The requirements that the server will impose for a password change can be displayed to users. The get password quality requirements extended operation can be used to retrieve information about the requirements, which can then be sent to an end user before an attempted password change. These requirements can also be used to enable client-side validation, so that any password problems can be identified before it is sent to the server. The password validation details request control can be included in an add or modify request, or a password modify extended request, to identify which validation requirements were not met by the password provided in the request.

Password validators can be configured with user-friendly messages that describe the password requirements, and the messages that should be returned if a proposed password does not satisfy those requirements. The server will generate these messages if they are not provided in the configuration.

Password validator properties include validator-requirement-description and validator-failure message. The following is a simple password validator configuration that requires passwords to contain a minimum of five characters, and lists custom validator messages:
$ dsconfig create-password-validator \
  --validator-name "Minimum 5 Characters Password Validator" \
  --type length-based --set enabled:true \
  --set "validator-requirement-description:The password must contain
         at least 5 characters." \
  --set "validator-failure-message:The password did not contain
         at least 5 characters." \
  --set min-password-length:5
After the password validator is created, it should be assigned to a Password Policy to take affect:
$ dsconfig set-password-policy-prop \
  --policy-name "Default Password Policy" \
  --set "password-validator:Minimum 5 Characters Password Validator"
When a user authenticates, password validation processing is performed so that the server has access to the user's clear-text password. Password properties include the following:
  • bind-password-validator - Specifies which validators to invoke on bind.
  • password-validator - Specifies which validators to invoke during a password change.
  • minimum-bind-password-validation-frequency — Specifies how frequently the server should validate a user's password during bind. Although you can specify that the password should be validated during each bind, it is probably sufficient to only do so periodically (for example, once a week or once a month).
  • bind-password-validation-failure-action — Specifies the action the server should take if a user's password fails validation. By default, the account will be placed in a "must change password" state where the user is allowed to bind but any other operations the user attempts will fail until the user changes their password. Alternatively, the account can be locked so that the password needs to be reset by an administrator, or the server can generate an account status notification to recommend that the user choose a new password.