Password validators are responsible for determining whether a proposed password is acceptable for use and can run checks like ensuring the password meets minimum length requirements, that it has an appropriate range of characters, or that it is not in the history. OpenDJ directory server provides a variety of password validators.
$ dsconfig list-password-validators --hostname opendj.example.com --port 4444 \
  --bindDN "cn=Directory Manager" --bindPassword password

Password Validator                  : Type                : enabled
------------------------------------:---------------------:--------
Attribute Value                     : attribute-value     : true
Character Set                       : character-set       : true
Dictionary                          : dictionary          : false
Length-Based Password Validator     : length-based        : true
Repeated Characters                 : repeated-characters : true
Similarity-Based Password Validator : similarity-based    : true
Unique Characters                   : unique-characters   : true
The password policy for a user specifies the set of password validators that should be used whenever that user provides a new password. By default no password validators are configured. You can see an example setting the Default Password Policy to use the Dictionary validator in Procedure 11.1, “To Adjust the Default Password Policy”. The following example shows how to set up a custom password validator and assign it to the default password policy.
The custom password validator ensures passwords meet at least three of the following four criteria. Passwords are composed of:
- English lowercase characters (a through z)
- English uppercase characters (A through Z)
- Base 10 digits (0 through 9)
- Non-alphabetic characters (for example, !, $, #, %)
Notice how the character-set values are constructed. The initial 0: means the set is optional, whereas 1: would mean the set is required.
$ dsconfig create-password-validator \
  --hostname opendj.example.com \
  --port 4444 \
  --bindDN "cn=Directory Manager" \
  --bindPassword password \
  --validator-name "Custom Character Set Password Validator" \
  --set allow-unclassified-characters:true \
  --set enabled:true \
  --set character-set:0:abcdefghijklmnopqrstuvwxyz \
  --set character-set:0:ABCDEFGHIJKLMNOPQRSTUVWXYZ \
  --set character-set:0:0123456789 \
  --set character-set:0:!\"#\$%&\'\(\)*+,-./:\;\\<=\>?@[\\]^_\`{\|}~ \
  --set min-character-sets:3 \
  --type character-set \
  --no-prompt

$ dsconfig set-password-policy-prop \
  --hostname opendj.example.com \
  --port 4444 \
  --bindDN "cn=Directory Manager" \
  --bindPassword password \
  --policy-name "Default Password Policy" \
  --set password-validator:"Custom Character Set Password Validator" \
  --no-prompt
$ ldappasswordmodify \
  --port 1389 \
  --bindDN "cn=Directory Manager" \
  --bindPassword password \
  --authzID "u:bjensen" \
  --newPassword '!ABcd$%^'

In the preceding example, the character set of ASCII punctuation, !\"#\$%&\'\(\)*+,-./:\;\\<=\>?@[\\]^_\`{\|}~, is hard to read because of all the escape characters. In practice it can be easier to enter sequences like that by using dsconfig in interactive mode, and letting it do the escaping for you. You can also use the --commandFilePath {path} option to save the result of your interactive session to a file for use in scripts later.
An attempt to set an invalid password fails as shown in the following example.
$ ldappasswordmodify \
  --port 1389 \
  --bindDN "cn=Directory Manager" \
  --bindPassword password \
  --authzID "u:bjensen" \
  --newPassword hifalutin

The LDAP password modify operation failed with result code 19
Error Message: The provided new password failed the validation checks defined
in the server: The provided password did not contain characters from at least
3 of the following character sets or ranges: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
'!"#$%&'()*+,-./:;<=\>?@[\]^_`{|}~', '0123456789', 'abcdefghijklmnopqrstuvwxyz'

Validation does not affect existing passwords, but only takes effect when the password is updated.
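As an added example that is not OpenDJ code or part of this guide, the following Python models the rules this section configures (the 0:/1: prefix on each character-set value, min-character-sets, and allow-unclassified-characters) and checks the two passwords tried above, '!ABcd$%^' and hifalutin, against the same four sets. It assumes a prefix greater than zero is the minimum number of characters required from that set; the page itself only describes 1: as "required".

```python
import string
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class CharacterSetValidator:
    # Offline model of the character-set validator settings used on this page.
    character_sets: List[str]                 # raw dsconfig values, "N:characters"
    min_character_sets: int = 0               # how many optional (0:) sets must be hit
    allow_unclassified_characters: bool = True
    parsed: List[Tuple[int, Set[str]]] = field(init=False, default_factory=list)

    def __post_init__(self) -> None:
        for raw in self.character_sets:
            count, _, chars = raw.partition(":")
            # 0: optional set; N>0: assumed to mean at least N characters from the set
            self.parsed.append((int(count), set(chars)))

    def validate(self, password: str) -> Tuple[bool, str]:
        classified = set().union(*(chars for _, chars in self.parsed))
        unclassified = sorted({c for c in password if c not in classified})
        if unclassified and not self.allow_unclassified_characters:
            return False, "contains unclassified characters: %r" % "".join(unclassified)
        optional_hits = 0
        for minimum, chars in self.parsed:
            hits = sum(1 for c in password if c in chars)
            if minimum > 0 and hits < minimum:
                return False, "needs at least %d characters from %r" % (minimum, "".join(sorted(chars)))
            if minimum == 0 and hits > 0:
                optional_hits += 1
        if optional_hits < self.min_character_sets:
            return False, "did not contain characters from at least %d of the optional character sets" % self.min_character_sets
        return True, "ok"


# Same settings as the dsconfig create-password-validator command above.
# string.punctuation is exactly the ASCII punctuation set the page escapes by hand.
PAGE_VALIDATOR = CharacterSetValidator(
    character_sets=["0:" + string.ascii_lowercase,
                    "0:" + string.ascii_uppercase,
                    "0:" + string.digits,
                    "0:" + string.punctuation],
    min_character_sets=3,
    allow_unclassified_characters=True,
)

if __name__ == "__main__":
    for pw in ("!ABcd$%^", "hifalutin"):   # the two passwords tried on this page
        print(pw, PAGE_VALIDATOR.validate(pw))
```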

