<?xml version="1.0" encoding="UTF-8"?>
|
<!--
|
! CDDL HEADER START
|
!
|
! The contents of this file are subject to the terms of the
|
! Common Development and Distribution License, Version 1.0 only
|
! (the "License"). You may not use this file except in compliance
|
! with the License.
|
!
|
! You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
|
! or http://forgerock.org/license/CDDLv1.0.html.
|
! See the License for the specific language governing permissions
|
! and limitations under the License.
|
!
|
! When distributing Covered Code, include this CDDL HEADER in each
|
! file and include the License file at legal-notices/CDDLv1_0.txt.
|
! If applicable, add the following below this CDDL HEADER, with the
|
! fields enclosed by brackets "[]" replaced with your own identifying
|
! information:
|
! Portions Copyright [yyyy] [name of copyright owner]
|
!
|
! CDDL HEADER END
|
!
|
!
|
! Copyright 2007-2008 Sun Microsystems, Inc.
|
! Portions Copyright 2011-2012 ForgeRock AS
|
! -->
|
<adm:managed-object name="character-set-password-validator"
|
plural-name="character-set-password-validators"
|
package="org.opends.server.admin.std" extends="password-validator"
|
xmlns:adm="http://www.opends.org/admin"
|
xmlns:ldap="http://www.opends.org/admin-ldap">
|
<adm:synopsis>
|
The
|
<adm:user-friendly-name />
|
determines whether a proposed password is acceptable by
|
checking whether it contains a sufficient number of characters
|
from one or more user-defined character sets and ranges.
|
</adm:synopsis>
|
<adm:description>
|
For example,
|
the validator can ensure that passwords must
|
have at least one lowercase letter, one uppercase letter, one digit,
|
and one symbol.
|
</adm:description>
|
<adm:constraint>
|
<adm:synopsis>
|
The <adm:user-friendly-name/> must have at least one character set
|
or range specified.
|
</adm:synopsis>
|
<adm:condition>
|
<adm:or>
|
<adm:is-present property="character-set" />
|
<adm:is-present property="character-set-ranges" />
|
</adm:or>
|
</adm:condition>
|
</adm:constraint>
|
<adm:profile name="ldap">
|
<ldap:object-class>
|
<ldap:name>ds-cfg-character-set-password-validator</ldap:name>
|
<ldap:superior>ds-cfg-password-validator</ldap:superior>
|
</ldap:object-class>
|
</adm:profile>
|
<adm:property-override name="java-class" advanced="true">
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>
|
org.opends.server.extensions.CharacterSetPasswordValidator
|
</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
</adm:property-override>
|
<adm:property name="character-set" mandatory="false"
|
multi-valued="true">
|
<adm:synopsis>
|
Specifies a character set containing characters that a password
|
may contain and a value indicating the minimum number of
|
characters required from that set.
|
</adm:synopsis>
|
<adm:description>
|
Each value must be an integer (indicating the minimum required
|
characters from the set which may be zero, indicating that the
|
character set is optional) followed by a colon and the characters to
|
include in that set (for example, "3:abcdefghijklmnopqrstuvwxyz"
|
indicates that a user password must contain at least three
|
characters from the set of lowercase ASCII letters). Multiple
|
character sets can be defined in separate values, although no
|
character can appear in more than one character set.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:alias>
|
<adm:synopsis>
|
If no sets are specified, the validator only uses the
|
defined character ranges.
|
</adm:synopsis>
|
</adm:alias>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:string case-insensitive="false" />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-character-set</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="character-set-ranges" mandatory="false"
|
multi-valued="true">
|
<adm:synopsis>
|
Specifies a character range containing characters that a password
|
may contain and a value indicating the minimum number of
|
characters required from that range.
|
</adm:synopsis>
|
<adm:description>
|
Each value must be an integer (indicating the minimum required
|
characters from the range which may be zero, indicating that the
|
character range is optional) followed by a colon and one or more
|
range specifications. A range specification is 3 characters: the
|
first character allowed, a minus, and the last character allowed.
|
For example, "3:A-Za-z0-9". The ranges in each value should not
|
overlap, and the characters in each range specification should be
|
ordered.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:alias>
|
<adm:synopsis>
|
If no ranges are specified, the validator only uses the
|
defined character sets.
|
</adm:synopsis>
|
</adm:alias>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:string case-insensitive="false" />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-character-set-ranges</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="allow-unclassified-characters" mandatory="true">
|
<adm:synopsis>
|
Indicates whether this password validator allows passwords to
|
contain characters outside of any of the user-defined character
|
sets and ranges.
|
</adm:synopsis>
|
<adm:description>
|
If this is "false", then only those characters in the user-defined
|
character sets and ranges may be used in passwords. Any password
|
containing a character not included in any character set or range
|
will be rejected.
|
</adm:description>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-allow-unclassified-characters</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="min-character-sets" mandatory="false">
|
<adm:synopsis>
|
Specifies the minimum number of character sets and ranges that a
|
password must contain.
|
</adm:synopsis>
|
<adm:description>
|
This property should only be used in conjunction with optional character
|
sets and ranges (those requiring zero characters). Its value must
|
include any mandatory character sets and ranges (those requiring greater
|
than zero characters). This is useful in situations where a password
|
must contain characters from mandatory character sets and ranges, and
|
characters from at least N optional character sets and ranges. For
|
example, it is quite common to require that a password contains at
|
least one non-alphanumeric character as well as characters from two
|
alphanumeric character sets (lower-case, upper-case, digits). In this
|
case, this property should be set to 3.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:alias>
|
<adm:synopsis>
|
The password must contain characters from each of the mandatory
|
character sets and ranges and, if there are optional character sets
|
and ranges, at least one character from one of the optional character
|
sets and ranges.
|
</adm:synopsis>
|
</adm:alias>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:integer />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-min-character-sets</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
</adm:managed-object>
|
