Password Validator Ignores min-substring-length and Triggers Only on Full Attribute Match #566
Description
When using the Attribute Value Password Validator in OpenDJ with check-substrings set to true and min-substring-length set (e.g., to 3), the validator appears to only reject passwords that contain the entire value of the referenced attribute (e.g., uid), rather than any substring of that length or greater.
This seems to contradict the expected behavior — that passwords containing any substring (≥ min-substring-length) of the attribute should be rejected.
I have tested this across multiple OpenDJ versions and consistently observed this behavior.
I'm not sure if I’m misunderstanding the intended configuration or if this is a bug. Any guidance or clarification would be appreciated.
Steps to Reproduce:
- Configure the Attribute Value Password Validator with the following properties:
`Property Value
check-substrings true
enabled true
match-attribute uid
min-substring-length 3
test-reversed-password true`
-
Attach the validator to a password policy.
-
Create a user with the following DN and UID:
dn: uid=USN123,ou=people,dc=example,dc=com -
Attempt to change the password using values that contain substrings of the UID but not the full UID.
Expected Behavior:
Passwords that contain any substring of the UID (of length ≥ 3) — whether directly, in reverse, or within padding — should be rejected.
Example password test results for uid=USN123:
USN123aa -> BLOCK (forward match: N12)
aaUSN123 -> BLOCK (forward match: N12)
U1sn123b -> BLOCK (forward match: 123)
NsU321ab -> BLOCK (reverse-password match: 123)
A9USN12z -> BLOCK (forward match: N12)
xx123USN -> BLOCK (forward match: USN)
NSU123xy -> BLOCK (reverse-password match: USN)
z9nUSN12 -> BLOCK (forward match: N12)
usN321AA -> BLOCK (reverse-password match: 123)
1USN2abc -> BLOCK (forward match: USN)
Sun3RiseA -> PASS (no username substrings detected)
Rock7fall -> PASS (no username substrings detected)
Tree9Bark -> PASS (no username substrings detected)
Wave4Deep -> PASS (no username substrings detected)
Glow5Star -> PASS (no username substrings detected)
Rain8Drop -> PASS (no username substrings detected)
Fire6Ash -> PASS (no username substrings detected)
Mist2Hill -> PASS (no username substrings detected)
Frog1Lake -> PASS (no username substrings detected)
Dust7Moon -> PASS (no username substrings detected)
Actual Behavior:
Only passwords that contain the full UID value are rejected. Substrings (even those ≥ 3 characters long) are accepted.
Observed results:
uid on server: USN123
USN123aa -> REJECTED [constraintViolation] The provided new password failed the validation checks defined in the server: The provided password was found in another attribute in the user entry
aaUSN123 -> REJECTED [constraintViolation] The provided new password failed the validation checks defined in the server: The provided password was found in another attribute in the user entry
U1sn123b -> ACCEPTED [success]
NsU321ab -> ACCEPTED [success]
A9USN12z -> ACCEPTED [success]
xx123USN -> ACCEPTED [success]
NSU123xy -> ACCEPTED [success]
z9nUSN12 -> ACCEPTED [success]
usN321AA -> ACCEPTED [success]
1USN2abc -> ACCEPTED [success]
Sun3RiseA -> ACCEPTED [success]
Rock7fall -> ACCEPTED [success]
Tree9Bark -> ACCEPTED [success]
Wave4Deep -> ACCEPTED [success]
Glow5Star -> ACCEPTED [success]
Rain8Drop -> ACCEPTED [success]
Fire6Ash -> ACCEPTED [success]
Mist2Hill -> ACCEPTED [success]
Frog1Lake -> ACCEPTED [success]
Dust7Moon -> ACCEPTED [success]
This indicates that substring checks are not functioning as expected, or min-substring-length is not being honoured.
Environment:
OpenDJ versions tested:
4.10.2
4.9
4.6.2
OS: Ubuntu 22.04 (also tested on macOS Ventura) Used docker and k8s deployments for opendj
Additional Context:
The test-reversed-password property appears to have no effect either — reversed substrings are not detected.
This behavior significantly reduces the strength of the validator, as users can include recognizable fragments of usernames in their passwords.
I would be happy to test further or assist in debugging.