[Date Prev][Date Next] [Chronological] [Thread] [Top]

Ppolicy overlay password checking module

To: openldap-software@OpenLDAP.org
Subject: Ppolicy overlay password checking module
From: John Allman <allmanj@cp.dias.ie>
Date: Wed, 19 Jul 2006 15:53:47 +0100
User-agent: Thunderbird 1.5.0.2 (X11/20060521)

Hi all,

I don't know if this is the right list, but i'm hoping the author of the
overlay or somebody equally knowledgeable is on this list and will be
able to help me.

I'm attempting to use the password policy overlay with a custom password
strength checker. The docs say the following on the subject:

"pwdCheckModule This attribute names a user-defined loadable module that
must instantiate the check_password() function. This function will be
called to further check a new password if pwdCheckQuality is set to one
(1) or two (2), after all of the built-in password compliance checks
have been passed. This function will be called according to this
function prototype:

    int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry);

...

Note: The user-defined loadable module named by pwdCheckModule must be
in slapd's standard executable search PATH. Note: pwdCheckModule is a
non-standard extension to the LDAP password policy proposal

Now, i'm a little unclear on how exactly to compile such a module or
where to place it so as to load it. "standard executable search PATH"
seems to imply it should go where binaries go (for example
/usr/local/bin) but i'm wondering if maybe it's the modulepath in the
slapd.conf. I've tried both so i'm assuming i'm not compiling it up
correctly

The following is my simple program using cracklib (untested but i
believe should work). The file is called ldap_cracklib.c

#include <portable.h>
#include <slap.h>
#include <packer.h>

int  check_password  (char  *pPasswd, char **ppErrStr, Entry *pEntry);

int check_password( char *pPasswd, char **ppErrStr, Entry *pentry)
{
        char *ret;
        ret = (char *) FascistCheck( pPasswd,
'/usr/local/libdata/cracklib/pw_dict' );
        if (ret == NULL)
        {
                return 0;
        }
        *ppErrStr = ret;
        return 1;
}

I've compiled it to an object file with gcc -c (and a whole bunch of
other arguments for includes, etc) and also to a library using libtool
(i took the makefile for smbk5pwd and modified it). I've then tried
modifying the pwdCheckModule to ldap_cracklib.o and ldap_cracklib.so
respectively (after copying the relevant files to both /usr/local/bin
and our module path, /usr/local/libexec/openldap).

I'm using the following command to try and change my password:

ldappasswd -x -W -A -H ldaps://ldapservername.fully.qualified.domain -D
"uid=allmanj,ou=people,dc=fully,dc=qualified,dc=domain"

It prompts me for my old password twice, once for my new and then says:

ldap_bind: Invalid credentials (49)

I can confirm that my (old) password is correct by using ldapwhoami.

So should i be making a library? Should i be making a basic compiled
object? Should i be making something else? Please bear in mind that i'm
an administrator not a programmer so i am a little ignorant.

I've tried boosting the ldap log level and looking for errors but i dont
see anything.

Any help would be greatly appreciated.

Thanks,

John

Prev by Date: Re: syncrepl refresh not finished after consumer restart
Next by Date: HowTO
Index(es):
- Chronological
- Thread