This topic has 4 replies, 2 voices, and was last updated 5 years, 5 months ago by Mark Craig.
January 17, 2017 at 3:37 pm #15381
sixart (Participant)
Hi,
I enabled this password validator with “ds-cfg-min-password-difference: 3”; how do I check whether it works?
Regards,
Dario

January 17, 2017 at 3:47 pm #15382
Mark Craig (Participant)
Hi,
In the documentation for the Similarity Based Password Validator, https://backstage.forgerock.com/static/docs/opendj/3.5/configref/similarity-based-password-validator.html, there’s a description of how it works, and how you need to change the password policy configuration when you use it:

It uses the Levenshtein Distance algorithm to determine the minimum number of changes (where a change may be inserting, deleting, or replacing a character) to transform one string into the other. It can be used to prevent users from making only minor changes to their current password when setting a new password. Note that for this password validator to be effective, it is necessary to have access to the user’s current password. Therefore, if this password validator is to be enabled, the password-change-requires-current-password attribute in the password policy configuration must also be set to true.
January 18, 2017 at 2:44 pm #15405
sixart (Participant)
Hi Mark,
Thanks for the reply.
I set password-change-requires-current-password to true. To update a password with this configuration, what kind of operation should I do on the client side?
Regards,
Dario

January 31, 2017 at 3:36 pm #15624
sixart (Participant)
How do I test whether this configuration works?
Regards,
Dario

January 31, 2017 at 4:12 pm #15625
Mark Craig (Participant)
For example, update the Default Password Policy to use the default configuration of the Similarity-Based Password Validator. The default setting for min-password-difference is 3. Then try some examples.

Confirm the initial password:

# Babs Jensen's first password is hifalutin:
$ ldapsearch -D uid=bjensen,ou=people,dc=example,dc=com -w hifalutin -p 1389 -b dc=example,dc=com uid=bjensen userPassword
dn: uid=bjensen,ou=People,dc=example,dc=com
userPassword: {SSHA}Ow5mYXV6uvB29dQJnQV3VSP/bAMEnERgHMZ3Kw==

Check that a password modify with a very similar password fails:

$ ldappasswordmodify -p 1389 --authzID dn:uid=bjensen,ou=people,dc=example,dc=com --currentPassword hifalutin --newPassword hifailutin
The LDAP password modify operation failed: 19 (Constraint Violation)
Additional Information: The provided new password failed the validation checks defined in the server: The provided password differs less than the minimum required difference of 3 characters

Try again with a password that differs by at least 3 characters:

$ ldappasswordmodify -p 1389 --authzID dn:uid=bjensen,ou=people,dc=example,dc=com --currentPassword hifalutin --newPassword hifalutin123
The LDAP password modify operation was successful
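To predict which password changes the validator will reject before running ldappasswordmodify, here is an added Python re-implementation of the check Mark describes (Levenshtein distance compared against min-password-difference, assumed to be the default of 3); it is not code from the thread or from OpenDJ, and the helper names are my own.

```python
"""Added example (not from the thread or from OpenDJ): a local re-implementation
of the Similarity-Based Password Validator's check, run against the two password
changes tried in the thread. Assumes min-password-difference = 3 (OpenDJ default).
"""

MIN_PASSWORD_DIFFERENCE = 3  # ds-cfg-min-password-difference, as set in the thread


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character inserts, deletes or replacements
    needed to turn string a into string b (classic two-row dynamic programming)."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))  # distance from a[:0] to each prefix of b
    for i, ca in enumerate(a, start=1):
        cur = [i]  # distance from a[:i] to the empty prefix of b
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,          # delete ca
                           cur[j - 1] + 1,       # insert cb
                           prev[j - 1] + cost))  # replace ca with cb (or keep it)
        prev = cur
    return prev[-1]


def passes_similarity_check(current: str, new: str,
                            min_difference: int = MIN_PASSWORD_DIFFERENCE) -> bool:
    """True when the new password is at least min_difference edits away from the
    current one, i.e. when the validator would accept the change."""
    return levenshtein(current, new) >= min_difference


if __name__ == "__main__":
    # The two attempts from the thread: hifailutin is one insert away (rejected),
    # hifalutin123 is three inserts away (accepted).
    for candidate in ("hifailutin", "hifalutin123"):
        distance = levenshtein("hifalutin", candidate)
        verdict = "accepted" if passes_similarity_check("hifalutin", candidate) else "rejected"
        print(f"hifalutin -> {candidate}: distance {distance}, {verdict}")
```

Note that this check only has the user's current password to compare against because password-change-requires-current-password is true; a password reset performed by an administrator supplies no current password, so the validator has nothing to compare.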