Configuring the Attribute Value Password Validator
Steps
- To edit the existing default configuration for the Attribute Value Password Validator, run the dsconfig tool.

  Example:
  In this example, the change configures the validator to examine only a specified set of attributes.

  $ bin/dsconfig set-password-validator-prop \
      --validator-name "Attribute Value" \
      --set match-attribute:cn \
      --set match-attribute:sn \
      --set match-attribute:telephonenumber \
      --set match-attribute:uid

- Update an existing password policy to use the Attribute Value Password Validator.

  Example:

  $ bin/dsconfig set-password-policy-prop \
      --policy-name "Default Password Policy" \
      --set "password-validator:Attribute Value"

- Test the Attribute Value Password Validator by submitting a password that is identical to one of the configured attributes (cn, sn, telephonenumber, uid).

  Example:

  $ bin/ldappasswordmodify --authzID "uid=user.0,ou=People,dc=example,dc=com" \
      --newPassword user.0

  Result:

  The LDAP password modify operation failed with result code 53
  Error Message: The provided new password failed the validation checks defined in the server: The provided password was found in another attribute in the user entry
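
One way to script the check in the test step, as an added example that is not part of the original documentation: the function classifies captured ldappasswordmodify output so that a run confirms this validator, and not some other failure, rejected the password. The function name, the labels and the two non-rejection samples are assumptions made for the example.

```shell
# Added example: classify output captured from the validator test step.
# Function name and labels are hypothetical, not part of the product.

# Output shown on this page for a rejected password.
SAMPLE_REJECTED='The LDAP password modify operation failed with result code 53
Error Message: The provided new password failed the validation checks defined in the server: The provided password was found in another attribute in the user entry'

# Constructed samples for the other branches (not captured from a server).
SAMPLE_OTHER_FAILURE='The LDAP password modify operation failed with result code 49'
SAMPLE_NO_FAILURE='The LDAP password modify operation was successful'

classify_pwmod_output() {
  pw_out=$1
  # Extract NN from "... failed with result code NN".
  pw_code=$(printf '%s\n' "$pw_out" |
    sed -n 's/.*failed with result code \([0-9][0-9]*\).*/\1/p' | head -n 1)

  if [ -z "$pw_code" ]; then
    # No failure line: the new password was not rejected.
    echo "NOT_REJECTED"
  elif [ "$pw_code" = "53" ] && printf '%s\n' "$pw_out" |
      grep -q 'found in another attribute in the user entry'; then
    # Result code 53 together with the attribute-value rejection message.
    echo "REJECTED_BY_ATTRIBUTE_VALUE"
  else
    # Failed for another reason (different result code or different message).
    echo "FAILED_OTHER:$pw_code"
  fi
}

# Demonstration over the embedded samples.
for pw_sample in "$SAMPLE_REJECTED" "$SAMPLE_OTHER_FAILURE" "$SAMPLE_NO_FAILURE"; do
  classify_pwmod_output "$pw_sample"
done
```

Pass it the captured output of the test command, including stderr. Treat NOT_REJECTED as the validator not having stopped the change, and reset the test account's password afterwards.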