Overlay supporting password syntax checking
- To: OpenLDAP-devel@openldap.org
- Subject: Overlay supporting password syntax checking
- From: Mathieu <mathieu.baeumler@gmail.com>
- Date: Thu, 17 Mar 2011 12:59:52 +0100
Hi,
I am currently migrating a user database to an OpenLDAP solution. I
have to deal with some constraints for this project, namely password
policy and/or password syntax checking.
Fortunately the ppolicy overlay already implements
draft-behera-ldap-password-policy, and offers the possibility to use
pwdCheckModule to check passwords via external modules.
Unfortunately, I did not find any module meeting all my requirements:
The check_password() function, as defined in ppolicy, provides
to the underlying module two parameters:
- The entry being modified
- The new password.
Now to support per-user settings, which is one of these requirements,
I have to either store extra attributes in each entry, or the module
has to perform an ldapsearch against the db.
An option is to modify the check_password() function so it sends the
ppolicy object itself:
int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry,
Entry *ppolicyEntry);
This way people using external modules would just need to store their
settings attributes in it.
As I don't want to break existing module implementations, I have
developed a simple overlay which enforces password syntax
checking on a per-user or per-database basis. The overlay also implements
the check_password() function so it can be used in conjunction
with ppolicy.
I believe the code is clean enough to be contributed and
I will be glad to upload it if you think it can be of any interest.
However, I have some questions first.
The overlay allows me to define a default password-constraints
object at the database level, or a subentry in the user entry, in a similar way
to the ppolicy_default setting and the pwdPolicySubentry attribute.
This is so similar that I think it would be more relevant to extend
the ppolicy overlay so it could support basic syntax checking. I
understand the need to have the pwdCheckModule functionality, for
those in need of exotic or platform-dependent checks, but counting
the characters belonging to a class is not harder than checking the
min/max length of the password.
So to summarize:
- Could the check_password function be modified?
- Could basic syntax checking be integrated in ppolicy?
And if none of these options are acceptable, should I upload the
overlay I developed?
Of course I'm willing to help on the first two points.
Regards,
--
Mathieu
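The per-entry syntax check the message proposes, as an added example that is not code from the original mail, from the author's overlay, or from OpenLDAP. It has the shape of a pwdCheckModule check_password() function, but slapd's Entry is replaced by a small struct carrying the policy directly, so the check needs no extra search: the policy comes either from a per-user policy (the pwdPolicySubentry idea) or from a database-level default (the ppolicy_default idea). The attribute names in the comments (pwdMinLength, pwdMinUpper and so on), the policy values, the user DNs, the "0 means accept" return convention and the "caller frees the error string" convention are all assumptions made for the example; lengths are counted in bytes, not UTF-8 code points.

```c
/* Added example: a check_password()-shaped per-user password syntax check.
 * Not from the original message or from OpenLDAP; names below are assumed. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LDAP_SUCCESS 0   /* assumed convention: 0 accepts, non-zero rejects */

/* Constraints a policy (sub)entry would carry; attribute names are invented. */
struct pw_syntax {
    int min_length;      /* pwdMinLength */
    int max_length;      /* pwdMaxLength, 0 = unlimited */
    int min_upper;       /* pwdMinUpper */
    int min_lower;       /* pwdMinLower */
    int min_digit;       /* pwdMinDigit */
    int min_other;       /* pwdMinOther: punctuation, space, non-ASCII bytes */
    int min_classes;     /* pwdMinClasses: distinct classes that must appear */
};

/* Database-level default, in the role of ppolicy_default (assumed values). */
const struct pw_syntax db_default_syntax = { 8, 0, 0, 0, 0, 0, 3 };
/* A stricter policy one user points at, in the role of pwdPolicySubentry. */
const struct pw_syntax strict_syntax     = { 12, 64, 1, 1, 1, 1, 0 };

/* Stand-in for slapd's Entry: just the part the check needs. */
struct user_entry {
    const char *dn;
    const struct pw_syntax *policy;   /* NULL: fall back to the db default */
};

const struct user_entry alice = { "uid=alice,dc=example,dc=org", &strict_syntax };
const struct user_entry bob   = { "uid=bob,dc=example,dc=org",   NULL };

/* Hand a malloc'd message back through the error pointer (assumed: the
 * caller frees it) and return the non-zero "reject" code. */
static int reject(char **err, const char *fmt, int n)
{
    if (err != NULL) {
        char buf[96];
        size_t len;
        snprintf(buf, sizeof buf, fmt, n);
        len = strlen(buf) + 1;
        *err = malloc(len);
        if (*err != NULL)
            memcpy(*err, buf, len);
    }
    return 1;
}

/* One pass over the password counts its length and the members of each
 * character class, then applies the policy's minimums and maximums. */
int check_password_syntax(const char *pw, const struct pw_syntax *pol, char **err)
{
    int len = 0, upper = 0, lower = 0, digit = 0, other = 0, classes;
    const unsigned char *p;

    if (err != NULL) *err = NULL;
    if (pol == NULL) pol = &db_default_syntax;

    for (p = (const unsigned char *)pw; *p != '\0'; p++) {
        len++;
        if (isupper(*p))      upper++;
        else if (islower(*p)) lower++;
        else if (isdigit(*p)) digit++;
        else                  other++;
    }
    classes = (upper > 0) + (lower > 0) + (digit > 0) + (other > 0);

    if (len < pol->min_length)
        return reject(err, "password shorter than %d characters", pol->min_length);
    if (pol->max_length > 0 && len > pol->max_length)
        return reject(err, "password longer than %d characters", pol->max_length);
    if (upper < pol->min_upper)
        return reject(err, "fewer than %d upper-case characters", pol->min_upper);
    if (lower < pol->min_lower)
        return reject(err, "fewer than %d lower-case characters", pol->min_lower);
    if (digit < pol->min_digit)
        return reject(err, "fewer than %d digits", pol->min_digit);
    if (other < pol->min_other)
        return reject(err, "fewer than %d non-alphanumeric characters", pol->min_other);
    if (classes < pol->min_classes)
        return reject(err, "fewer than %d character classes", pol->min_classes);
    return LDAP_SUCCESS;
}

/* Same parameter shape as ppolicy's check_password(), with the stand-in
 * entry type: the policy is read from the entry, no ldapsearch needed. */
int check_password(char *pPasswd, char **ppErrStr, const struct user_entry *pEntry)
{
    const struct pw_syntax *pol = (pEntry != NULL) ? pEntry->policy : NULL;
    return check_password_syntax(pPasswd, pol, ppErrStr);
}

int main(void)
{
    const struct user_entry *users[] = { &alice, &bob };
    const char *candidates[] = { "correcthorse", "Correct1Horse", "Correct1Horse!" };
    size_t u, c;

    for (u = 0; u < 2; u++) {
        for (c = 0; c < 3; c++) {
            char pw[64];
            char *err = NULL;
            int rc;
            strcpy(pw, candidates[c]);   /* the API takes a writable buffer */
            rc = check_password(pw, &err, users[u]);
            printf("%-28s %-15s -> %s%s%s\n", users[u]->dn, candidates[c],
                   rc == LDAP_SUCCESS ? "accepted" : "rejected",
                   err ? ": " : "", err ? err : "");
            free(err);
        }
    }
    return 0;
}
```

With these constructed policies, bob's default policy accepts "Correct1Horse" (three classes, 13 bytes) but rejects "correcthorse" (one class), while alice's stricter policy rejects "Correct1Horse" for lacking a non-alphanumeric character and accepts only "Correct1Horse!". The per-user decision is made entirely from the entry handed to check_password(), which is the point of the proposed fourth parameter in the message.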