
-        // TODO : we should refactor that.
-        // try each authenticator
-        for ( Authenticator authenticator : authenticators )
-        {
-            try
-            {
-                // perform the authentication
-                LdapPrincipal principal = authenticator.authenticate( bindContext );
-                
-                LdapPrincipal clonedPrincipal = ( LdapPrincipal ) ( principal.clone() );
+        boolean isPPolicyReqCtrlPresent = modifyContext.hasRequestControl( PasswordPolicy.OID );
+        Dn userDn = modifyContext.getSession().getAuthenticatedPrincipal().getDn();
 
-                // remove creds so there is no security risk
-                bindContext.setCredentials( null );
-                clonedPrincipal.setUserPassword( StringConstants.EMPTY_BYTES );
+        PwdModDetailsHolder pwdModDetails = null;
 
-                // authentication was successful
-                CoreSession session = new DefaultCoreSession( clonedPrincipal, directoryService );
-                bindContext.setSession( session );
+        pwdModDetails = getPwdModDetails( modifyContext, policyConfig );
 
-                authenticated = true;
-                
-                // break out of the loop if the authentication succeeded
-                break;
-            }
-            catch ( PasswordPolicyException e )
-            {
-                ppe = e;
-                break;
-            }
-            catch ( LdapAuthenticationException e )
+        if ( pwdModDetails.isPwdModPresent() )
+        {
+            if ( pwdResetSet.contains( userDn ) )
             {
-                // authentication failed, try the next authenticator
-                if ( LOG.isInfoEnabled() )
+                if ( pwdModDetails.isOtherModExists() )
                 {
-                    LOG.info( "Authenticator {} failed to authenticate: {}", authenticator, bindContext );
+                    if ( isPPolicyReqCtrlPresent )
+                    {
+                        PasswordPolicyDecorator responseControl =
+                            new PasswordPolicyDecorator( directoryService.getLdapCodecService(), true );
+                        responseControl.getResponse().setPasswordPolicyError( PasswordPolicyErrorEnum.CHANGE_AFTER_RESET );
+                        modifyContext.addResponseControl( responseControl );
+                    }
+
+                    throw new LdapNoPermissionException();
                 }
             }
-            catch ( Exception e )
+
+            if ( policyConfig.isPwdSafeModify() )
             {
-                // Log other exceptions than LdapAuthenticationException
-                if ( LOG.isWarnEnabled() )
+                if ( pwdModDetails.isAddOrReplace() && !pwdModDetails.isDelete() )
                 {
-                    LOG.info( "Unexpected failure for Authenticator {} : {}", authenticator, bindContext );
+                    LOG.debug( "trying to update password attribute without the supplying the old password" );
+
+                    if ( isPPolicyReqCtrlPresent )
+                    {
+                        PasswordPolicyDecorator responseControl =
+                            new PasswordPolicyDecorator( directoryService.getLdapCodecService(), true );
+                        responseControl.getResponse().setPasswordPolicyError( PasswordPolicyErrorEnum.MUST_SUPPLY_OLD_PASSWORD );
+                        modifyContext.addResponseControl( responseControl );
+                    }
+
+                    throw new LdapNoPermissionException();
                 }
             }
-        }
 
-        if ( ppe != null )
-        {
-            if ( isPPolicyReqCtrlPresent )
+            if ( !policyConfig.isPwdAllowUserChange() && !modifyContext.getSession().isAnAdministrator() )
             {
-                pwdRespCtrl.getResponse().setPasswordPolicyError( PasswordPolicyErrorEnum.get( ppe.getErrorCode() ) );
-                bindContext.addResponseControl( pwdRespCtrl );
-            }
+                if ( isPPolicyReqCtrlPresent )
+                {
+                    PasswordPolicyDecorator responseControl =
+                        new PasswordPolicyDecorator( directoryService.getLdapCodecService(), true );
+                    responseControl.getResponse().setPasswordPolicyError( PasswordPolicyErrorEnum.PASSWORD_MOD_NOT_ALLOWED );
+                    modifyContext.addResponseControl( responseControl );
+                }
 
