Configuring the Similarity-Based Password Validator
Use the dsconfig tool to configure the Similarity-Based Password Validator.
Steps

- To edit the existing default configuration, run the dsconfig tool.

  Example: In this example, we set the minimum number of differences to 2.

    $ bin/dsconfig set-password-validator-prop \
      --validator-name "Similarity-Based Password Validator" \
      --set min-password-difference:2
- Update an existing password policy to use the Similarity-Based Password Validator.

  The password-change-requires-current-password property must be set to true so that the password policy will ensure that the user's current password is available when that user is choosing a new password.

  Example:

    $ bin/dsconfig set-password-policy-prop \
      --policy-name "Default Password Policy" \
      --set "password-validator:Similarity-Based Password Validator" \
      --set password-change-requires-current-password:true
- Test the Similarity-Based Password Validator by submitting a password that has fewer than the minimum number of changes, such as 2.

  The ldappasswordmodify command requires the --currentPassword option when testing the Similarity-Based Password Validator.

  Example:

    $ bin/ldappasswordmodify \
      --authzID "uid=user.0,ou=People,dc=example,dc=com" \
      --currentPassword abcde --newPassword abcdd

  Result:

    The LDAP password modify operation failed with result code 49.
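The following is an added illustration, not code from the directory server or its documentation, of the check the steps above configure: it models a similarity validator with a configurable min-password-difference and reproduces the test case (current password abcde, new password abcdd, minimum 2 changes). It assumes, as a simplification of the server's internals, that "differences" are counted as the Levenshtein edit distance (insertions, deletions and substitutions) between the two passwords; the function names validate_new_password and edit_distance are this example's own.

```python
from typing import Optional, Tuple

# Added example (not the server's own code). Assumption: the number of
# "differences" between the current and the new password is the Levenshtein
# edit distance between them.


def edit_distance(a: str, b: str) -> int:
    """Minimum number of single-character insertions, deletions or
    substitutions needed to turn a into b (Levenshtein distance)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(
                prev[j] + 1,                # delete ca
                cur[j - 1] + 1,             # insert cb
                prev[j - 1] + (ca != cb),   # substitute ca with cb (free if equal)
            ))
        prev = cur
    return prev[-1]


def validate_new_password(current: Optional[str], new: str,
                          min_password_difference: int) -> Tuple[bool, str]:
    """Return (accepted, reason).

    `current` is None when the server does not know the user's current
    password, which is the situation password-change-requires-current-password
    set to true is meant to rule out. This model fails closed in that case;
    that is this example's choice, not a statement about the server's behaviour.
    """
    if current is None:
        return False, "current password not available; similarity cannot be checked"
    distance = edit_distance(current, new)
    if distance < min_password_difference:
        return False, (f"new password differs by only {distance} change(s); "
                       f"at least {min_password_difference} required")
    return True, f"new password differs by {distance} change(s)"


if __name__ == "__main__":
    # The page's test case: one substitution (e -> d) with a minimum of 2 is rejected.
    print(validate_new_password("abcde", "abcdd", 2))
    # A candidate that changes three characters is accepted.
    print(validate_new_password("abcde", "abxyz", 2))
```

Because a single substitution at the end of abcde gives a distance of 1, the model rejects abcdd under a minimum of 2, matching the failed modify in the test step; raising min-password-difference simply raises the distance threshold.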