Configuring password validators
You can use the dsconfig configuration tool or the administrative console to configure or modify any password validators. After you define your password validators, you can add them to an existing password policy. The following example procedures show the dsconfig non-interactive commands necessary to carry out such tasks. If you use dsconfig in interactive command-line mode, you can access the Password Validator menu in the Basic Objects menu. For more details on the password validator properties, see the PingDirectory server Configuration Reference.
Note that password-validator is a multi-valued property of a password policy: --set replaces whatever validators the policy already references with the values you supply, whereas --add appends to them. The examples below use --set so that each procedure stands on its own; on a policy that already references validators, use --add (or name every validator you want in a single command) so that you do not silently drop existing checks. A validator only has an effect when it is referenced by a password policy that governs the user's entry; a validator that is defined but referenced by no policy does nothing.
Viewing the list of defined password validators
Steps
-
To view the set of password validators defined in the server, run the dsconfig list-password-validators subcommand. The output includes the preconfigured validators used in the procedures below (Attribute Value, Character Set, Length-Based Password Validator, Pwned Passwords, Repeated Characters, Similarity-Based Password Validator, and Unique Characters).
Configuring the Attribute Value Password Validator
Steps
-
To edit the existing default configuration for the Attribute Value Password Validator, run the dsconfig tool.
Example:
In this example, the configuration change restricts the validator to examining only the specified set of attributes (cn, sn, telephonenumber, and uid), so a new password may not be identical to any of those values in the user's own entry.
$ bin/dsconfig set-password-validator-prop \
  --validator-name "Attribute Value" \
  --set match-attribute:cn \
  --set match-attribute:sn \
  --set match-attribute:telephonenumber \
  --set match-attribute:uid
-
Update an existing password policy to use the Attribute Value Password Validator.
Example:
$ bin/dsconfig set-password-policy-prop \
  --policy-name "Default Password Policy" \
  --set "password-validator:Attribute Value"
-
Test the Attribute Value Password Validator by submitting a password that is identical to one of the configured attributes (cn, sn, telephonenumber, or uid). In this example the new password equals the user's uid value.
Example:
$ bin/ldappasswordmodify \
  --authzID "uid=user.0,ou=People,dc=example,dc=com" \
  --newPassword user.0
Result:
The LDAP password modify operation failed with result code 53 Error Message: The provided new password failed the validation checks defined in the server: The provided password was found in another attribute in the user entry
Configuring the Character Set Password Validator
Steps
-
To edit the existing default configuration, run the dsconfig tool.
Example:
This example makes the special characters optional in a password and adds a requirement for at least two digits. Each character-set value has the form minimum:characters, so the command removes the default entries that require one digit and one special character and adds entries requiring two digits and zero (optional) special characters. After the change, every new password must contain at least one lowercase letter, one uppercase letter, and two digits, and may contain any of the listed special characters. Because allow-unclassified-characters is set to false, a password containing any character that belongs to none of the configured sets (for example a space) is rejected.
$ bin/dsconfig set-password-validator-prop \
  --validator-name "Character Set" \
  --remove character-set:1:0123456789 \
  --remove "character-set:1:~\!@#\$\%^&*()-=+[]{}\|;:,.<>/?" \
  --add character-set:2:0123456789 \
  --add "character-set:0:~\!@#\$\%^&*()-=+[]{}\|;:,.<>/?" \
  --set allow-unclassified-characters:false
-
Update an existing password policy to use the Character Set Password Validator.
Example:
$ bin/dsconfig set-password-policy-prop \
  --policy-name "Default Password Policy" \
  --set "password-validator:Character Set"
-
Test the Character Set Password Validator by submitting a password that does not meet the requirements (at least one lowercase letter, one uppercase letter, and two digits).
Example:
The server should reject the following password: abab1 contains no uppercase letter and only one digit, so it fails the Character Set Password Validator.
$ bin/ldappasswordmodify \
  --authzID "uid=user.0,ou=People,dc=example,dc=com" \
  --newPassword abab1
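The following Python script is an added example and is not part of the PingDirectory documentation or product. It models the Character Set Password Validator as configured in the steps above, so that candidate passwords can be checked offline before the change is pushed to a server and the behaviour of allow-unclassified-characters:false can be seen directly. The character sets and minimum counts are taken from the dsconfig command above; the candidate passwords are constructed for this example, and the exact wording of the reasons is mine, not the server's.

```python
"""Offline model of the Character Set Password Validator as configured above.

Added example, not PingDirectory code. It mirrors the semantics the procedure
describes: every character-set:N:chars value requires at least N characters
from that set, and allow-unclassified-characters:false rejects a password that
contains any character belonging to none of the sets.
"""
import string

# The sets after the dsconfig command above: lowercase and uppercase keep the
# default minimum of 1, digits are raised to 2, and the special characters
# (the page's set, backslash included) become optional with a minimum of 0.
CHARACTER_SETS = [
    (1, string.ascii_lowercase),
    (1, string.ascii_uppercase),
    (2, string.digits),
    (0, "~!@#$%^&*()-=+[]{}\\|;:,.<>/?"),
]
ALLOW_UNCLASSIFIED_CHARACTERS = False


def character_set_violations(password, sets=CHARACTER_SETS,
                             allow_unclassified=ALLOW_UNCLASSIFIED_CHARACTERS):
    """Return the reasons the password would be rejected (empty list = accepted)."""
    reasons = []
    for minimum, chars in sets:
        count = sum(1 for c in password if c in chars)
        if count < minimum:
            reasons.append(f"needs at least {minimum} from {chars!r}, has {count}")
    if not allow_unclassified:
        classified = set().union(*(set(chars) for _, chars in sets))
        unclassified = sorted({c for c in password if c not in classified})
        if unclassified:
            reasons.append(f"contains unclassified characters {unclassified}")
    return reasons


def is_acceptable(password):
    """True if the configured Character Set validator would accept the password."""
    return not character_set_violations(password)


if __name__ == "__main__":
    # Constructed candidates: the page's failing example plus three variants.
    for candidate in ("abab1", "abAB12", "abAB12!", "abAB12 "):
        print(f"{candidate!r}: {character_set_violations(candidate) or 'accepted'}")
```

Running the script shows that abab1 fails on two counts (no uppercase letter, one digit instead of two), abAB12 and abAB12! are accepted, and abAB12 with a trailing space is rejected solely because the space is not in any configured set.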
Configuring the Length-Based Password Validator
Steps
-
To edit the existing default configuration, run the dsconfig tool.
Example:
In this example, the required minimum number of characters in a password is set to five. Five is used only to keep the test short; choose a considerably higher minimum for a production policy. Leave max-password-length at its default so that no upper bound is imposed; setting both properties to the same value would force every password to be exactly that length.
$ bin/dsconfig set-password-validator-prop \
  --validator-name "Length-Based Password Validator" \
  --set min-password-length:5
-
Update an existing password policy to use the Length-Based Password Validator.
Example:
$ bin/dsconfig set-password-policy-prop \
  --policy-name "Default Password Policy" \
  --set "password-validator:Length-Based Password Validator"
-
Test the Length-Based Password Validator by submitting a password that has fewer than the minimum number of required characters.
Example:
$ bin/ldappasswordmodify \
  --authzID "uid=user.0,ou=People,dc=example,dc=com" \
  --newPassword abcd
Result:
The LDAP password modify operation failed with result code 53 Error Message: The provided new password failed the validation checks defined in the server: The provided password is shorter than the minimum required length of 5 characters
Configuring the Pwned Passwords Password Validator
The server is preconfigured with an instance of the Pwned Passwords Password Validator.
About this task
Use the dsconfig tool to configure the Pwned Passwords Password Validator.
Steps
-
Run the dsconfig tool to update an existing password policy to use the Pwned Passwords Password Validator, replacing [PASSWORD_POLICY_NAME] with the name of your password policy. This example uses --add so that any validators the policy already references are kept.
$ bin/dsconfig set-password-policy-prop \
  --policy-name "[PASSWORD_POLICY_NAME]" \
  --add "password-validator:Pwned Passwords"
-
Test the validator by submitting a password that is known to be compromised, for example password. The validator looks the candidate up in the Pwned Passwords service (sending only a hash prefix, never the password itself), so the server needs outbound HTTPS connectivity to that service; before relying on it, confirm how the validator is configured to behave when the lookup fails, so that an outage does not silently allow compromised passwords through.
Configuring the Regular Expression Password Validator
About this task
Use the dsconfig tool to configure the Regular Expression Password Validator.
Steps
-
Use dsconfig to create a regular expression password validator.
Example:
The following password validator checks that the password contains at least one digit, one lowercase letter, and one uppercase letter, with no restriction on password length. If the password matches the regular expression, it is accepted (match-behavior:require-match). Note that the pattern is built from \w, which matches only letters, digits, and underscore, and is anchored as ^\w*...\w*$, so as written it also rejects any password that contains a space or punctuation (for example Passw0rd!); if that is not intended, write the lookaheads over . rather than \w. When using the following command, remember to include the LDAP/LDAPS connection parameters (host name and port), bind DN, and bind password.
$ bin/dsconfig create-password-validator \
  --validator-name "Regular Expression" \
  --type regular-expression --set enabled:true \
  --set "match-pattern:^\\w*(?=\\w*\\d)(?=\\w*[a-z])(?=\\w*[A-Z])\\w*\$" \
  --set match-behavior:require-match
-
Update an existing password policy to use the regular expression password validator.
Example:
$ bin/dsconfig set-password-policy-prop \
  --policy-name "Default Password Policy" \
  --set "password-validator:Regular Expression"
-
Test the regular expression password validator by submitting a password that meets the requirements: at least one digit, one lowercase letter, and one uppercase letter.
Example:
$ bin/ldappasswordmodify \
  --authzID "uid=user.0,ou=People,dc=example,dc=com" \
  --newPassword baaA1
Result:
The LDAP password modify operation was successful
-
Test a password that does not meet the password requirements.
Example:
The following password should fail because no uppercase letter is present.
$ bin/ldappasswordmodify \
  --authzID "uid=user.0,ou=People,dc=example,dc=com" \
  --newPassword baaa1
Result:
Error Message: The provided new password failed the validation checks defined in the server: The provided password is not acceptable because it does not match regular expression pattern '^\w*(?=\w*\d)(?=\w*[a-z])(?=\w*[A-Z])\w*$'
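The following Python script is an added example, not code from the PingDirectory documentation or product. It applies the match-pattern from the procedure above to the page's two test passwords and to one with punctuation, to show that the pattern's reliance on \w rejects Passw0rd! even though that password has a digit, a lowercase letter, and an uppercase letter. The server evaluates the pattern with Java's regex engine, where \w is [A-Za-z0-9_] by default; re.ASCII gives Python the same behaviour. The RELAXED_PATTERN alternative and the accepted() helper are my additions and are not part of the page.

```python
"""Added example, not PingDirectory code: how the regular expression from the
procedure above behaves, and why its use of \\w is narrower than it looks."""
import re

# The match-pattern exactly as the server receives it after shell quoting.
# re.ASCII mirrors Java's default, where \w matches only [A-Za-z0-9_].
PAGE_PATTERN = re.compile(r"^\w*(?=\w*\d)(?=\w*[a-z])(?=\w*[A-Z])\w*$", re.ASCII)

# Assumed alternative (mine, not from the page): the same three requirements
# expressed as lookaheads over ".", so punctuation and spaces are allowed.
RELAXED_PATTERN = re.compile(r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).+$")


def accepted(pattern, password, match_behavior="require-match"):
    """Apply a pattern the way the validator does for either match-behavior value."""
    matched = pattern.search(password) is not None
    if match_behavior == "require-match":
        return matched
    if match_behavior == "reject-match":
        return not matched
    raise ValueError(f"unknown match-behavior {match_behavior!r}")


if __name__ == "__main__":
    # Constructed candidates: the page's two test passwords plus one with punctuation.
    for pw in ("baaA1", "baaa1", "Passw0rd!"):
        print(f"{pw!r}: page pattern {accepted(PAGE_PATTERN, pw)}, "
              f"relaxed pattern {accepted(RELAXED_PATTERN, pw)}")
```

The page pattern accepts baaA1 and rejects baaa1, as the procedure shows, but it also rejects Passw0rd! because the trailing ! cannot be consumed by \w*; the relaxed pattern accepts it while still rejecting baaa1 for its missing uppercase letter.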
Configuring the Repeated Character Password Validator
You can configure the Repeated Character Password Validator with the dsconfig
command. This validator ensures that user passwords don’t contain character fragments, such as strings of repeated characters like "aaaaaa" or "aaabbb."
Steps
-
To edit the existing default configuration, run the dsconfig tool.
Choose from:
-
Set the maximum consecutive length of any character.
In the following example, the maximum consecutive length of any character is raised from the default of 2 to 3. The validator then rejects any password with 4 or more consecutive identical characters, such as "baaaa1" or "4eeeeb", but accepts "baaa1".
$ bin/dsconfig set-password-validator-prop \
  --validator-name "Repeated Characters" \
  --set max-consecutive-length:3
-
Configure the validator to treat the characters of a character set as equivalent, so that a password is rejected when characters from the same set appear more than the maximum consecutive length (by default 2) times in a row.
You can specify more than one character set. For example, the following command defines two character sets, abc and 123. With the default maximum consecutive length of 2, the validator rejects any password containing three or more consecutive characters from one set, such as "aaa", "bbb", "ccc", "abc", or "123". A password such as "12a3" is acceptable because the "a" breaks the run of digits.
$ bin/dsconfig set-password-validator-prop \
  --validator-name "Repeated Characters" \
  --set character-set:123 --set character-set:abc
-
-
Update an existing password policy to use the Repeated Character Password Validator.
Example:
$ bin/dsconfig --no-prompt set-password-policy-prop \
  --policy-name "Default Password Policy" \
  --set "password-validator:Repeated Characters"
-
To test the Repeated Character Password Validator, submit a password that exceeds the maximum allowable length of consecutive characters.
Example:
For this example, the faulty password submitted is baaa1, which contains three consecutive "a" characters and therefore fails with the default max-consecutive-length of 2. If you raised max-consecutive-length to 3 in the first option above, baaa1 is accepted; use a password such as baaaa1 instead.
$ bin/ldappasswordmodify \
  --authzID "uid=user.0,ou=People,dc=example,dc=com" \
  --newPassword baaa1
Result:
The LDAP password modify operation failed with result code 53 Error Message: The provided new password failed the validation checks defined in the server: The provided password contained too many instances of the same character appearing consecutively. The maximum number of times the same character may appear consecutively in a password is 2
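The following Python script is an added example, not code from the PingDirectory documentation or product. It models the two settings of the Repeated Character Password Validator described above so that the examples in the procedure (baaa1 versus baaaa1, and "abc" versus "12a3" with the abc and 123 character sets) can be checked offline. The rule that each configured character set makes its members equivalent for the consecutive count comes from the procedure; treating a character that belongs to no set as equivalent only to itself is my assumption, as are the candidate passwords.

```python
"""Added example, not PingDirectory code: an offline model of the Repeated
Character Password Validator's two knobs as the procedure describes them.
max-consecutive-length caps how many times "the same" character may appear in
a row; each character-set value makes its members equivalent for that count,
so "abc" counts as three in a row when "abc" is a configured set.  Treating a
character outside every set as equivalent only to itself is an assumption."""


def longest_run(password, character_sets=()):
    """Length of the longest run of consecutive equivalent characters."""
    def equivalence_class(c):
        for members in character_sets:
            if c in members:
                return members  # all members of one set compare equal
        return c                # a character in no set is only equal to itself

    longest = run = 0
    previous = None
    for c in password:
        cls = equivalence_class(c)
        run = run + 1 if cls == previous else 1
        previous = cls
        longest = max(longest, run)
    return longest


def repeated_characters_ok(password, max_consecutive_length=2, character_sets=()):
    """True if the password would pass with the given configuration.

    The default max-consecutive-length of 2 is the value the page's test
    result reports."""
    return longest_run(password, character_sets) <= max_consecutive_length


if __name__ == "__main__":
    # Constructed checks drawn from the examples in the procedure above.
    print(repeated_characters_ok("baaa1"))                               # False
    print(repeated_characters_ok("baaa1", max_consecutive_length=3))     # True
    print(repeated_characters_ok("baaaa1", max_consecutive_length=3))    # False
    print(repeated_characters_ok("abc", character_sets=("abc", "123")))  # False
    print(repeated_characters_ok("12a3", character_sets=("abc", "123"))) # True
```

With the default of 2, baaa1 is rejected exactly as the Result above shows; raising the limit to 3 lets baaa1 through while still rejecting baaaa1 and 4eeeeb, and the equivalence sets make "abc" and "123" count as three-in-a-row runs even though no single character repeats.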
Configuring the Similarity-Based Password Validator
Use the dsconfig tool to configure the Similarity-Based Password Validator.
Steps
-
To edit the existing default configuration, run the dsconfig tool.
Example:
In this example, the minimum number of differences between the old and new password is set to 2.
$ bin/dsconfig set-password-validator-prop \
  --validator-name "Similarity-Based Password Validator" \
  --set min-password-difference:2
-
Update an existing password policy to use the Similarity-Based Password Validator.
The password-change-requires-current-password property must be set to true so that the password policy ensures the user's current password is available when that user chooses a new password; without it the validator has nothing to compare against.
Example:
$ bin/dsconfig set-password-policy-prop \
  --policy-name "Default Password Policy" \
  --set "password-validator:Similarity-Based Password Validator" \
  --set password-change-requires-current-password:true
-
Test the Similarity-Based Password Validator by submitting a new password that differs from the current one by fewer than the configured minimum (here, abcdd differs from abcde in a single character, which is fewer than 2).
The ldappasswordmodify command requires the --currentPassword option when testing the Similarity-Based Password Validator.
Example:
$ bin/ldappasswordmodify \
  --authzID "uid=user.0,ou=People,dc=example,dc=com" \
  --currentPassword abcde --newPassword abcdd
Result:
The LDAP password modify operation failed with result code 49.
Result code 49 (invalidCredentials) indicates that the supplied --currentPassword did not match the user's stored password, so the operation was refused before the new password was validated; when the current password is correct and the new one is too similar, the failure is reported with result code 53 and a validation error message, as with the other validators on this page.
Configuring the Unique Characters Password Validator
Use the dsconfig tool to configure, update, and test the Unique Characters Password Validator.
Steps
-
To edit the existing default configuration, run the dsconfig tool.
Example:
In this example, the minimum number of unique characters that a password must contain is set to 3.
$ bin/dsconfig set-password-validator-prop \
  --validator-name "Unique Characters" \
  --set min-unique-characters:3
-
Update an existing password policy to use the Unique Characters Password Validator.
Example:
$ bin/dsconfig set-password-policy-prop \
  --policy-name "Default Password Policy" \
  --set "password-validator:Unique Characters"
-
Test the Unique Characters Password Validator by submitting a password that contains fewer than the configured minimum of 3 unique characters; aaaaa contains only one.
Example:
$ bin/ldappasswordmodify \
  --authzID "uid=user.0,ou=People,dc=example,dc=com" \
  --newPassword aaaaa
Result:
The LDAP password modify operation failed with result code 53 Error Message: The provided new password failed the validation checks defined in the server: The provided password does not contain enough unique characters. The minimum number of unique characters that may appear in a user password is 3