-            throw ppe;
-        }
+                throw new LdapNoPermissionException();
+            }
 
-        Dn dn = bindContext.getDn();
-        Entry userEntry = bindContext.getEntry();
-        
-        PasswordPolicyConfiguration policyConfig = getPwdPolicy( userEntry );
-        
-        // check if the user entry is null, it will be null
-        // in cases of anonymous bind
-        if ( authenticated && ( userEntry == null ) && directoryService.isAllowAnonymousAccess() ) 
-        {
-            return;
-        }
+            Entry entry = modifyContext.getEntry();
 
-        if ( !authenticated )
-        {
-            if ( LOG.isInfoEnabled() )
+            if ( isPwdTooYoung( entry, policyConfig ) )
             {
-                LOG.info( "Cannot bind to the server " );
+                if ( isPPolicyReqCtrlPresent )
+                {
+                    PasswordPolicyDecorator responseControl =
+                        new PasswordPolicyDecorator( directoryService.getLdapCodecService(), true );
+                    responseControl.getResponse().setPasswordPolicyError( PasswordPolicyErrorEnum.PASSWORD_TOO_YOUNG );
+                    modifyContext.addResponseControl( responseControl );
+                }
+
+                throw new LdapOperationException( ResultCodeEnum.CONSTRAINT_VIOLATION,
+                    "password is too young to update" );
             }
 
-            if ( ( policyConfig != null ) && ( userEntry != null ) )
+            byte[] newPassword = null;
+
+            if ( ( pwdModDetails != null ) )
             {
-                Attribute pwdFailTimeAt = userEntry.get( PWD_FAILURE_TIME_AT );
-                if ( pwdFailTimeAt == null )
+                newPassword = pwdModDetails.getNewPwd();
+
+                try
                 {
-                    pwdFailTimeAt = new DefaultAttribute( AT_PWD_FAILURE_TIME );
+                    String userName = entry.getDn().getRdn().getUpValue().getString();
+                    check( userName, newPassword, policyConfig );
                 }
-                else
+                catch ( PasswordPolicyException e )
                 {
-                    PasswordUtil.purgeFailureTimes( policyConfig, pwdFailTimeAt );
+                    if ( isPPolicyReqCtrlPresent )
+                    {
+                        PasswordPolicyDecorator responseControl =
+                            new PasswordPolicyDecorator( directoryService.getLdapCodecService(), true );
+                        responseControl.getResponse().setPasswordPolicyError( PasswordPolicyErrorEnum.get( e.getErrorCode() ) );
+                        modifyContext.addResponseControl( responseControl );
+                    }
+
+                    // throw exception if userPassword quality checks fail
+                    throw new LdapOperationException( ResultCodeEnum.CONSTRAINT_VIOLATION, e.getMessage(), e );
                 }
+            }
 
-                String failureTime = DateUtils.getGeneralizedTime();
-                pwdFailTimeAt.add( failureTime );
-                Modification pwdFailTimeMod = new DefaultModification( ADD_ATTRIBUTE, pwdFailTimeAt );
+            int histSize = policyConfig.getPwdInHistory();
+            Modification pwdRemHistMod = null;
+            Modification pwdAddHistMod = null;
+            String pwdChangedTime = DateUtils.getGeneralizedTime();
 
-                List<Modification> mods = new ArrayList<Modification>();
-                mods.add( pwdFailTimeMod );
+            if ( histSize > 0 )
+            {
+                Attribute pwdHistoryAt = entry.get( PWD_HISTORY_AT );
 
-                int numFailures = pwdFailTimeAt.size();
+                if ( pwdHistoryAt == null )
+                {
+                    pwdHistoryAt = new DefaultAttribute( AT_PWD_HISTORY );
+                }
 
-                if ( policyConfig.isPwdLockout() && ( numFailures >= policyConfig.getPwdMaxFailure() ) )
+                List<PasswordHistory> pwdHistLst = new ArrayList<PasswordHistory>();
+
+                for ( Value<?> value : pwdHistoryAt  )
                 {
-                    Attribute pwdAccountLockedTimeAt = new DefaultAttribute( AT_PWD_ACCOUNT_LOCKED_TIME );
+                    PasswordHistory pwdh = new PasswordHistory( Strings.utf8ToString( value.getBytes() ) );
 
