// Evaluates the password-policy state of userEntry before the bind is allowed to proceed. Every
// violated rule is reported by throwing PasswordPolicyException carrying either the ACCOUNT_LOCKED
// or the PASSWORD_EXPIRED response code.
// NOTE(review): this is a method-body excerpt (signature and block braces are not in the listing),
// so the nesting of the if-blocks below is inferred from statement order — confirm against the source.
AuthenticationInterceptor authenticationInterceptor = (AuthenticationInterceptor)directoryService.getInterceptor( AuthenticationInterceptor.class.getName() );
// The policy is resolved per entry by the interceptor.
PasswordPolicyConfiguration pPolicyConfig = authenticationInterceptor.getPwdPolicy( userEntry );
// check for locked out account
if( pPolicyConfig.isPwdLockout() )
LOG.debug( "checking if account with the Dn {} is locked", userEntry.getDn() );
Attribute accountLockAttr = userEntry.get( PWD_ACCOUNT_LOCKED_TIME_AT );
if( accountLockAttr != null )
String lockedTime = accountLockAttr.getString();
// Sentinel lock time that is treated as a permanent lock rather than a timed one.
if( lockedTime.equals( "000001010000Z" ) )
throw new PasswordPolicyException( "account was permanently locked", ACCOUNT_LOCKED.getValue() );
Date lockedDate = DateUtils.getDate( lockedTime );
// The lockout duration appears to be in seconds: it is scaled by 1000 and added to a millisecond timestamp.
// NOTE(review): if getPwdLockoutDuration() returns an int, the multiplication is evaluated in int
// arithmetic before the widening to long, and overflows for durations above ~24.8 days (use 1000L).
long time = pPolicyConfig.getPwdLockoutDuration() * 1000;
time += lockedDate.getTime();
Date unlockedDate = new Date( time );
// NOTE(review): this compares the lock time with the computed unlock time, not with the current time.
// For any positive duration lockedDate is always before unlockedDate, so the account never unlocks
// automatically; for a duration of 0 the test is false and the lock is cleared on the next bind.
// The intended check looks like "is now still before unlockedDate" — confirm and fix.
if( lockedDate.before( unlockedDate ) )
throw new PasswordPolicyException( "account will remain locked till " + unlockedDate, ACCOUNT_LOCKED.getValue() );
// remove pwdAccountLockedTime attribute
Modification pwdAccountLockMod = new DefaultModification( ModificationOperation.REMOVE_ATTRIBUTE, accountLockAttr );
// DO NOT bypass the interceptor chain, otherwise the changes can't be replicated
directoryService.getAdminSession().modify( userEntry.getDn(), pwdAccountLockMod );
// pwdStartTime: the account cannot be used before this instant.
Attribute pwdStartTimeAttr = userEntry.get( PWD_START_TIME_AT );
if( pwdStartTimeAttr != null )
Date pwdStartTime = DateUtils.getDate( pwdStartTimeAttr.getString() );
if( System.currentTimeMillis() < pwdStartTime.getTime() )
throw new PasswordPolicyException( "account is locked, will be activated after " + pwdStartTime, ACCOUNT_LOCKED.getValue() );
// pwdEndTime: the account cannot be used at or after this instant.
Attribute pwdEndTimeAttr = userEntry.get( PWD_END_TIME_AT );
if( pwdEndTimeAttr != null )
Date pwdEndTime = DateUtils.getDate( pwdEndTimeAttr.getString() );
if( System.currentTimeMillis() >= pwdEndTime.getTime() )
throw new PasswordPolicyException( "password end time reached, will be locked till administrator activates it", ACCOUNT_LOCKED.getValue() );
// pwdMaxIdle: reject the bind when the last successful authentication is too far in the past.
if( pPolicyConfig.getPwdMaxIdle() > 0 )
Attribute pwdLastSuccessTimeAttr = userEntry.get( PWD_LAST_SUCCESS_AT );
// NOTE(review): same int-before-long scaling concern as the lockout duration above.
long time = pPolicyConfig.getPwdMaxIdle() * 1000;
// NOTE(review): unlike the other attribute lookups in this block, pwdLastSuccessTimeAttr is
// dereferenced without a null check; an entry with no pwdLastSuccess value would fail with a
// NullPointerException instead of a PasswordPolicyException — confirm it is always present.
time += DateUtils.getDate( pwdLastSuccessTimeAttr.getString() ).getTime();
if( System.currentTimeMillis() >= time )
throw new PasswordPolicyException( "account locked due to the max idle time of the password was exceeded", ACCOUNT_LOCKED.getValue() );
// pwdMaxAge: password expiry, with an optional allowance of grace logins.
if ( pPolicyConfig.getPwdMaxAge() > 0 )
if( pPolicyConfig.getPwdGraceAuthNLimit() > 0 )
Attribute pwdGraceUseAttr = userEntry.get( PWD_GRACE_USE_TIME_AT );
// check for grace authentication count
// The number of values of pwdGraceUseTime is used as the count of grace logins already consumed.
if( pwdGraceUseAttr != null )
if( pwdGraceUseAttr.size() >= pPolicyConfig.getPwdGraceAuthNLimit() )
throw new PasswordPolicyException( "paasword expired and max grace logins were used", PASSWORD_EXPIRED.getValue() );
Attribute pwdChangeTimeAttr = userEntry.get( PWD_CHANGED_TIME_AT );
// NOTE(review): pwdChangeTimeAttr is also dereferenced without a null check (see pwdLastSuccessTimeAttr above).
boolean expired = PasswordUtil.isPwdExpired( pwdChangeTimeAttr.getString(), pPolicyConfig.getPwdMaxAge() );
if( expired )
throw new PasswordPolicyException( "paasword expired", PASSWORD_EXPIRED.getValue() );