Use the dsconfig tool to configure the Regular Expression Password Validator.

  1. Use dsconfig to create a regular expression password validator.

    The following password validator checks that the password contains at least one number, one lowercase letter, and one uppercase letter with no restrictions on password length. If the password matches the regular expression, then it is accepted. When using the following command, remember to include the LDAP/LDAPS connection parameters (host name and port), bind DN, and bind password.

    $ bin/dsconfig create-password-validator \ 
      --validator-name "Regular Expression" \ 
      --type regular-expression --set enabled:true \ 
      --set "match-pattern:^\\w*(?=\\w*\\d)(?=\\w*[a-z])(?=\\w*[A-Z])\\w*\$" \ 
      --set match-behavior:require-match
  2. Update an existing password policy to use the regular expression password validator.
    $ bin/dsconfig set-password-policy-prop \ 
      --policy-name "Default Password Policy" \
      --set "password-validator:Regular Expression"
  3. Test the regular expression password validator by submitting a password that meets the requirements.

    To meet the password requirements, make sure your password contains one number, one lowercase letter, and one uppercase letter.

    $ bin/ldappasswordmodify \ 
      --authzID "uid=user.0,ou=People,dc=example,dc=com" --newPassword baaA1
    The LDAP password modify operation was successful
  4. Test a password that does not meet the password requirements.

    The following password should fail because no uppercase letter is present.

    $ bin/ldappasswordmodify \ 
      --authzID "uid=user.0,ou=People,dc=example,dc=com" --newPassword baaa1
    Error Message: The provided new password failed the validation checks 
    defined in the server: The provided password is not acceptable because it does 
    not match regular expression pattern '^\w*(?=\w*\d)(?=\w*[a-z])(?=\w*[A-Z])\w*$'