-                    // if zero, lockout permanently, only admin can unlock it
-                    if ( policyConfig.getPwdLockoutDuration() == 0 )
-                    {
-                        pwdAccountLockedTimeAt.add( "000001010000Z" );
-                    }
-                    else
+                    boolean matched = Arrays.equals( newPassword, pwdh.getPassword() );
+
+                    if ( matched )
                     {
-                        pwdAccountLockedTimeAt.add( failureTime );
+                        if ( isPPolicyReqCtrlPresent )
+                        {
+                            PasswordPolicyDecorator responseControl =
+                                new PasswordPolicyDecorator( directoryService.getLdapCodecService(), true );
+                            responseControl.getResponse().setPasswordPolicyError( PasswordPolicyErrorEnum.PASSWORD_IN_HISTORY );
+                            modifyContext.addResponseControl( responseControl );
+                        }
+
+                        throw new LdapOperationException( ResultCodeEnum.CONSTRAINT_VIOLATION,
+                            "invalid reuse of password present in password history" );
                     }
-                    
-                    Modification pwdAccountLockedMod = new DefaultModification( ADD_ATTRIBUTE, pwdAccountLockedTimeAt );
-                    mods.add( pwdAccountLockedMod );
 
-                    pwdRespCtrl.getResponse().setPasswordPolicyError( PasswordPolicyErrorEnum.ACCOUNT_LOCKED );
+                    pwdHistLst.add( pwdh );
                 }
-                else if ( policyConfig.getPwdMinDelay() > 0 )
+
+                if ( pwdHistLst.size() >= histSize )
                 {
-                    int numDelay = numFailures * policyConfig.getPwdMinDelay();
-                    int maxDelay = policyConfig.getPwdMaxDelay();
-                    if ( numDelay > maxDelay )
-                    {
-                        numDelay = maxDelay;
-                    }
+                    // see the javadoc of PasswordHistory
+                    Collections.sort( pwdHistLst );
 
-                    try
-                    {
-                        Thread.sleep( numDelay * 1000 );
-                    }
-                    catch ( InterruptedException e )
-                    {
-                        LOG.warn(
-                            "Interrupted while delaying to send the failed authentication response for the user {}",
-                            dn, e );
-                    }
+                    // remove the oldest value
+                    PasswordHistory remPwdHist = ( PasswordHistory ) pwdHistLst.toArray()[histSize - 1];
+                    Attribute tempAt = new DefaultAttribute( AT_PWD_HISTORY );
+                    tempAt.add( remPwdHist.getHistoryValue() );
+                    pwdRemHistMod = new DefaultModification( REMOVE_ATTRIBUTE, tempAt );
                 }
 
-                //adminSession.modify( dn, Collections.singletonList( pwdFailTimeMod ) );
-                ModifyOperationContext bindModCtx = new ModifyOperationContext( adminSession );
-                bindModCtx.setDn( dn );
-                bindModCtx.setModItems( mods );
-                directoryService.getPartitionNexus().modify( bindModCtx );
+                pwdHistoryAt.clear();
+                PasswordHistory newPwdHist = new PasswordHistory( pwdChangedTime, newPassword );
+                pwdHistoryAt.clear();
+                pwdHistoryAt.add( newPwdHist.getHistoryValue() );
+                pwdAddHistMod = new DefaultModification( ADD_ATTRIBUTE, pwdHistoryAt );
             }
 
-            String upDn = ( dn == null ? "" : dn.getName() );
-            throw new LdapAuthenticationException( I18n.err( I18n.ERR_229, upDn ) );
-        }
-        else if ( policyConfig != null )
-        {
+            next( modifyContext );
+
+            invalidateAuthenticatorCaches( modifyContext.getDn() );
+
             List<Modification> mods = new ArrayList<Modification>();
 
