PingDirectory

Configuring the Attribute Value Password Validator

Steps

  1. To edit the existing default configuration for the Attribute Value Password Validator, run the dsconfig tool.

    Example:

    In this example, the validator is configured to examine only a specified set of attributes.

    $ bin/dsconfig set-password-validator-prop \
      --validator-name "Attribute Value" \
      --set match-attribute:cn \
      --set match-attribute:sn \
      --set match-attribute:telephonenumber \
      --set match-attribute:uid

  2. Update an existing password policy to use the Attribute Value Password Validator.

    Example:

    $ bin/dsconfig set-password-policy-prop \
      --policy-name "Default Password Policy" \
      --set "password-validator:Attribute Value"

  3. Test the Attribute Value Password Validator by submitting a password that is identical to the value of one of the configured attributes (cn, sn, telephonenumber, uid).

    Example:

    $ bin/ldappasswordmodify --authzID "uid=user.0,ou=People,dc=example,dc=com" \
      --newPassword user.0

    Result:

    The LDAP password modify operation failed with result code 53
    Error Message: The provided new password failed the validation checks defined in the
    server: The provided password was found in another attribute in the user entry
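
The check configured in the steps above, as an added offline example that is not PingDirectory's own code: a simplified model that parses one LDIF entry and reports which of the configured match-attribute values a candidate password equals. The sample entry is constructed, and the case-insensitive, exact-match comparison is an assumption of this model rather than documented server behavior.

```python
import base64

# Attributes named by match-attribute in step 1 of this page.
MATCH_ATTRIBUTES = ("cn", "sn", "telephonenumber", "uid")

# Constructed sample entry (not from a real directory). It includes a folded
# line and a base64-encoded value, both of which LDIF allows.
SAMPLE_LDIF = """\
dn: uid=user.0,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: user.0
cn: Aaren Atp
sn:: QXRw
telephoneNumber: +1 390 103 69
 17
mail: user.0@example.com
"""


def parse_entry(ldif):
    """Parse one LDIF entry into {lowercased attribute: [values]}."""
    logical = []
    for line in ldif.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]          # unfold continuation line
        elif line and not line.startswith("#"):
            logical.append(line)
    entry = {}
    for line in logical:
        name, _, rest = line.partition(":")
        if rest.startswith(":"):             # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        entry.setdefault(name.lower(), []).append(value)
    return entry


def colliding_attributes(entry, password, match_attributes=MATCH_ATTRIBUTES):
    """Return the configured attributes holding a value equal to password."""
    wanted = password.casefold()             # assumption: ignore case
    return [attr for attr in match_attributes
            if any(v.casefold() == wanted for v in entry.get(attr.lower(), []))]


if __name__ == "__main__":
    entry = parse_entry(SAMPLE_LDIF)
    for candidate in ("user.0", "atp", "+1 390 103 6917", "user.0@example.com"):
        print(candidate, "->", colliding_attributes(entry, candidate) or "no match")
```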