RE: How to enforce strong passwords in Openldap?
I've been searching the web and in particular www.openldap.org and finding
very little on the slapo-ppolicy module.
Does anyone know of a good link for some more info or maybe someone who uses
this module or overlay, could just describe briefly what it takes to
With the popularity of ldap being used as an authentication backend, it
seems that many other people must be using this feature to comply with their
own corporate password policy.
[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Mike Partyka
Sent: Wednesday, December 01, 2004 11:34 AM
Subject: RE: How to enforce strong passwords in Openldap?
Yes, I understand what you mean, I was pretty sure that PAM was the wrong
place to do this, but it let me describe what I was looking for in an easy
I don't have a man page for slapo-ppolicy on the server running openldap nor
can I find it on the net. Can you point me elsewhere for an online version
of the page or more details?
From: Howard Chu [mailto:firstname.lastname@example.org]
Sent: Tuesday, November 30, 2004 5:53 PM
Subject: Re: How to enforce strong passwords in Openldap?
Mike Partyka wrote:
>Our mail server authenticates against an LDAP directory. Is there a way to
>enforce stronger passwords, like what can be done referencing the
>pam_cracklib.so module to prevent the use of weak or bad passwords?
>The mail web front end uses the pam_ldap.so modules to authenticate using
>the ldap directory, is there another module I can stack before the
Placing this type of policy enforcement in the PAM stack is a bit wrong
(in my opinion) since it has to be reproduced on every PAM client
machine. The password policy module in OpenLDAP's CVS HEAD enforces
policy centrally (on the server) and I believe this is the right place
for this enforcement to occur. Also the ppolicy module allows you to
dynamically load an external function for password quality checking, so
you can hook in your cracklib check if you so desire. See the
slapo-ppolicy(5) manpage for full details. The latest version in CVS
HEAD has been modified for the new (OpenLDAP 2.3) slapd API, but
revision 1.28 should still work with OpenLDAP 2.2.
Note that the specification that this module is based on is only in
draft status and so is still undergoing revision. In fact the current
code is already out of date, as it was implemented against draft 7 of
the spec and draft 8 was recently published. But it works as documented.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support
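
Added example (not code from this thread or from the OpenLDAP project): a server-side quality-check function of the kind Howard Chu describes, which the ppolicy module can load dynamically. It assumes the `check_password` signature given in later slapo-ppolicy(5) man pages (OpenLDAP 2.3/2.4); the opaque `Entry` stand-in, the return-code macros and the length and character-class thresholds are assumptions made for the example.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in so this compiles without slapd headers (assumption);
 * a real module includes slap.h and uses slapd's own Entry type. */
typedef struct Entry Entry;

#define CHECK_OK        0   /* LDAP_SUCCESS */
#define CHECK_REJECTED  19  /* LDAP_CONSTRAINT_VIOLATION */
#define MIN_LENGTH      10  /* assumed site policy, not from the thread */
#define MIN_CLASSES     3   /* out of: lower, upper, digit, other */

/* Return the reason in heap memory: slapd free()s the string it gets. */
static int reject(char **ppErrStr, const char *msg)
{
    if (ppErrStr != NULL) {
        size_t n = strlen(msg) + 1;
        char *copy = malloc(n);
        if (copy != NULL)
            memcpy(copy, msg, n);
        *ppErrStr = copy;
    }
    return CHECK_REJECTED;
}

int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry)
{
    int lower = 0, upper = 0, digit = 0, other = 0;
    size_t len = 0;
    const unsigned char *p;

    (void)pEntry;               /* entry contents are not inspected here */
    if (ppErrStr != NULL)
        *ppErrStr = NULL;
    if (pPasswd == NULL)
        return reject(ppErrStr, "no password supplied");

    for (p = (const unsigned char *)pPasswd; *p != '\0'; p++, len++) {
        if (islower(*p)) lower = 1;
        else if (isupper(*p)) upper = 1;
        else if (isdigit(*p)) digit = 1;
        else other = 1;
    }
    if (len < MIN_LENGTH)
        return reject(ppErrStr, "password is too short");
    if (lower + upper + digit + other < MIN_CLASSES)
        return reject(ppErrStr, "password needs more character classes");
    /* A dictionary check such as cracklib would be called at this point. */
    return CHECK_OK;
}
```

Per the same man pages, the function is built as a shared object and named in the policy entry's `pwdCheckModule` attribute, and it is only consulted when `pwdCheckQuality` is non-zero. It can only inspect passwords that reach the server in clear text, so pre-hashed values bypass it.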