-            if ( policyConfig.getPwdMaxIdle() > 0 )
+            if ( ( policyConfig.getPwdMinAge() > 0 ) || ( policyConfig.getPwdMaxAge() > 0 ) )
             {
-                Attribute pwdLastSuccesTimeAt = new DefaultAttribute( AT_PWD_LAST_SUCCESS );
-                pwdLastSuccesTimeAt.add( DateUtils.getGeneralizedTime() );
-                Modification pwdLastSuccesTimeMod = new DefaultModification( REPLACE_ATTRIBUTE, pwdLastSuccesTimeAt );
-                mods.add( pwdLastSuccesTimeMod );
+                Attribute pwdChangedTimeAt = new DefaultAttribute( AT_PWD_CHANGED_TIME );
+                pwdChangedTimeAt.add( pwdChangedTime );
+                Modification pwdChangedTimeMod = new DefaultModification( REPLACE_ATTRIBUTE, pwdChangedTimeAt );
+                mods.add( pwdChangedTimeMod );
             }
 
-            Attribute pwdFailTimeAt = userEntry.get( AT_PWD_FAILURE_TIME );
-            if ( pwdFailTimeAt != null )
+            if ( pwdAddHistMod != null )
             {
-                Modification pwdFailTimeMod = new DefaultModification( REMOVE_ATTRIBUTE, pwdFailTimeAt );
-                mods.add( pwdFailTimeMod );
+                mods.add( pwdAddHistMod );
             }
 
-            Attribute pwdAccLockedTimeAt = userEntry.get( AT_PWD_ACCOUNT_LOCKED_TIME );
-            if ( pwdAccLockedTimeAt != null )
+            if ( pwdRemHistMod != null )
             {
-                Modification pwdAccLockedTimeMod = new DefaultModification( REMOVE_ATTRIBUTE, pwdAccLockedTimeAt );
-                mods.add( pwdAccLockedTimeMod );
+                mods.add( pwdRemHistMod );
             }
 
-            // checking the expiration time *after* performing authentication, do we need to care about millisecond precision?
-            if ( ( policyConfig.getPwdMaxAge() > 0 ) && ( policyConfig.getPwdGraceAuthNLimit() > 0 ) )
+            boolean removeFromPwdResetSet = false;
+
+            if ( policyConfig.isPwdMustChange() )
             {
-                Attribute pwdChangeTimeAttr = userEntry.get( PWD_CHANGED_TIME_AT );
-                
-                if ( pwdChangeTimeAttr != null )
-                {
-                    boolean expired = PasswordUtil.isPwdExpired( pwdChangeTimeAttr.getString(),
-                        policyConfig.getPwdMaxAge() );
-                    
-                    if ( expired )
-                    {
-                        Attribute pwdGraceUseAttr = userEntry.get( PWD_GRACE_USE_TIME_AT );
-                        int numGraceAuth = 0;
-                        
-                        if ( pwdGraceUseAttr != null )
-                        {
-                            numGraceAuth = policyConfig.getPwdGraceAuthNLimit() - ( pwdGraceUseAttr.size() + 1 );
-                        }
-                        else
-                        {
-                            pwdGraceUseAttr = new DefaultAttribute( AT_PWD_GRACE_USE_TIME );
-                            numGraceAuth = policyConfig.getPwdGraceAuthNLimit() - 1;
-                        }
-                        
-                        pwdRespCtrl.getResponse().setGraceAuthNsRemaining( numGraceAuth );
+                Attribute pwdMustChangeAt = new DefaultAttribute( AT_PWD_RESET );
+                Modification pwdMustChangeMod = null;
 
-                        pwdGraceUseAttr.add( DateUtils.getGeneralizedTime() );
-                        Modification pwdGraceUseMod = new DefaultModification( ADD_ATTRIBUTE, pwdGraceUseAttr );
-                        mods.add( pwdGraceUseMod );
-                    }
+                if ( modifyContext.getSession().isAnAdministrator() )
+                {
+                    pwdMustChangeAt.add( "TRUE" );
+                    pwdMustChangeMod = new DefaultModification( REPLACE_ATTRIBUTE, pwdMustChangeAt );
+                }
+                else
+                {
+                    pwdMustChangeMod = new DefaultModification( REMOVE_ATTRIBUTE, pwdMustChangeAt );
+                    removeFromPwdResetSet = true;
                 }
+
+                mods.add( pwdMustChangeMod );
             }
 
