PingDirectory

Configuring password validators

You can use the dsconfig configuration tool or the administrative console to configure or modify any password validators.

After you define your password validators, you can add them to an existing password policy. The following example procedures show the dsconfig non-interactive commands necessary to carry out such tasks. If you use dsconfig in interactive command-line mode, you can access the Password Validator menu in the Basic Objects menu. For more details on the password validator properties, see the PingDirectory server Configuration Reference.

Viewing the list of defined password validators

Steps

  • To view the set of password validators defined in the server, run the dsconfig tool.

Configuring the Attribute Value Password Validator

Steps

  1. To edit the existing default configuration for the Attribute Value Password Validator, run the dsconfig tool.

    Example:

    In this example, the configuration change configures the validator to only examine a specified set of attributes.

    $ bin/dsconfig set-password-validator-prop \
      --validator-name "Attribute Value" \
      --set match-attribute:cn \
      --set match-attribute:sn \
      --set match-attribute:telephonenumber \
      --set match-attribute:uid
  2. Update an existing password policy to use the Attribute Value Password Validator.

    Example:

    $ bin/dsconfig set-password-policy-prop \
      --policy-name "Default Password Policy" \
      --set "password-validator:Attribute Value"
  3. Test the Attribute Value Password Validator by submitting a password that is identical to one of the configured attributes (cn, sn, telephonenumber, uid).

    Example:

    $ bin/ldappasswordmodify --authzID "uid=user.0,ou=People,dc=example,dc=com" \
      --newPassword user.0

    Result:

    The LDAP password modify operation failed with result code 53
    Error Message: The provided new password failed the validation checks defined in the
    server: The provided password was found in another attribute in the user entry

Configuring the Character Set Password Validator

Steps

  1. To edit the existing default configuration, run the dsconfig tool.

    Example:

    This example changes the requirement for special characters by making them optional in a password and adds a requirement to include at least two digits in the password. In this example, all newly created passwords must have at least one lowercase letter, one uppercase letter, two digits, and optionally any special characters listed.

    $ bin/dsconfig set-password-validator-prop \
      --validator-name "Character Set" \
      --remove character-set:1:0123456789 \
      --remove "character-set:1:~\!@#\$\%^&*()-_=+[]{}\|;:,.<>/?" \
      --add character-set:2:0123456789 \
      --add "character-set:0:~\!@#\$\%^&*()-_=+[]{}\|;:,.<>/?" \
      --set allow-unclassified-characters:false
  2. Update an existing password policy to use the Character Set Password Validator.

    Example:

    $ bin/dsconfig set-password-policy-prop \
      --policy-name "Default Password Policy" \
      --set "password-validator:Character Set"
  3. Test the Character Set Password Validator by submitting a password that is checked against the requirements (one lowercase letter, one uppercase letter, two digits).

    Example:

    This example should reject the given password because it does not pass the Character Set Password Validator.

    $ bin/ldappasswordmodify \
      --authzID "uid=user.0,ou=People,dc=example,dc=com" --newPassword abab1
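    The following added example (not PingDirectory code) models the Character Set Password Validator as configured above, so a candidate password can be checked offline before the policy goes live. It assumes the default lowercase and uppercase sets are still present, that "N:chars" means at least N characters from chars (0 marks the set as optional), and that allow-unclassified-characters:false rejects any character belonging to no configured set.

```python
"""Model of the Character Set Password Validator rules configured above.
Added example, not PingDirectory code; the set semantics are assumptions
drawn from the dsconfig command and the explanatory text."""

SPECIAL = "~!@#$%^&*()-_=+[]{}\\|;:,.<>/?"

# Sets as they stand after the dsconfig command: (minimum count, members).
# The two letter sets are assumed to be the untouched defaults.
CHARACTER_SETS = [
    (1, "abcdefghijklmnopqrstuvwxyz"),
    (1, "ABCDEFGHIJKLMNOPQRSTUVWXYZ"),
    (2, "0123456789"),
    (0, SPECIAL),  # optional: allowed but not required
]
ALLOW_UNCLASSIFIED = False


def check_character_sets(password, sets=CHARACTER_SETS,
                         allow_unclassified=ALLOW_UNCLASSIFIED):
    """Return the list of reasons the password fails; empty means accepted."""
    reasons = []
    classified = set()
    for minimum, chars in sets:
        members = set(chars)
        classified |= members
        count = sum(1 for c in password if c in members)
        if count < minimum:
            reasons.append(f"needs at least {minimum} of '{chars}', found {count}")
    if not allow_unclassified:
        # Any character outside every configured set is rejected outright.
        unclassified = sorted({c for c in password if c not in classified})
        if unclassified:
            reasons.append("unclassified characters: " + "".join(unclassified))
    return reasons


if __name__ == "__main__":
    # "abab1" is the password rejected in the test step above.
    for pw in ["abab1", "abAB12", "abAB12!", "abAB12 "]:
        problems = check_character_sets(pw)
        print(pw, "accepted" if not problems else "rejected: " + "; ".join(problems))
```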

Configuring the Length-Based Password Validator

Steps

  1. To edit the existing default configuration, run the dsconfig tool.

    Example:

    In this example, the required minimum number of characters in a password is set to five.

    $ bin/dsconfig set-password-validator-prop \
      --validator-name "Length-Based Password Validator" \
      --set max-password-length:5 --set min-password-length:5
  2. Update an existing password policy to use the Length-Based Password Validator.

    Example:

    $ bin/dsconfig set-password-policy-prop \
      --policy-name "Default Password Policy" \
      --set "password-validator:Length-Based Password Validator"
  3. Test the Length-Based Password Validator by submitting a password that has fewer than the minimum number of required characters.

    Example:

    $ bin/ldappasswordmodify \
      --authzID "uid=user.0,ou=People,dc=example,dc=com" --newPassword abcd

    Result:

    The LDAP password modify operation failed with result code 53
    Error Message: The provided new password failed the validation checks defined in
    the server: The provided password is shorter than the minimum required length of
    5 characters

Configuring the Pwned Passwords Password Validator

The server is preconfigured with an instance of the Pwned Passwords Password Validator.

About this task

Use the dsconfig tool to configure the Pwned Passwords Password Validator.

Steps

  1. Run the dsconfig tool to update an existing password policy to use the Pwned Passwords Password Validator, replacing [PASSWORD_POLICY_NAME] with the name of your password policy.

    $ bin/dsconfig set-password-policy-prop \
      --policy-name "[PASSWORD_POLICY_NAME]" \
      --add "password-validator:Pwned Passwords"
  2. Test the validator by submitting a password that is known to be compromised; for example, password.

Configuring the Regular Expression Password Validator

About this task

Use the dsconfig tool to configure the Regular Expression Password Validator.

Steps

  1. Use dsconfig to create a regular expression password validator.

    Example:

    The following password validator checks that the password contains at least one number, one lowercase letter, and one uppercase letter with no restrictions on password length. If the password matches the regular expression, then it is accepted. When using the following command, remember to include the LDAP/LDAPS connection parameters (host name and port), bind DN, and bind password.

    $ bin/dsconfig create-password-validator \
      --validator-name "Regular Expression" \
      --type regular-expression --set enabled:true \
      --set "match-pattern:^\\w*(?=\\w*\\d)(?=\\w*[a-z])(?=\\w*[A-Z])\\w*\$" \
      --set match-behavior:require-match
  2. Update an existing password policy to use the regular expression password validator.

    Example:

    $ bin/dsconfig set-password-policy-prop \
      --policy-name "Default Password Policy" \
      --set "password-validator:Regular Expression"
  3. Test the regular expression password validator by submitting a password that meets the requirements.

    To meet the password requirements, make sure your password contains one number, one lowercase letter, and one uppercase letter.

    Example:

    $ bin/ldappasswordmodify \
      --authzID "uid=user.0,ou=People,dc=example,dc=com" --newPassword baaA1

    Result:

    The LDAP password modify operation was successful

  4. Test a password that does not meet the password requirements.

    Example:

    The following password should fail because no uppercase letter is present.

    $ bin/ldappasswordmodify \
      --authzID "uid=user.0,ou=People,dc=example,dc=com" --newPassword baaa1

    Result:

    Error Message: The provided new password failed the validation checks
    defined in the server: The provided password is not acceptable because it does
    not match regular expression pattern '^\w*(?=\w*\d)(?=\w*[a-z])(?=\w*[A-Z])\w*$'

Configuring the Repeated Character Password Validator

You can configure the Repeated Character Password Validator with the dsconfig command. This validator ensures that user passwords don’t contain character fragments, such as strings of repeated characters like "aaaaaa" or "aaabbb."

Steps

  1. To edit the existing default configuration, run the dsconfig tool.

    Choose from:

    • Set the maximum consecutive length of any character.

      For the following example, the maximum consecutive length of any character is set to 3. The validator rejects any passwords with 4 or more consecutive characters, such as "baaaa1" or "4eeeeb", etc.

      $ bin/dsconfig set-password-validator-prop \
        --validator-name "Repeated Characters" \
        --set max-consecutive-length:3
    • Configure the validator to reject any character from a pre-defined character set that appears more than the specified number of times in a row (2 in this example).

      You can specify more than one character set. For example, the following validator defines two characters sets: abc and 123. It rejects any passwords with more than two consecutive characters from a character set, such as "aaa", "bbb", "ccc", "abc", or "123". However, a password, such as "12a3", is acceptable.

      $ bin/dsconfig set-password-validator-prop \
        --validator-name "Repeated Characters" \
        --set character-set:123 --set character-set:abc
  2. Update an existing password policy to use the Repeated Character Password Validator.

    Example:

    $ bin/dsconfig --no-prompt set-password-policy-prop \
      --policy-name "Default Password Policy" \
      --set "password-validator:Repeated Characters"
  3. To test the Repeated Character Validator, submit a password that has more than the maximum allowable length of consecutive characters.

    Example:

    For this example, the faulty password submitted is baaa1.

    $ bin/ldappasswordmodify \
      --authzID "uid=user.0,ou=People,dc=example,dc=com" \
      --newPassword baaa1

    Result:

    The LDAP password modify operation failed with result code 53
    Error Message: The provided new password failed the validation checks defined in the
    server: The provided password contained too many instances of the same character
    appearing consecutively. The maximum number of times the same character may appear
    consecutively in a password is 2
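    The following added example (not PingDirectory code) models both Repeated Character Password Validator modes described in this procedure, so the effect of max-consecutive-length and character-set on the sample passwords can be checked offline. It assumes that characters in the same configured set count as equivalent when measuring a run, that characters in no set only match themselves, and that a run longer than max-consecutive-length is rejected.

```python
"""Model of the Repeated Character Password Validator modes described above.
Added example, not PingDirectory code; the equivalence rules are assumptions
drawn from the explanatory text."""


def _class_of(char, character_sets):
    # Every member of a configured set maps to one class; other characters
    # map to themselves, so they only extend a run of the same character.
    for cs in character_sets:
        if char in cs:
            return ("set", cs)
    return ("char", char)


def longest_run(password, character_sets=()):
    """Length of the longest run of consecutive equivalent characters."""
    best = current = 0
    previous = None
    for c in password:
        cls = _class_of(c, character_sets)
        current = current + 1 if cls == previous else 1
        best = max(best, current)
        previous = cls
    return best


def check_repeated(password, max_consecutive_length, character_sets=()):
    """Return None if accepted, otherwise a message modelled on the server's."""
    run = longest_run(password, character_sets)
    if run > max_consecutive_length:
        return (f"too many consecutive equivalent characters ({run}); "
                f"the maximum is {max_consecutive_length}")
    return None


if __name__ == "__main__":
    # Mode 1: max-consecutive-length:3, no character sets (first bullet above).
    for pw in ["baaaa1", "4eeeeb", "baaa1"]:
        print(pw, check_repeated(pw, 3) or "accepted")
    # Mode 2: character-set:123 and character-set:abc with the limit of 2
    # reported by the error message above (second bullet and test step).
    for pw in ["xabcx", "12a3", "baaa1"]:
        print(pw, check_repeated(pw, 2, ("123", "abc")) or "accepted")
```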

Configuring the Similarity-Based Password Validator

Use the dsconfig tool to configure the Similarity-Based Password Validator.

Steps

  1. To edit the existing default configuration, run the dsconfig tool.

    Example:

    In this example, we set the minimum number of differences to 2.

    $ bin/dsconfig set-password-validator-prop \
      --validator-name "Similarity-Based Password Validator" \
      --set min-password-difference:2
  2. Update an existing password policy to use the Similarity-Based Password Validator.

    The password-change-requires-current-password property must be set to true so that the password policy will ensure that the user’s current password is available when that user is choosing a new password.

    Example:

    $ bin/dsconfig set-password-policy-prop \
      --policy-name "Default Password Policy" \
      --set "password-validator:Similarity-Based Password Validator" \
      --set password-change-requires-current-password:true
  3. Test the Similarity-Based Password Validator by submitting a password that differs from the current password by fewer than the minimum number of changes (2 in this example).

    The ldappasswordmodify command requires the --currentPassword option when testing the Similarity-Based Password Validator.

    Example:

    $ bin/ldappasswordmodify \
      --authzID "uid=user.0,ou=People,dc=example,dc=com" \
      --currentPassword abcde --newPassword abcdd

    Result:

    The LDAP password modify operation failed with result code 49.

Configuring the Unique Characters Password Validator

Use the dsconfig tool to configure, update, and test the Unique Characters Password Validator.

Steps

  1. To edit the existing default configuration, run the dsconfig tool.

    Example:

    In this example, we set the minimum number of unique characters that a password is allowed to contain to 3.

    $ bin/dsconfig set-password-validator-prop \
      --validator-name "Unique Characters" --set min-unique-characters:3
  2. Update an existing password policy to use the Unique Characters Password Validator.

    Example:

    $ bin/dsconfig set-password-policy-prop \
      --policy-name "Default Password Policy" \
      --set "password-validator:Unique Characters"
  3. Test the Unique Characters Password Validator by submitting a password that has fewer than the minimum number of unique characters (3 in this example).

    Example:

    $ bin/ldappasswordmodify \
      --authzID "uid=user.0,ou=People,dc=example,dc=com" \
      --newPassword aaaaa

    Result:

    The LDAP password modify operation failed with result code 53
    Error Message: The provided new password failed the validation checks defined in the
    server: The provided password does not contain enough unique characters. The minimum
    number of unique characters that may appear in a user password is 3