[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: How to enforce strong passwords in Openldap?

I've been searching the web and in particular www.openldap.org and finding
very little on the slapo-ppolicy module.

Does anyone know of a good link for some more info or maybe someone who uses
this module or overlay, could just decribe briefly what it takes to

With the popularity of ldap being used as an authentication backend, it
seems that many other people much be using this feature to comply with their
own corporate password policy.


Mike Partyka
Stonepath Logistics
Systems Administrator
(651)405-4300 Desk
(651)208-5734 Cell
(651)405-4342 Fax

-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Mike Partyka
Sent: Wednesday, December 01, 2004 11:34 AM
Cc: openldap-software@OpenLDAP.org
Subject: RE: How to enforce strong passwords in Openldap?

Yes, i understand what you mean, I was pretty sure that PAM was the wrong
place to do this, but it let me describe what i was looking for in an easy

I don't have a man page for slapo-ppolicy on the server running openldap nor
can i find it on the net. Can you point me elsewhere for an online version
of the page or more details?


Mike Partyka
Stonepath Logistics
Systems Administrator
(651)405-4300 Desk
(651)208-5734 Cell
(651)405-4342 Fax

-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Tuesday, November 30, 2004 5:53 PM
To: mike.partyka@stonepath.com
Cc: openldap-software@OpenLDAP.org
Subject: Re: How to enforce strong passwords in Openldap?

Mike Partyka wrote:

>Our mail server authenticates against an LDAP directory. Is there a way to
>enforce stronger passwords, like what can be done referencing the
>pam_cracklib.so module to prevent the use of weak or bad passwords?
>The mail web front end uses the pam_ldap.so modules to authenticate using
>the ldap directory, is there another module i can stack before the
Placing this type of policy enforcement in the PAM stack is a bit wrong
(in my opinion) since it has to be reproduced on every PAM client
machine. The password policy module in OpenLDAP's CVS HEAD enforces
policy centrally (on the server) and I believe this is the right place
for this enforcement to occur. Also the ppolicy module allows you to
dynamically load an external function for password quality checking, so
you can hook in your cracklib check if you so desire. See the
slapo-ppolicy(5) manpage for full details. The latest version is CVS
HEAD has been modified for the new (OpenLDAP 2.3) slapd API, but
revision 1.28 should still work with OpenLDAP 2.2.

Note that the specification that this module is based on is only in
draft status and so is still undergoing revision. In fact the current
code is already out of date, as it was implemented against draft 7 of
the spec and draft 8 was recently published. But it works as documented.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support