server/config/CharacterSetPasswordValidatorConfiguration.xml

	CharacterSetPasswordValidatorConfiguration.xml revision d70586b00b9530ab99ab4b8f003e9a54793e419f
<?xml version="1.0" encoding="UTF-8"?>
<!--
  ! CDDL HEADER START
  !
  ! The contents of this file are subject to the terms of the
  ! Common Development and Distribution License, Version 1.0 only
  ! (the "License").  You may not use this file except in compliance
  ! with the License.
  !
  ! You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
  ! or http://forgerock.org/license/CDDLv1.0.html.
  ! See the License for the specific language governing permissions
  ! and limitations under the License.
  !
  ! When distributing Covered Code, include this CDDL HEADER in each
  ! file and include the License file at legal-notices/CDDLv1_0.txt.
  ! If applicable, add the following below this CDDL HEADER, with the
  ! fields enclosed by brackets "[]" replaced with your own identifying
  ! information:
  !      Portions Copyright [yyyy] [name of copyright owner]
  !
  ! CDDL HEADER END
  !
  !
  !      Copyright 2007-2008 Sun Microsystems, Inc.
  !      Portions Copyright 2011-2012 ForgeRock AS
  ! -->
<adm:managed-object name="character-set-password-validator"
  plural-name="character-set-password-validators"
  package="org.forgerock.opendj.server.config" extends="password-validator"
  xmlns:adm="http://opendj.forgerock.org/admin"
  xmlns:ldap="http://opendj.forgerock.org/admin-ldap">
  <adm:synopsis>
    The
    <adm:user-friendly-name />
    determines whether a proposed password is acceptable by
    checking whether it contains a sufficient number of characters
    from one or more user-defined character sets and ranges.
  </adm:synopsis>
  <adm:description>
    For example,
    the validator can ensure that passwords must
    have at least one lowercase letter, one uppercase letter, one digit,
    and one symbol.
  </adm:description>
  <adm:constraint>
    <adm:synopsis>
      The <adm:user-friendly-name/> must have at least one character set
      or range specified.
    </adm:synopsis>
    <adm:condition>
      <adm:or>
      	<adm:is-present property="character-set" />
      	<adm:is-present property="character-set-ranges" />
      </adm:or>
    </adm:condition>
  </adm:constraint>
  <adm:profile name="ldap">
    <ldap:object-class>
      <ldap:name>ds-cfg-character-set-password-validator</ldap:name>
      <ldap:superior>ds-cfg-password-validator</ldap:superior>
    </ldap:object-class>
  </adm:profile>
  <adm:property-override name="java-class" advanced="true">
    <adm:default-behavior>
      <adm:defined>
        <adm:value>
          org.opends.server.extensions.CharacterSetPasswordValidator
        </adm:value>
      </adm:defined>
    </adm:default-behavior>
  </adm:property-override>
  <adm:property name="character-set" mandatory="false"
    multi-valued="true">
    <adm:synopsis>
      Specifies a character set containing characters that a password
      may contain and a value indicating the minimum number of
      characters required from that set.
    </adm:synopsis>
    <adm:description>
      Each value must be an integer (indicating the minimum required
      characters from the set which may be zero, indicating that the
      character set is optional) followed by a colon and the characters to
      include in that set (for example, "3:abcdefghijklmnopqrstuvwxyz"
      indicates that a user password must contain at least three
      characters from the set of lowercase ASCII letters). Multiple
      character sets can be defined in separate values, although no
      character can appear in more than one character set.
    </adm:description>
    <adm:default-behavior>
      <adm:alias>
        <adm:synopsis>
          If no sets are specified, the validator only uses the
          defined character ranges.
        </adm:synopsis>
      </adm:alias>
    </adm:default-behavior>
    <adm:syntax>
      <adm:string case-insensitive="false" />
    </adm:syntax>
    <adm:profile name="ldap">
      <ldap:attribute>
        <ldap:name>ds-cfg-character-set</ldap:name>
      </ldap:attribute>
    </adm:profile>
  </adm:property>
  <adm:property name="character-set-ranges" mandatory="false"
    multi-valued="true">
    <adm:synopsis>
      Specifies a character range containing characters that a password
      may contain and a value indicating the minimum number of
      characters required from that range.
    </adm:synopsis>
    <adm:description>
      Each value must be an integer (indicating the minimum required
      characters from the range which may be zero, indicating that the
      character range is optional) followed by a colon and one or more
      range specifications. A range specification is 3 characters: the
      first character allowed, a minus, and the last character allowed.
      For example, "3:A-Za-z0-9". The ranges in each value should not
      overlap, and the characters in each range specification should be
      ordered.
    </adm:description>
    <adm:default-behavior>
      <adm:alias>
        <adm:synopsis>
          If no ranges are specified, the validator only uses the
          defined character sets.
        </adm:synopsis>
      </adm:alias>
    </adm:default-behavior>
    <adm:syntax>
      <adm:string case-insensitive="false" />
    </adm:syntax>
    <adm:profile name="ldap">
      <ldap:attribute>
        <ldap:name>ds-cfg-character-set-ranges</ldap:name>
      </ldap:attribute>
    </adm:profile>
  </adm:property>
  <adm:property name="allow-unclassified-characters" mandatory="true">
    <adm:synopsis>
      Indicates whether this password validator allows passwords to
      contain characters outside of any of the user-defined character
      sets and ranges.
    </adm:synopsis>
    <adm:description>
      If this is "false", then only those characters in the user-defined
      character sets and ranges may be used in passwords. Any password
      containing a  character not included in any character set or range
      will be rejected.
    </adm:description>
    <adm:syntax>
      <adm:boolean />
    </adm:syntax>
    <adm:profile name="ldap">
      <ldap:attribute>
        <ldap:name>ds-cfg-allow-unclassified-characters</ldap:name>
      </ldap:attribute>
    </adm:profile>
  </adm:property>
  <adm:property name="min-character-sets" mandatory="false">
    <adm:synopsis>
      Specifies the minimum number of character sets and ranges that a
      password must contain.
    </adm:synopsis>
    <adm:description>
      This property should only be used in conjunction with optional character
      sets and ranges (those requiring zero characters). Its value must
      include any mandatory character sets and ranges (those requiring greater
      than zero characters). This is useful in situations where a password
      must contain characters from mandatory character sets and ranges, and
      characters from at least N optional character sets and ranges. For
      example, it is quite common to require that a password contains at
      least one non-alphanumeric character as well as characters from two
      alphanumeric character sets (lower-case, upper-case, digits). In this
      case, this property should be set to 3.
    </adm:description>
  <adm:default-behavior>
    <adm:alias>
      <adm:synopsis>
        The password must contain characters from each of the mandatory
        character sets and ranges and, if there are optional character sets
        and ranges, at least one character from one of the optional character
        sets and ranges.
      </adm:synopsis>
    </adm:alias>
  </adm:default-behavior>
  <adm:syntax>
      <adm:integer />
    </adm:syntax>
    <adm:profile name="ldap">
      <ldap:attribute>
        <ldap:name>ds-cfg-min-character-sets</ldap:name>
      </ldap:attribute>
    </adm:profile>
  </adm:property>
</adm:managed-object>