[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#6082) ppolicy password checker module should make possible to return error to the client

Full_Name: Guillaume Rousse
Version: 2.4.16
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

Current implementation of password checker doesn't allow exact errors returned
by the external module to be returned to the client, for security reason. They
are only available in server logs. Quoting man page:

If the password is unacceptable, the server will return an error to the client,
and  ppErrStr may be used to return a human-readable textual explanation of the

As it is already difficult to have strong password policies accepted by users,
making this behaviour configurable, exactly the same way the ppolicy_use_lockout
option allows the servers to return more information if wanted to the client,
would be desirable.