Use the dsconfig tool to configure the Similarity-Based Password Validator.
- To edit the existing default configuration, run the dsconfig tool.
  In this example, we set the minimum number of differences to 2.
  $ bin/dsconfig set-password-validator-prop \
      --validator-name "Similarity-Based Password Validator" \
      --set min-password-difference:2
- Update an existing password policy to use the Similarity-Based Password Validator.
  Note:
  The password-change-requires-current-password property must be set to true so that the password policy ensures that the user’s current password is available when that user is choosing a new password.
  $ bin/dsconfig set-password-policy-prop \
      --policy-name "Default Password Policy" \
      --set "password-validator:Similarity-Based Password Validator" \
      --set password-change-requires-current-password:true
- Test the Similarity-Based Password Validator by submitting a password that has fewer than the minimum number of changes, such as 2.
  Note:
  The ldappasswordmodify command requires the --currentPassword option when testing the Similarity-Based Password Validator.
  $ bin/ldappasswordmodify \
      --authzID "uid=user.0,ou=People,dc=example,dc=com" \
      --currentPassword abcde --newPassword abcdd
The LDAP password modify operation failed with result code 49.
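Added example, not from the product documentation: a Python sketch for predicting which test passwords the validator should reject before you run ldappasswordmodify. It assumes differences are counted as Levenshtein edit distance (insertions, deletions, replacements) and that a change is accepted when the distance is at least min-password-difference; the function names and every sample pair other than abcde/abcdd are constructed for illustration.

```python
def edit_distance(old: str, new: str) -> int:
    """Levenshtein distance: minimum inserts, deletes and replacements."""
    prev = list(range(len(new) + 1))          # distance from "" to new[:j]
    for i, old_ch in enumerate(old, start=1):
        curr = [i]                            # distance from old[:i] to ""
        for j, new_ch in enumerate(new, start=1):
            cost = 0 if old_ch == new_ch else 1
            curr.append(min(prev[j] + 1,          # delete old_ch
                            curr[j - 1] + 1,      # insert new_ch
                            prev[j - 1] + cost))  # replace or keep
        prev = curr
    return prev[-1]


def passes_similarity_check(current: str, proposed: str,
                            min_password_difference: int = 2) -> bool:
    """Assumed rule: accept only if distance >= min-password-difference."""
    return edit_distance(current, proposed) >= min_password_difference


def audit(pairs, min_password_difference=2):
    """Return (current, proposed, distance, accepted) for each test pair."""
    return [(cur, new, edit_distance(cur, new),
             passes_similarity_check(cur, new, min_password_difference))
            for cur, new in pairs]


# Constructed test pairs; the first one is the pair used in the step above.
SAMPLES = [
    ("abcde", "abcdd"),              # one replacement
    ("abcde", "abcdef"),             # one appended character
    ("abcde", "abcxy"),              # two replacements
    ("Summer2023!", "Summer2024!"),  # typical "bump the year" rotation
    ("Summer2023!", "Winter2024!"),  # season and year changed
]

if __name__ == "__main__":
    for cur, new, dist, ok in audit(SAMPLES):
        verdict = "accept" if ok else "reject"
        print(f"{cur!r} -> {new!r}: distance={dist} {verdict}")
```

With min-password-difference set to 2, single-character rotations such as incrementing a trailing digit fall below the threshold, which is the case the test step above exercises.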