Re: How to enforce strong passwords in Openldap?
- To: firstname.lastname@example.org
- Subject: Re: How to enforce strong passwords in Openldap?
- From: Howard Chu <email@example.com>
- Date: Tue, 30 Nov 2004 15:53:26 -0800
- Cc: openldap-software@OpenLDAP.org
- In-reply-to: <004101c4d72d$a9823740$3b14a8c0@stonetop>
- References: <004101c4d72d$a9823740$3b14a8c0@stonetop>
- User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a5) Gecko/20041101
Mike Partyka wrote:
> Our mail server authenticates against an LDAP directory. Is there a way to
> enforce stronger passwords, like what can be done referencing the
> pam_cracklib.so module to prevent the use of weak or bad passwords?
> The mail web front end uses the pam_ldap.so modules to authenticate using
> the ldap directory, is there another module I can stack before the

Placing this type of policy enforcement in the PAM stack is a bit wrong
(in my opinion) since it has to be reproduced on every PAM client
machine. The password policy module in OpenLDAP's CVS HEAD enforces
policy centrally (on the server) and I believe this is the right place
for this enforcement to occur. Also the ppolicy module allows you to
dynamically load an external function for password quality checking, so
you can hook in your cracklib check if you so desire. See the
slapo-ppolicy(5) manpage for full details. The latest version in CVS
HEAD has been modified for the new (OpenLDAP 2.3) slapd API, but
revision 1.28 should still work with OpenLDAP 2.2.

Note that the specification that this module is based on is only in
draft status and so is still undergoing revision. In fact the current
code is already out of date, as it was implemented against draft 7 of
the spec and draft 8 was recently published. But it works as documented.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support
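
The external quality-check hook mentioned in the message above, sketched as an added example (not code from the original post or from the OpenLDAP project). It assumes the `check_password(char *, char **, Entry *)` entry point and the `pwdCheckModule` attribute documented in slapo-ppolicy(5) for OpenLDAP 2.3/2.4 (later releases changed the signature); the length and character-class rule, the stand-in definitions and the helper `set_err` are illustrative assumptions, and a cracklib call would take the place of the rule.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins so this file compiles alone; a real module includes slapd's
 * headers (portable.h, slap.h) instead of these three definitions. */
#define LDAP_SUCCESS              0x00
#define LDAP_CONSTRAINT_VIOLATION 0x13
typedef struct Entry Entry;          /* opaque here; unused by this check */

#define MIN_LEN     10               /* assumed site policy, not a default */
#define MIN_CLASSES 3

/* Hypothetical helper: slapd free()s *ppErrStr, so the text is malloc'ed. */
static void set_err(char **ppErrStr, const char *msg)
{
    if (ppErrStr == NULL) return;    /* caller did not ask for a message */
    *ppErrStr = malloc(strlen(msg) + 1);
    if (*ppErrStr != NULL) strcpy(*ppErrStr, msg);
}

/* Symbol the overlay looks up in the shared object named by pwdCheckModule.
 * It only sees cleartext; pre-hashed values never reach this function. */
int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry)
{
    int lower = 0, upper = 0, digit = 0, other = 0;
    size_t i, len;

    (void)pEntry;
    if (ppErrStr != NULL) *ppErrStr = NULL;
    if (pPasswd == NULL || (len = strlen(pPasswd)) < MIN_LEN) {
        set_err(ppErrStr, "password is too short");
        return LDAP_CONSTRAINT_VIOLATION;
    }
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)pPasswd[i];
        if (islower(c)) lower = 1;
        else if (isupper(c)) upper = 1;
        else if (isdigit(c)) digit = 1;
        else other = 1;
    }
    if (lower + upper + digit + other < MIN_CLASSES) {
        set_err(ppErrStr, "password needs more character classes");
        return LDAP_CONSTRAINT_VIOLATION;
    }
    return LDAP_SUCCESS;             /* any other value rejects the change */
}
```

Built as a shared object and referenced from the policy entry, this runs on the server for every cleartext password change, so no PAM client needs its own copy of the rule.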