-            if ( !mods.isEmpty() )
+            Attribute pwdFailureTimeAt = entry.get( PWD_FAILURE_TIME_AT );
+
+            if ( pwdFailureTimeAt != null )
             {
-                //adminSession.modify( dn, mods );
-                ModifyOperationContext bindModCtx = new ModifyOperationContext( adminSession );
-                bindModCtx.setDn( dn );
-                bindModCtx.setModItems( mods );
-                directoryService.getPartitionNexus().modify( bindModCtx );
+                mods.add( new DefaultModification( REMOVE_ATTRIBUTE, pwdFailureTimeAt ) );
             }
 
-            if ( isPPolicyReqCtrlPresent )
+            Attribute pwdGraceUseTimeAt = entry.get( PWD_GRACE_USE_TIME_AT );
+
+            if ( pwdGraceUseTimeAt != null )
             {
-                int expiryWarnTime = getPwdTimeBeforeExpiry( userEntry, policyConfig );
-                
-                if ( expiryWarnTime > 0 )
-                {
-                    pwdRespCtrl.getResponse().setTimeBeforeExpiration( expiryWarnTime );
-                }
+                mods.add( new DefaultModification( REMOVE_ATTRIBUTE, pwdGraceUseTimeAt ) );
+            }
 
-                if ( isPwdMustReset( userEntry ) )
-                {
-                    pwdRespCtrl.getResponse().setPasswordPolicyError( PasswordPolicyErrorEnum.CHANGE_AFTER_RESET );
-                    pwdResetSet.add( dn );
-                }
+            directoryService.getAdminSession().modify( modifyContext.getDn(), mods );
 
-                bindContext.addResponseControl( pwdRespCtrl );
+            if ( removeFromPwdResetSet )
+            {
+                pwdResetSet.remove( userDn );
             }
         }
+        else
+        {
+            next( modifyContext );
+            invalidateAuthenticatorCaches( modifyContext.getDn() );
+        }
+    }
+
+
+    /**
+     * {@inheritDoc}
+     */
+    public void move( MoveOperationContext moveContext ) throws LdapException
+    {
+        if ( IS_DEBUG )
+        {
+            LOG.debug( "Operation Context: {}", moveContext );
+        }
+
+        checkAuthenticated( moveContext );
+        checkPwdReset( moveContext );
+        next( moveContext );
+        invalidateAuthenticatorCaches( moveContext.getDn() );
+    }
+
+
+    /**
+     * {@inheritDoc}
+     */
+    public void moveAndRename( MoveAndRenameOperationContext moveAndRenameContext ) throws LdapException
+    {
+        if ( IS_DEBUG )
+        {
+            LOG.debug( "Operation Context: {}", moveAndRenameContext );
+        }
+
+        checkAuthenticated( moveAndRenameContext );
+        checkPwdReset( moveAndRenameContext );
+        next( moveAndRenameContext );
+        invalidateAuthenticatorCaches( moveAndRenameContext.getDn() );
+    }
+
+
+    /**
+     * {@inheritDoc}
+     */
+    public void rename( RenameOperationContext renameContext ) throws LdapException
+    {
+        if ( IS_DEBUG )
+        {
+            LOG.debug( "Operation Context: {}", renameContext );
+        }
+
+        checkAuthenticated( renameContext );
+        checkPwdReset( renameContext );
+        next( renameContext );
+        invalidateAuthenticatorCaches( renameContext.getDn() );
+    }
+
+
+    /**
+     * {@inheritDoc}
+     */
+    public EntryFilteringCursor search( SearchOperationContext searchContext ) throws LdapException
+    {
+        if ( IS_DEBUG )
+        {
+            LOG.debug( "Operation Context: {}", searchContext );
+        }
+
+        checkAuthenticated( searchContext );
+        checkPwdReset( searchContext );
+
+        return next( searchContext );
     }
 
