[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Overlay supporting password syntax checking

To: Mathieu <mathieu.baeumler@gmail.com>
Subject: Re: Overlay supporting password syntax checking
From: Howard Chu <hyc@symas.com>
Date: Thu, 17 Mar 2011 08:20:39 -0700
Cc: OpenLDAP-devel@openldap.org
In-reply-to: <AANLkTi=ZwWU=-tTu5bhhvJC9sxaJD46Gvu9mdR+jvEby@mail.gmail.com>
References: <AANLkTi=ZwWU=-tTu5bhhvJC9sxaJD46Gvu9mdR+jvEby@mail.gmail.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:2.0b11pre) Gecko/20110130 Firefox/4.0b11pre SeaMonkey/2.1b2pre

Mathieu wrote:

Hi,

I am currently migrating a users database to an OpenLDAP solution. I
have to deal with some constraints for this project, namely password
policy and/or password syntax checking.

Fortunately the ppolicy overlay already implements the
draft-behera-ldap-password-policy, and offers the possibility to use
pwdCheckModule to check password via external modules.

Unfortunately, I did not find any module meeting all my requirements:

The check_password() function, as defined in ppolicy, provides
to the underlying module two parameters:
- The entry being modified
- The new password.
Now to support per user settings, which is one of these requirements,
I have to either store extra attributes among each entry, or the module
has to perform a ldapsearch against the db.

An option is to modify the check_password() function so it sends the
ppolicy object itself:
int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry,
Entry *ppolicyEntry);
This way people using external modules would just need to store their
settings attributes in it.

As I don't want to break existing modules implementation, I have
developed a simple overlay which enforces password syntax
checking on a per user or per database basis. The overlay implements
also the check_password() function so it can be used in conjunction
with ppolicy.

I believe the code is clean enough to be contributed and
I will be glad to upload it if you think it can be of any interest.
However, I have some questions first.

The overlay allows me to define a default password constraints
object at a database level, or a subentry in the user entry, in a similar way
as the ppolicy_default setting and the pwdPolicySubentry attributes.
This is so similar that I think it would be more relevant to extend
the ppolicy overlay so it could support basic syntax checking. I
understand the need to have the pwdCheckModule functionality, for
those in need of exotics or platform dependent checks, but counting
the characters belonging to a class is not harder than checking the
min/max length of the password.

So to summarize:

- Could the check_password function be modified?


Yes, but we would not release this change until OpenLDAP 2.5.

- Could basic syntax checking be integrated in ppolicy?

Maybe; please give more details on how you propose to specify the nature ofeach check.

And If none of these options are acceptable, should I upload the
overlay I developed?


You're always free to submit code to the ITS.

Of course I'm willing to help on the first two points.


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Follow-Ups:
- Re: Overlay supporting password syntax checking
  - From: Mathieu <mathieu.baeumler@gmail.com>

References:
- Overlay supporting password syntax checking
  - From: Mathieu <mathieu.baeumler@gmail.com>

Prev by Date: Re: Generalize olcHidden -> olcLabel
Next by Date: Release testing
Index(es):
- Chronological
- Thread