
RE: Tightening up ppolicy



I saw this in the ppolicy pages but was unsure of how to use it? I understand that I can use pwdCheckModule and even how to turn it on, but I am uncertain as to how to actually tell it that we want to have for example, one upper case, one lower case and one numeral. Has anybody done that?

Thanks,
Sara Kline


-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@zimbra.com]
Sent: Tuesday, May 01, 2012 4:36 PM
To: Kline, Sara; openldap-technical@openldap.org
Subject: Re: Tightening up ppolicy

--On Tuesday, May 01, 2012 4:20 PM -0700 "Kline, Sara" <SKline@tnsi.com> wrote:

>
>
> We are using ppolicy to manage the password policy on our LDAP server.
> It at least checks the minimum length and the minimum amount of time
> needed before a person can change their password again, but is there a
> way to get it to check for upper case, lower case, numbers, etc? We
> need to force our users to make complex passwords.

<http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&apropos=0&sektion=0&manpath=OpenLDAP+2.4-Release&format=html>

       pwdCheckModule

       This attribute names a user-defined loadable module that must
       instantiate the check_password() function. This function will be
       called to further check a new password if pwdCheckQuality is set to
       one (1) or two (2), after all of the built-in password compliance
       checks have been passed. This function will be called according to
       this function prototype:

           int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry);

       The pPasswd parameter contains the clear-text user password, the
       ppErrStr parameter contains a double pointer that allows the function
       to return human-readable details about any error it encounters. The
       optional pEntry parameter, if non-NULL, carries a pointer to the entry
       whose password is being checked. If ppErrStr is NULL, then funcName
       must NOT attempt to use it/them. A return value of LDAP_SUCCESS from
       the called function indicates that the password is ok, any other value
       indicates that the password is unacceptable. If the password is
       unacceptable, the server will return an error to the client, and
       ppErrStr may be used to return a human-readable textual explanation of
       the error. The error string must be dynamically allocated as it will
       be free()'d by slapd.

           (  1.3.6.1.4.1.4754.1.99.1
              NAME 'pwdCheckModule'
              EQUALITY caseExactIA5Match
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
              SINGLE-VALUE )

       Note: The user-defined loadable module named by pwdCheckModule must be
       in slapd's standard executable search PATH.

       Note: pwdCheckModule is a non-standard extension to the LDAP password
       policy proposal.


--Quanah



--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration

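The man page excerpt quoted above gives the check_password() prototype and the rules a module must follow (return LDAP_SUCCESS or another code, only touch ppErrStr when it is non-NULL, malloc the error string because slapd free()s it). What follows is an added example of such a module that enforces the "one upper case, one lower case, one numeral" rule asked about in the thread. It is illustrative code written for this page, not OpenLDAP's own code or anything shipped with ppolicy. Assumptions: a real module is compiled against slapd's headers, which supply the Entry type and the LDAP_* result codes; here Entry is an opaque placeholder and LDAP_SUCCESS / LDAP_CONSTRAINT_VIOLATION are defined locally so the file compiles stand-alone. The helper names password_meets_classes() and dup_error() are this example's own, not part of any slapd API.

```c
/* Added example (not OpenLDAP code): a pwdCheckModule-style check_password()
 * that requires at least one upper case letter, one lower case letter and
 * one digit. In a real build the Entry type and LDAP_* codes come from
 * slapd's headers; they are stubbed here so the file compiles on its own. */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#ifndef LDAP_SUCCESS
#define LDAP_SUCCESS 0x00               /* normally from <ldap.h> */
#endif
#ifndef LDAP_CONSTRAINT_VIOLATION
#define LDAP_CONSTRAINT_VIOLATION 0x13  /* normally from <ldap.h> */
#endif

typedef struct Entry Entry;   /* placeholder; slapd defines the real struct */

/* Return a malloc()'d copy of msg: the man page says slapd free()s the
 * string handed back through ppErrStr, so it must not be a static literal. */
static char *dup_error(const char *msg)
{
    size_t n = strlen(msg) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, msg, n);
    return p;
}

/* The character-class policy itself, kept separate from check_password()
 * so it can be tested without slapd. Returns 1 if pw satisfies the policy,
 * 0 otherwise; *why receives a static string naming the first failed rule. */
int password_meets_classes(const char *pw, const char **why)
{
    int upper = 0, lower = 0, digit = 0;
    const unsigned char *s;

    if (pw == NULL) {
        *why = "no password supplied";
        return 0;
    }
    for (s = (const unsigned char *)pw; *s != '\0'; s++) {
        if (isupper(*s))      upper = 1;
        else if (islower(*s)) lower = 1;
        else if (isdigit(*s)) digit = 1;
    }
    if (!upper) { *why = "password needs at least one upper case letter"; return 0; }
    if (!lower) { *why = "password needs at least one lower case letter"; return 0; }
    if (!digit) { *why = "password needs at least one digit"; return 0; }
    *why = NULL;
    return 1;
}

/* Entry point with the prototype from the man page. slapd calls this after
 * its built-in checks when pwdCheckQuality is 1 or 2. pEntry is not needed
 * for a pure character-class rule and is ignored. */
int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry)
{
    const char *why = NULL;
    (void)pEntry;

    if (password_meets_classes(pPasswd, &why))
        return LDAP_SUCCESS;

    /* Only use ppErrStr when the caller supplied one (man page rule). */
    if (ppErrStr != NULL)
        *ppErrStr = dup_error(why);
    return LDAP_CONSTRAINT_VIOLATION;
}
```

To use it you would build the file as a shared object against slapd's headers (for example `gcc -shared -fPIC` with the OpenLDAP source include path; the exact command depends on your build), place the resulting module in slapd's executable search PATH as the man page requires, and set `pwdCheckModule` to its file name and `pwdCheckQuality` to 1 or 2 in the policy entry. Note that a rejected password is reported to the client with whatever text the module returns, so keep the message specific enough to help the user but free of anything about the policy you would not want advertised.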