PingDirectory

Configuring the Similarity-Based Password Validator

Use the dsconfig tool to configure the Similarity-Based Password Validator.

Steps

  1. To edit the existing default configuration, run the dsconfig tool.

    Example:

    In this example, we set the minimum number of differences to 2.

    $ bin/dsconfig set-password-validator-prop \
      --validator-name "Similarity-Based Password Validator" \
      --set min-password-difference:2

  2. Update an existing password policy to use the Similarity-Based Password Validator.

    The password-change-requires-current-password property must be set to true so that the password policy ensures that the user’s current password is available when that user chooses a new password.

    Example:

    $ bin/dsconfig set-password-policy-prop \
      --policy-name "Default Password Policy" \
      --set "password-validator:Similarity-Based Password Validator" \
      --set password-change-requires-current-password:true

  3. Test the Similarity-Based Password Validator by submitting a new password that differs from the current password by fewer than the configured minimum number of changes, which is 2 in this example.

    The ldappasswordmodify command requires the --currentPassword option when testing the Similarity-Based Password Validator.

    Example:

    $ bin/ldappasswordmodify \
      --authzID "uid=user.0,ou=People,dc=example,dc=com" \
      --currentPassword abcde --newPassword abcdd

    Result:

    The LDAP password modify operation failed with result code 49.
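
The following sketch is an added example, not PingDirectory code. It models the check that step 3 exercises, assuming the validator measures "difference" as Levenshtein edit distance (single-character inserts, deletes and substitutions). The function names and the candidate passwords other than abcde and abcdd are constructed for illustration.

```python
# Added illustration; not taken from PingDirectory.
# Assumption: password difference is Levenshtein edit distance.

def edit_distance(a: str, b: str) -> int:
    """Minimum number of single-character edits that turn a into b."""
    prev = list(range(len(b) + 1))          # distance from "" to each prefix of b
    for i, ca in enumerate(a, start=1):
        curr = [i]                          # distance from a[:i] to ""
        for j, cb in enumerate(b, start=1):
            curr.append(min(
                prev[j] + 1,                # delete ca
                curr[j - 1] + 1,            # insert cb
                prev[j - 1] + (ca != cb),   # substitute, or free match
            ))
        prev = curr
    return prev[-1]


def is_acceptable(current: str, new: str, min_password_difference: int) -> bool:
    """True when the new password differs enough from the current one."""
    return edit_distance(current, new) >= min_password_difference


def audit(current: str, candidates: list[str], min_password_difference: int):
    """Return (candidate, distance, accepted) for each candidate password."""
    return [
        (c, edit_distance(current, c), is_acceptable(current, c, min_password_difference))
        for c in candidates
    ]


if __name__ == "__main__":
    # Constructed sample input: the page's abcde -> abcdd case plus
    # common "minimal change" habits (append a character, no change).
    current = "abcde"
    candidates = ["abcdd", "abcdef", "abcde", "abXYe", "Abcde1"]
    for cand, dist, ok in audit(current, candidates, min_password_difference=2):
        print(f"{cand:8} distance={dist} {'accept' if ok else 'reject'}")
```

With min-password-difference set to 2, the abcde to abcdd change from step 3 has a distance of 1 and is rejected, as is appending a single character.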