Linux repositories inspector

ppolicy-check-password(5)

OpenLDAP password quality check
2016/02/18

openldap2-ppolicy-check-password

Password quality check module for OpenLDAP

NAME

ppolicy-check-password - Password quality checker for OpenLDAP ppolicy overlay

SYNOPSIS

pwdCheckModule ppolicy-check-password.so

DESCRIPTION

ppolicy-check-password is an implementation of password quality check module, it can be plugged into OpenLDAP slapo-ppolicy(5) overlay to enforce organisational password strength policies for password-change operations.

PREREQUISITES

In order to use the module, you should enable and configure slapo-ppolicy(5) overlay on the OpenLDAP server. You may use the following example to enable ppolicy overlay:
Enable ppolicy overlay
To enable ppolicy overlay on the server using static configuration file slapd.conf(5) , first enable ppolicy schema by adding line:
include /etc/openldap/schema/ppolicy.schema
and then append the following lines to the database definition in which password policy should be enforced:
overlay ppolicy
ppolicy_default "cn=PolicyContainer,dc=my-domain,dc=com"
Save slapd.conf and (re)start OpenLDAP server.
If you use cn=config (online configuration) instead of static configuration file, add the schema /etc/openldap/schema/ppolicy.ldif to cn=schema,cn=config, then enable ppolicy overlay in olcDatabase.
Create ppolicy container entry
The ppolicy container entry stores attributes that describe the password policy in detail, create the entry with
dn: cn=PolicyContainer,dc=my-domain,dc=com
cn: PolicyContainer
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 600
pwdFailureCountInterval:
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 0
pwdMaxFailure:
pwdMinAge: 0
pwdMinLength: 5
pwdMustChange: FALSE
pwdSafeModify: FALSE
sn: dummy value
The password policy becomes effective immediately, there is no need to restart OpenLDAP server.
Enable ppolicy-check-password.so module
Modify the ppolicy container entry with ldapmodify(1) :
dn: cn=PolicyContainer,dc=my-domain,dc=com
changeType: modify
add: objectClass
objectClass: pwdPolicyChecker
-
add: pwdCheckModule
pwdCheckModule: ppolicy-check-password.so
The password check module becomes effective immediately, there is no need to restart OpenLDAP server.

CONFIGURATION

The password check module reads configuration parameters from /etc/openldap/check_password.conf
Edits made to the configuration file become effective immediately, there is no need to restart OpenLDAP server.
List of parameters:
use_cracklib 1|0
CrackLib is a library for checking that a password is not easily crackable, making sure that the password is not based on simple patterns or dictionary words. If the parameter is set to 1, cracklib will be involved and new passwords must pass cracklib quality check in addition to all other policies such as min_points
min_points <integer>
The parameter holds an integer value in between 0 and 4. The value denotes "quality points" that a password must acquire in order to pass the check. Usage of each character class awards one quality point. If the parameeter is set to 0, the check is disabled.
The character classes are: upper case letters, lower case letters, numeric digits, punctuations.
min_upper <integer>
The minimal number of upper case characters a password must contain. If the parameter is set to 0, the check is disabled.
min_lower <integer>
The minimal number of lower case characters a password must contain. If the parameter is set to 0, the check is disabled.
min_digit <integer>
The minimal number of numeric digit characters a password must contain. If the parameter is set to 0, the check is disabled.
min_punct <integer>
The minimal number of punctuation characters a password must contain. If the parameter is set to 0, the check is disabled.
max_consecutive_per_class <integer>
The maximum number of characters from each character class that may appear consecutively. If the parameter is set to 0, the check is disabled.

USAGE

After the module is enabled, the OpenLDAP server will invoke the password checker module on every user password change, the new user password must pass all quality checks before it is accepted. If the new password does not pass quality checks, the detailed reason will be logged on the OpenLDAP server, and the client will receive a Constraint Violation and a generic error message "Password fails quality checking policy" - the lack of details is by design.
If the password change is carried out by RootDN, password checker module will not enforce the quality checks, and any password is acceptable.

FILES

/etc/openldap/check_password.conf
Define the password strength policy.

ACKNOWLEDGEMENTS

The module was originally authored by LTB-project (ltb-project.org), and further maintained by Onyx Point (onyxpoint.com).
⇧ Top