The Dictionary Password Validator determines whether a proposed password is acceptable based on whether the given password value appears in a provided dictionary file.
A large dictionary file is provided with the server, but the administrator can supply an alternate dictionary. In that case, the dictionary must be a plain-text file with one word per line.
The Dictionary Password Validator component inherits from the Password Validator.
The properties supported by this managed object are as follows:
Description | A description for this Password Validator |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
Description | Indicates whether the password validator is enabled for use. |
Default Value | None |
Allowed Values | true false |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
validator-requirement-description
Description | Specifies a message that can be used to describe the requirements imposed by this password validator to end users. If a value is provided for this property, then it will override any description that may have otherwise been generated by the validator. |
Default Value | The requirement description will be automatically generated by the password validator. |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
Description | Specifies a message that may be provided to the end user in the event that a proposed password is rejected by this validator. If a value is provided for this property, then it will override any failure message that may have otherwise been generated by the validator. |
Default Value | The requirement description will be automatically generated by the password validator. |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
Description | Specifies the path to the file containing a list of words that cannot be used as passwords. It should be formatted with one word per line. The value can be an absolute path or a path that is relative to the Directory Server instance root. |
Default Value | For Unix and Linux systems: config/wordlist.txt. For Windows systems: config\wordlist.txt |
Allowed Values | A filesystem path |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
Description | Indicates whether this password validator is to treat password characters in a case-sensitive manner. If it is set to true, then the validator rejects a password only if it appears in the dictionary with exactly the same capitalization as provided by the user. |
Default Value | false |
Allowed Values | true false |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
Description | Indicates whether this password validator is to test the reversed value of the provided password as well as the order in which it was given. For example, if the user provides a new password of "password" and this configuration attribute is set to true, then the value "drowssap" is also tested against attribute values in the user's entry. |
Default Value | true |
Allowed Values | true false |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
ignore-leading-non-alphabetic-characters
Description | Indicates whether to ignore any digits, symbols, or other non-alphabetic characters that may appear at the beginning of a proposed password. For example, if this property is set to true, then a proposed password of "1234password" will be treated as if it were just "password". |
Default Value | false |
Allowed Values | true false |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
ignore-trailing-non-alphabetic-characters
Description | Indicates whether to ignore any digits, symbols, or other non-alphabetic characters that may appear at the end of a proposed password. For example, if this property is set to true, then a proposed password of "password1234" will be treated as if it were just "password". |
Default Value | false |
Allowed Values | true false |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
Description | Indicates whether to strip characters of any diacritical marks (like accents, cedillas, circumflexes, diaereses, tildes, and umlauts) they may contain. If this property is set to true, then any character with a diacritical mark will be replaced with the base version of that character without the mark. For example, a lowercase letter n with a tilde over it would be replaced with just a lowercase letter n. |
Default Value | false |
Allowed Values | true false |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
alternative-password-character-mapping
Description | Provides a set of character substitutions that can be applied to the proposed password when checking to see if it is in the provided dictionary. Each mapping should consist of a single character followed by a colon and a list of the alternative characters that may be used in place of that character. For example, a value of "1:il" indicates that if the proposed password contains the digit "1", then that digit may be replaced with either "i" or "l". As such, if a client requests to use "p1ng" as a password, the server will actually check to see if the dictionary contains any of "p1ng", "ping", or "plng". This property may be provided multiple times to define multiple mappings. The same character may appear on the right side of multiple mappings. For example, you can define both "5:s" and "$:s" to indicate that the letter s may be substituted for both the number 5 and the dollar sign, so the string "pa$5word" would be rejected if the dictionary contains the word "password". Suggested mappings include:
|
Default Value | None |
Allowed Values | A mapping from a single character to a set of alternative characters that may be substituted for that character when checking to see if the proposed password is contained in the dictionary. The character to substitute must be separated from its alternatives by a colon. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
maximum-allowed-percent-of-password
Description | The maximum allowed percent of a proposed password that any single dictionary word is allowed to comprise. A value of 100 indicates that a proposed password will only be rejected if the dictionary contains the entire proposed password (after any configured transformations have been applied). For example, if this is set to 50, then a proposed password will be rejected if the provided dictionary contains any word that makes up more than 50 percent of that password. So if the dictionary contains the word "banned", then a proposed password of "bannedana" would be rejected because the word "banned" makes up approximately 67% of the proposed password, which is more than 50%. Note that this will apply to the proposed password after any of the configured transformations have been applied. For example, if ignore-leading-non-alphabetic-characters and ignore-trailing-non-alphabetic-characters are both true, then those characters would be stripped off before making the determination. So in that case, with the conditions described above, "1234bannedana5678" would still be rejected because even though the word "banned" is only about 35% of the complete provided password, the leading "1234" and trailing "5678" would be stripped off to leave just "bannedana", and "banned" makes up about 67% of that password. |
Default Value | 100 |
Allowed Values | An integer value. Lower limit is 1. Upper limit is 100. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
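The following Python model is an added example, not the server's own code. It shows how the character mappings and the percent threshold described above combine with stripping, reversal, and case folding. The function names, the order in which transformations are applied, and the rule that a whole-password match always rejects are assumptions made for illustration.

```python
import itertools
import unicodedata

def strip_diacritics(text):
    # Decompose, then drop combining marks: "ñ" becomes "n".
    decomposed = unicodedata.normalize("NFD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def substitutions(password, mappings):
    # "1:il" means a "1" in the password may stand for "i" or "l".
    # The candidate set grows multiplicatively with each mapped character.
    alts = {}
    for mapping in mappings:
        char, _, alternatives = mapping.partition(":")
        alts.setdefault(char, set()).update(alternatives)
    choices = [sorted({c} | alts.get(c, set())) for c in password]
    return {"".join(combo) for combo in itertools.product(*choices)}

def rejecting_word(password, dictionary, *, mappings=(), max_percent=100,
                   ignore_leading=False, ignore_trailing=False,
                   strip_marks=False, test_reversed=True,
                   case_sensitive=False):
    """Return the dictionary word that causes rejection, or None."""
    words = set(dictionary)
    if strip_marks:
        password = strip_diacritics(password)
    if not case_sensitive:
        password = password.lower()
        words = {w.lower() for w in words}
    start, end = 0, len(password)
    while ignore_leading and start < end and not password[start].isalpha():
        start += 1
    while ignore_trailing and end > start and not password[end - 1].isalpha():
        end -= 1
    forms = substitutions(password[start:end], mappings)
    if test_reversed:
        forms |= {form[::-1] for form in forms}
    for form in sorted(forms):
        for word in sorted(words):
            # Whole-password match always rejects; a partial match rejects
            # only when the word exceeds max_percent of the password.
            if word and (word == form or (word in form and
                    len(word) * 100 > max_percent * len(form))):
                return word
    return None

# Constructed three-word dictionary standing in for the real word list.
SAMPLE_WORDS = ["password", "ping", "banned"]
```

Because every mapped character multiplies the number of candidate strings, a long list of mappings makes each check more expensive on long passwords.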
To list the configured Password Validators:
dsconfig list-password-validators [--property {propertyName}] ...
To view the configuration for an existing Password Validator:
dsconfig get-password-validator-prop --validator-name {name} [--tab-delimited] [--script-friendly] [--property {propertyName}] ...
To update the configuration for an existing Password Validator:
dsconfig set-password-validator-prop --validator-name {name} (--set|--add|--remove) {propertyName}:{propertyValue} [(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new Dictionary Password Validator:
dsconfig create-password-validator --validator-name {name} --type dictionary --set enabled:{propertyValue} [--set {propertyName}:{propertyValue}] ...
To delete an existing Password Validator:
dsconfig delete-password-validator --validator-name {name}