# Ensure strong password complexity requirements for all users.

389-AC-001 - severity: high

| Field | Value |
|---|---|
| Control ID | 389-AC-001 |
| Severity | high |
| Type | preventive |
| Owner | IT Operations |
| Status | authored |
| NIST 800-53 | IA-5(1) |
| DISA SRG | SRG-APP-000164 |

## Rationale

Password syntax checking activates the 389 Directory Server complexity engine, which enforces the minimum character-class requirements (uppercase, lowercase, digits, and special characters) before a password is accepted. When this setting is off, the individual character-class minimums configured in 389-AC-010 through 389-AC-013 are silently ignored by the server regardless of their values, leaving the directory open to weak, single-class passwords that are trivially recovered by brute-force and dictionary attacks. This control is the prerequisite gate for the entire password composition suite: disabling it invalidates all four character-class controls at once. DISA SRG-APP-000164 and NIST IA-5(1) require enforcement of complexity rules for credentials stored in covered systems.

## Check

Verify that password syntax checking (complexity enforcement) is enabled in the global password policy:

```shell
dsconf <instance> pwpolicy get | grep -i passwordchecksyntax
```

Expected: `passwordCheckSyntax: on`

## Remediation

Enable password syntax checking in the global password policy:

```shell
dsconf <instance> pwpolicy set --pwdchecksyntax=on
```

## References

## Implementation Notes

Enable syntax checking with `--pwdchecksyntax=on` on the global password policy. The character-class floor controls (`--pwdminuppers`, `--pwdminlowers`, `--pwdmindigits`, `--pwdminspecials`, configured in 389-AC-010 through 389-AC-013) are silently ignored by the server until `passwordCheckSyntax` is set to `on`, so always verify this control first. The global policy applies to all users unless a subtree- or user-level policy overrides it; audit local policies with `dsconf <instance> pwpolicy list` to confirm that no override disables syntax checking. Changes to the password policy take effect only for subsequent password-set or password-change operations; existing passwords are not retroactively validated.
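The dependency described above (the character-class floors count for nothing while `passwordCheckSyntax` is off) is easy to miss when auditing by eye. The following checker is an added example for this control, not part of the benchmark or of 389 Directory Server; it assumes the captured `dsconf <instance> pwpolicy get` output is one `attribute: value` pair per line, as shown in the Check, and the sample output is constructed.

```python
"""Evaluate 389-AC-001 against captured `dsconf <instance> pwpolicy get` output.

Added example, not benchmark or 389-ds code. Assumes one `attribute: value`
pair per output line; the floor attribute names are the server's own.
"""
import re

# Attributes set by the floor controls 389-AC-010 through 389-AC-013.
CLASS_FLOORS = ("passwordMinUppers", "passwordMinLowers",
                "passwordMinDigits", "passwordMinSpecials")


def parse_pwpolicy(output: str) -> dict:
    """Parse `attribute: value` lines into a dict keyed by lowercased attribute."""
    policy = {}
    for line in output.splitlines():
        m = re.match(r"^\s*([A-Za-z][\w-]*)\s*:\s*(.*?)\s*$", line)
        if m:
            policy[m.group(1).lower()] = m.group(2)
    return policy


def evaluate(output: str) -> dict:
    """Return the 389-AC-001 verdict plus the effective state of each floor.

    A floor is reported 'effective' only when passwordCheckSyntax is on and
    its value is above zero; otherwise the server ignores it, so the result
    flags it even though a value is configured.
    """
    policy = parse_pwpolicy(output)
    syntax_on = policy.get("passwordchecksyntax", "off").lower() == "on"
    floors = {}
    for attr in CLASS_FLOORS:
        raw = policy.get(attr.lower(), "0")
        value = int(raw) if raw.isdigit() else 0
        floors[attr] = {"value": value, "effective": syntax_on and value > 0}
    return {"389-AC-001": "pass" if syntax_on else "fail",
            "passwordCheckSyntax": syntax_on,
            "floors": floors}


# Constructed sample: floors are configured but syntax checking is off,
# so every floor is reported as not effective.
SAMPLE_OFF = """\
passwordCheckSyntax: off
passwordMinLength: 12
passwordMinUppers: 1
passwordMinLowers: 1
passwordMinDigits: 1
passwordMinSpecials: 0
"""

if __name__ == "__main__":
    print(evaluate(SAMPLE_OFF))
```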