
Re: How to enforce strong passwords in Openldap?



Mike Partyka wrote:

> Hello,
>
> Our mail server authenticates against an LDAP directory. Is there a way to
> enforce stronger passwords, like what can be done referencing the
> pam_cracklib.so module to prevent the use of weak or bad passwords?
>
> The mail web front end uses the pam_ldap.so modules to authenticate using
> the ldap directory, is there another module I can stack before the
> pam_ldap.so?

Placing this type of policy enforcement in the PAM stack is a bit wrong (in my opinion) since it has to be reproduced on every PAM client machine. The password policy module in OpenLDAP's CVS HEAD enforces policy centrally (on the server) and I believe this is the right place for this enforcement to occur. Also the ppolicy module allows you to dynamically load an external function for password quality checking, so you can hook in your cracklib check if you so desire. See the slapo-ppolicy(5) manpage for full details. The latest version in CVS HEAD has been modified for the new (OpenLDAP 2.3) slapd API, but revision 1.28 should still work with OpenLDAP 2.2.

Note that the specification that this module is based on is only in draft status and so is still undergoing revision. In fact the current code is already out of date, as it was implemented against draft 7 of the spec and draft 8 was recently published. But it works as documented.

--
 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support