 
-    @Override
-    public void unbind( NextInterceptor next, UnbindOperationContext unbindContext ) throws LdapException
+    /**
+     * {@inheritDoc}
+     */
+    public void unbind( UnbindOperationContext unbindContext ) throws LdapException
     {
-        super.unbind( next, unbindContext );
+        next( unbindContext );
 
         // remove the Dn from the password reset Set
         // we do not perform a check to see if the reset flag in the associated ppolicy is enabled
@@ -1110,6 +1134,24 @@ public class AuthenticationInterceptor e
 
 
     /**
+     * Check if the current operation has a valid PrincipalDN or not.
+     *
+     * @param operation the operation type
+     * @throws Exception
+     */
+    private void checkAuthenticated( OperationContext operation ) throws LdapException
+    {
+        if ( operation.getSession().isAnonymous() && !directoryService.isAllowAnonymousAccess()
+            && !operation.getDn().isEmpty() )
+        {
+            String msg = I18n.err( I18n.ERR_5, operation.getName() );
+            LOG.error( msg );
+            throw new LdapNoPermissionException( msg );
+        }
+    }
+
+
+    /**
      * Initialize the PasswordPolicy attributeTypes
      * 
      * @throws LdapException If the initialization failed
@@ -1143,7 +1185,6 @@ public class AuthenticationInterceptor e
 
 
     // ---------- private methods ----------------
-
     private void check( String username, byte[] password, PasswordPolicyConfiguration policyConfig ) throws LdapException
     {
         final int qualityVal = policyConfig.getPwdCheckQuality();
@@ -1171,10 +1212,10 @@ public class AuthenticationInterceptor e
         }
 
         String strPassword = Strings.utf8ToString(password);
-        
+
         // perform the length validation
         validatePasswordLength( strPassword, policyConfig );
-        
+
         policyConfig.getPwdValidator().validate( strPassword, username );
     }
 
@@ -1217,7 +1258,7 @@ public class AuthenticationInterceptor e
         }
 
         int warningAge = policyConfig.getPwdExpireWarning();
-        
+
         if ( warningAge <= 0 )
         {
             return 0;
@@ -1228,14 +1269,14 @@ public class AuthenticationInterceptor e
 
         long currentTime = DateUtils.getDate( DateUtils.getGeneralizedTime() ).getTime();
         int pwdAge = ( int ) ( currentTime - changedTime ) / 1000;
-        
+
         if ( pwdAge > policyConfig.getPwdMaxAge() )
         {
             return 0;
         }
 
         warningAge = policyConfig.getPwdMaxAge() - warningAge;
-        
+
         if ( pwdAge >= warningAge )
         {
             return policyConfig.getPwdMaxAge() - pwdAge;
@@ -1260,14 +1301,14 @@ public class AuthenticationInterceptor e
         }
 
         Attribute pwdChangedTimeAt = userEntry.get( PWD_CHANGED_TIME_AT );
-        
+
         if ( pwdChangedTimeAt != null )
         {
             long changedTime = DateUtils.getDate( pwdChangedTimeAt.getString() ).getTime();
             changedTime += policyConfig.getPwdMinAge() * 1000;
-        
+
             long currentTime = DateUtils.getDate( DateUtils.getGeneralizedTime() ).getTime();
-            
+
             if ( changedTime > currentTime )
             {
                 return true;
@@ -1290,6 +1331,7 @@ public class AuthenticationInterceptor e
         boolean mustChange = false;
 
         Attribute pwdResetAt = userEntry.get( PWD_RESET_AT );
+
         if ( pwdResetAt != null )
         {
             mustChange = Boolean.parseBoolean( pwdResetAt.getString() );
@@ -1304,6 +1346,7 @@ public class AuthenticationInterceptor e
         PwdModDetailsHolder pwdModDetails = new PwdModDetailsHolder();
 
