A new password is valid if it:
- Meets the server's password requirements
- Is assigned a password policy
- Passes user authentication
The server can display requirements for a password change to users. You can use the get-password-quality-requirements extended operation to retrieve information about the requirements, which you can forward to an end user before an attempted password change. You can also use these requirements to enable client-side validation so that any password problems can be identified before the password is sent to the server. The password validation details request control can be included in an add or modify request, or a password modify extended request, to identify which validation requirements were not met by the password provided in the request.
You can configure password validators with user-friendly messages that describe the password requirements, and error messages that display if a proposed password does not satisfy those requirements. The server will automatically generate these messages if they are not provided in the configuration.
Password properties include the following:
bind-password-validator
- Specifies which validators to invoke on bind.
password-validator
- Specifies which validators to invoke during a password change.
minimum-bind-password-validation-frequency
- Specifies how frequently the server should validate a user's password during bind. Although you can specify that the password should be validated during each bind, it's probably sufficient to only do so periodically (for example, once a week or once a month).
bind-password-validation-failure-action
- Specifies the action the server should take if a user's password fails validation. By default, the account is placed in a "must change password" state where the user is allowed to bind, but any other operations the user attempts fail until the user changes their password. Alternatively, the account can be locked so that the password needs to be reset by an administrator, or the server can generate an account status notification to recommend that the user choose a new password.
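
The following sketch models how the bind-time properties above interact. It is an added illustration, not the server's implementation or code from the product. The class names, function names and the three action labels are constructed for the example, and it assumes that a bind which triggers an account lock is itself refused.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Optional

# Constructed labels for the three failure actions described above
# (not the server's configuration values).
MUST_CHANGE, LOCK, NOTIFY = "must-change", "lock", "notify"

@dataclass
class Account:
    password: str  # model only; a real server stores an encoded password
    last_validated: Optional[datetime] = None
    must_change: bool = False
    locked: bool = False
    notified: bool = False

@dataclass
class Policy:
    bind_validators: List[Callable[[str], bool]]
    min_frequency: timedelta
    failure_action: str = MUST_CHANGE

def bind(acct: Account, policy: Policy, password: str, now: datetime) -> bool:
    """Authenticate, then run bind validators if the interval has elapsed."""
    if acct.locked or password != acct.password:
        return False
    due = (acct.last_validated is None
           or now - acct.last_validated >= policy.min_frequency)
    if not due:
        return True
    acct.last_validated = now
    if all(check(password) for check in policy.bind_validators):
        return True
    if policy.failure_action == LOCK:
        acct.locked = True       # assumption: the triggering bind is refused
        return False
    if policy.failure_action == MUST_CHANGE:
        acct.must_change = True  # bind succeeds, other operations fail
    else:
        acct.notified = True     # advisory only, nothing is blocked
    return True

def operation_allowed(acct: Account, is_password_change: bool) -> bool:
    """In the must-change state only a password change is permitted."""
    return not acct.locked and (is_password_change or not acct.must_change)

def change_password(acct: Account, new_password: str, now: datetime) -> None:
    """Assumes new_password already passed the password-validator set."""
    acct.password, acct.must_change, acct.last_validated = new_password, False, now
```

A longer validation interval means a password that no longer meets the bind validators can keep working until the next validation is due, which is the trade-off to weigh when choosing the frequency.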