
Re: Tightening up ppolicy



--On Tuesday, May 01, 2012 4:20 PM -0700 "Kline, Sara" <SKline@tnsi.com> wrote:



We are using ppolicy to manage the password policy on our LDAP server. It
at least checks the minimum length and the minimum amount of time needed
before a person can change their password again, but is there a way to
get it to check for upper case, lower case, numbers, etc? We need to
force our users to make complex passwords.

<http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&apropos=0&sektion=0&manpath=OpenLDAP+2.4-Release&format=html>

      pwdCheckModule

This attribute names a user-defined loadable module that must
instantiate the check_password() function. This function will be called
to further check a new password if pwdCheckQuality is set to one (1) or
two (2), after all of the built-in password compliance checks have been
passed. This function will be called according to this function
prototype:

	   int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry);

The pPasswd parameter contains the clear-text user password, the
ppErrStr parameter contains a double pointer that allows the function to
return human-readable details about any error it encounters. The
optional pEntry parameter, if non-NULL, carries a pointer to the entry
whose password is being checked. If ppErrStr is NULL, then funcName must
NOT attempt to use it/them. A return value of LDAP_SUCCESS from the
called function indicates that the password is ok, any other value
indicates that the password is unacceptable. If the password is
unacceptable, the server will return an error to the client, and
ppErrStr may be used to return a human-readable textual explanation of
the error. The error string must be dynamically allocated as it will be
free()'d by slapd.

	   (  1.3.6.1.4.1.4754.1.99.1
	      NAME 'pwdCheckModule'
	      EQUALITY caseExactIA5Match
	      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
	      SINGLE-VALUE )

Note: The user-defined loadable module named by pwdCheckModule must be
      in slapd's standard executable search PATH.

Note: pwdCheckModule is a non-standard extension to the LDAP password
      policy proposal.


--Quanah



--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration
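
A check_password() module enforcing the character classes asked about above, following the prototype and rules quoted from the man page. This is an added example, not part of the original message and not OpenLDAP's own code; the Entry typedef, the LDAP_SUCCESS fallback and the PW_REJECTED name are stand-ins so the file compiles without slapd's headers.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Assumptions: stand-ins so this compiles outside the OpenLDAP source tree.
 * A real module takes Entry and LDAP_SUCCESS from slapd's own headers. */
#ifndef LDAP_SUCCESS
#define LDAP_SUCCESS 0x00
#endif
#define PW_REJECTED 1           /* hypothetical name; any non-success value rejects */
typedef struct Entry Entry;     /* opaque here; this check does not inspect the entry */

/* Hand back a heap-allocated message, but only if the caller gave us ppErrStr. */
static int reject(char **ppErrStr, const char *msg)
{
    if (ppErrStr != NULL) {
        char *copy = malloc(strlen(msg) + 1);   /* slapd free()s this string */
        if (copy != NULL)
            strcpy(copy, msg);
        *ppErrStr = copy;
    }
    return PW_REJECTED;
}

int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry)
{
    int upper = 0, lower = 0, digit = 0;
    const unsigned char *p;

    (void)pEntry;                               /* optional argument, may be NULL */
    if (ppErrStr != NULL)
        *ppErrStr = NULL;
    if (pPasswd == NULL)
        return reject(ppErrStr, "No password supplied");

    for (p = (const unsigned char *)pPasswd; *p != '\0'; p++) {
        if (isupper(*p))      upper = 1;
        else if (islower(*p)) lower = 1;
        else if (isdigit(*p)) digit = 1;
    }
    if (!upper)
        return reject(ppErrStr, "Password needs an upper case letter");
    if (!lower)
        return reject(ppErrStr, "Password needs a lower case letter");
    if (!digit)
        return reject(ppErrStr, "Password needs a digit");
    return LDAP_SUCCESS;
}
```

The function receives the clear-text password, so it only runs for passwords that reach the server unhashed, and only when pwdCheckQuality is 1 or 2 as the quoted text states.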