         List<Modification> mods = modifyContext.getModItems();
+
         for ( Modification m : mods )
         {
             Attribute at = m.getAttribute();
@@ -1354,7 +1397,7 @@ public class AuthenticationInterceptor e
                     .hasRequestControl( PasswordPolicy.OID );
                 if ( isPPolicyReqCtrlPresent )
                 {
-                    PasswordPolicyDecorator pwdRespCtrl = 
+                    PasswordPolicyDecorator pwdRespCtrl =
                         new PasswordPolicyDecorator( directoryService.getLdapCodecService(), true );
                     pwdRespCtrl.getResponse().setPasswordPolicyError( PasswordPolicyErrorEnum.CHANGE_AFTER_RESET );
                     opContext.addResponseControl( pwdRespCtrl );
@@ -1365,7 +1408,7 @@ public class AuthenticationInterceptor e
         }
     }
 
-    
+
     private static class PwdModDetailsHolder
     {
         private boolean pwdModPresent = false;
@@ -1438,10 +1481,10 @@ public class AuthenticationInterceptor e
             this.newPwd = newPwd;
         }
     }
-    
+
 
     /**
-     * Gets the effective password policy of the given entry. 
+     * Gets the effective password policy of the given entry.
      * If the entry has defined a custom password policy by setting "pwdPolicySubentry" attribute
      * then the password policy associated with the Dn specified at the above attribute's value will be returned.
      * Otherwise the default password policy will be returned (if present)
@@ -1456,27 +1499,27 @@ public class AuthenticationInterceptor e
         {
             return null;
         }
-        
+
         if ( pwdPolicyContainer.hasCustomConfigs() )
         {
             Attribute pwdPolicySubentry = userEntry.get( pwdPolicySubentryAT );
-            
+
             if ( pwdPolicySubentry != null )
             {
                 Dn configDn = adminSession.getDirectoryService().getDnFactory().create( pwdPolicySubentry.getString() );
-                
+
                 return pwdPolicyContainer.getPolicyConfig( configDn );
             }
         }
-        
+
         return pwdPolicyContainer.getDefaultPolicy();
     }
-    
-    
+
+
     /**
      * set all the password policies to be used by the server.
      * This includes a default(i.e applicable to all entries) and custom(a.k.a per user) password policies
-     *  
+     * 
      * @param policyContainer the container holding all the password policies
      */
     public void setPwdPolicies( PpolicyConfigContainer policyContainer )
@@ -1490,8 +1533,8 @@ public class AuthenticationInterceptor e
      */
     public boolean isPwdPolicyEnabled()
     {
-        return ( ( pwdPolicyContainer != null ) 
-                && ( ( pwdPolicyContainer.getDefaultPolicy() != null ) 
+        return ( ( pwdPolicyContainer != null )
+            && ( ( pwdPolicyContainer.getDefaultPolicy() != null )
                 || ( pwdPolicyContainer.hasCustomConfigs() ) ) );
     }
 

Propchange: directory/apacheds/branches/apacheds-osgi/interceptors/authz/
------------------------------------------------------------------------------
--- svn:mergeinfo (added)
+++ svn:mergeinfo Sat Nov 12 23:58:40 2011
@@ -0,0 +1,10 @@
+/directory/apacheds/branches/apacheds-codec-merge/interceptors/authz:982369-987590
+/directory/apacheds/branches/apacheds-config/interceptors/authz:1023442-1029077
+/directory/apacheds/branches/apacheds-kerberos-codec-2.0/interceptors/authz:1040956-1043765
+/directory/apacheds/branches/apacheds-replication/interceptors/authz:749790-764110
+/directory/apacheds/branches/apacheds-schema/interceptors/authz:806623-896441
+/directory/apacheds/branches/apacheds-subtree/interceptors/authz:965203-965686
+/directory/apacheds/branches/milestones/interceptors/authz:1072812-1075328
+/directory/apacheds/branches/xdbm-refactoring/interceptors/authz:945827-946347
+/directory/apacheds/trunk/interceptors/authz:1066126-1067785,1068026-1072718,1072800-1075329,1185681-1201349
+/directory/studio/trunk/interceptors/authz:1067786-1067997



Mime
View raw message