Dictionary Password Validator

The Dictionary Password Validator determines whether a proposed password is acceptable based on whether the given password value appears in a provided dictionary file.

A large dictionary file is provided with the server, but the administrator can supply an alternate dictionary. In this case, then the dictionary must be a plain-text file with one word per line.

Parent Component Properties dsconfig Usage

Parent Component

The Dictionary Password Validator component inherits from the Password Validator

Properties

The properties supported by this managed object are as follows:


Basic Properties: Advanced Properties:
 description  None
 enabled
 validator-requirement-description
 validator-failure-message
 dictionary-file
 case-sensitive-validation
 test-reversed-password
 ignore-leading-non-alphabetic-characters
 ignore-trailing-non-alphabetic-characters
 strip-diacritical-marks
 alternative-password-character-mapping
 maximum-allowed-percent-of-password

Basic Properties

description

Description
A description for this Password Validator
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

enabled

Description
Indicates whether the password validator is enabled for use.
Default Value
None
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

validator-requirement-description

Description
Specifies a message that can be used to describe the requirements imposed by this password validator to end users. If a value is provided for this property, then it will override any description that may have otherwise been generated by the validator.
Default Value
The requirement description will be automatically generated by the password validator.
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

validator-failure-message

Description
Specifies a message that may be provided to the end user in the event that a proposed password is rejected by this validator. If a value is provided for this property, then it will override any failure message that may have otherwise been generated by the validator.
Default Value
The requirement description will be automatically generated by the password validator.
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

dictionary-file

Description
Specifies the path to the file containing a list of words that cannot be used as passwords. It should be formatted with one word per line. The value can be an absolute path or a path that is relative to the Directory Server instance root.
Default Value
For Unix and Linux systems: config/wordlist.txt. For Windows systems: config\wordlist.txt
Allowed Values
A filesystem path
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

case-sensitive-validation

Description
Indicates whether this password validator is to treat password characters in a case-sensitive manner. If it is set to true, then the validator rejects a password only if it appears in the dictionary with exactly the same capitalization as provided by the user.
Default Value
false
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

test-reversed-password

Description
Indicates whether this password validator is to test the reversed value of the provided password as well as the order in which it was given. For example, if the user provides a new password of "password" and this configuration attribute is set to true, then the value "drowssap" is also tested against attribute values in the user's entry.
Default Value
true
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

ignore-leading-non-alphabetic-characters

Description
Indicates whether to ignore any digits, symbols, or other non-alphabetic characters that may appear at the beginning of a proposed password. For example, if this property is set to true, then a proposed password of "1234password" will be treated as if it were just "password".
Default Value
false
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

ignore-trailing-non-alphabetic-characters

Description
Indicates whether to ignore any digits, symbols, or other non-alphabetic characters that may appear at the end of a proposed password. For example, if this property is set to true, then a proposed password of "password1234" will be treated as if it were just "password".
Default Value
false
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

strip-diacritical-marks

Description
Indicates whether to strip characters of any diacritical marks (like accents, cedillas, circumflexes, diaereses, tildes, and umlauts) they may contain. Any characters with a diacritical mark would be replaced with a base version If this property is set to true, then any character with a diacritical mark will be replaced with the base version of that character without the mark. For example, a lowercase letter n with a tilde over it would be replaced with just a lowercase letter n.
Default Value
false
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

alternative-password-character-mapping

Description
Provides a set of character substitutions that can be applied to the proposed password when checking to see if it is in the provided dictionary. Each mapping should consist of a single character followed by a colon and a list of the alternative characters that may be used in place of that character. For example, a value of "1:il" indicates that if the proposed character contains the digit "1", then that digit may be replaced with either "i" or "l". As such, if a client requests to use "p1ng" as a password, the server will actually check to see if the dictionary contains any of "p1ng", "ping", or "plng".

This property may be provided to define multiple mappings. The same character may appear on the right side of multiple mappings. For example, you can define both "5:s" and "$:s" to indicate that the letter s may be substituted for both the number 5 and the dollar sign, so the string "pa$5word" would be rejected if the dictionary contains the word "password".

Suggested mappings include:

  • 0:o
  • 1:il
  • 2:z
  • 3:be
  • 4:ah
  • 5:s
  • 6:g
  • 7:lt
  • 8:b
  • 9:g
  • @:a
  • (:c
  • ):d
  • <:ck
  • >:d
  • !:il
  • $:s
  • |:il

Default Value
None
Allowed Values
A mapping from a single character to a set of alternative characters that may be substituted for that character when checking to see if the proposed password is contained in the dictionary. The character to substitute must be separated from its alternatives by a colon.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

maximum-allowed-percent-of-password

Description
The maximum allowed percent of a proposed password that any single dictionary word is allowed to comprise. A value of 100 indicates that a proposed password will only be rejected if the dictionary contains the entire proposed password (after any configured transformations have been applied). For example, if this is set to 50, then a proposed password will be rejected if the provided dictionary contains any word that makes up more than 50 percent of that password. So if the dictionary contains the word "banned", then a proposed password of "bannedana" would be rejected because the word "banned" makes up approximately 67% of the proposed password, which is more than 50%.

Note that this will apply to the proposed password after any of the configured transformations have been applied. For example, if both ignore-leading-non-alphabetic-characters and ignore-trailing-non-alphabetic-characters are both true, then they would be stripped off before making the determination. So in that case with the conditions listed in the previous paragraph, "1234bannedana5678" would still be rejected because even though the word "banned" is only about 35% of the complete provided password, the leading "1234" and trailing "5678" would be stripped off to leave just "bannedana", and "banned" makes up about 67% of that password.

Default Value
100
Allowed Values
An integer value. Lower limit is 1. Upper limit is 100 .
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action


dsconfig Usage

To list the configured Password Validators:

dsconfig list-password-validators
     [--property {propertyName}] ...

To view the configuration for an existing Password Validator:

dsconfig get-password-validator-prop
     --validator-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Password Validator:

dsconfig set-password-validator-prop
     --validator-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new Dictionary Password Validator:

dsconfig create-password-validator
     --validator-name {name}
     --type dictionary
     --set enabled:{propertyValue}
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Password Validator:

dsconfig delete-password-validator
     --validator-name {name}