OpenLDAP check_password pwdChecker module

check_password.c is an OpenLDAP pwdPolicyChecker module used to check the strength and quality of user-provided passwords.

This module is used as an extension of the OpenLDAP password policy controls; see the pwdCheckModule section of slapo-ppolicy(5).

check_password.c will run a number of checks on the passwords to ensure minimum strength and quality requirements are met. Passwords that do not meet these requirements are rejected.

Password checks

  • passwords shorter than 6 characters are rejected
  • passwords must contain characters from at least three of the four classes: lower, upper, digit and punctuation
  • passwords are checked against cracklib if cracklib is enabled at compile time
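
The length and character-class rules above, as an added stand-alone example for predicting which passwords will be rejected. This is not the source of check_password.c: the function names, return codes and the use of ctype classification in the C locale are assumptions, and the cracklib check is not reproduced.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MIN_LENGTH  6   /* README: passwords shorter than 6 are rejected */
#define MIN_CLASSES 3   /* README: at least three out of four classes */

/* Count how many of lower, upper, digit and punctuation occur in pw.
 * Assumption: classes are decided by <ctype.h>, so a space counts
 * toward none of them. */
static int count_classes(const char *pw)
{
    int lower = 0, upper = 0, digit = 0, punct = 0;
    for (const unsigned char *p = (const unsigned char *)pw; *p; p++) {
        if (islower(*p))      lower = 1;
        else if (isupper(*p)) upper = 1;
        else if (isdigit(*p)) digit = 1;
        else if (ispunct(*p)) punct = 1;
    }
    return lower + upper + digit + punct;
}

/* Hypothetical return codes: 0 accepted, 1 too short, 2 too few classes. */
static int check_documented_rules(const char *pw)
{
    if (strlen(pw) < MIN_LENGTH)
        return 1;
    if (count_classes(pw) < MIN_CLASSES)
        return 2;
    return 0;
}

int main(void)
{
    /* Constructed sample passwords, not taken from the README. */
    const char *samples[] = { "Ab1!", "password1", "Passw0rd", "correct horse" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-15s classes=%d result=%d\n", samples[i],
               count_classes(samples[i]), check_documented_rules(samples[i]));
    return 0;
}
```

"Passw0rd" satisfies both rules, which is the kind of password a dictionary check is for; a long lowercase passphrase fails the class rule regardless of its length.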

INSTALLATION

Use the provided Makefile to build the module.

Copy the resulting check_password.so into the OpenLDAP modulepath.

Alternatively, change the installation path in the Makefile to match the OpenLDAP module path and use 'make install'.

Build dependencies

cracklib header files (link with -lcrack). The Makefile does not look for cracklib; you may need to provide the paths manually.

USAGE

Add objectClass pwdPolicyChecker with an attribute pwdCheckModule: check_password.so to a password policy entry.

The module depends on a working cracklib installation including wordlist files. If the wordlist files are not readable, the cracklib check will be skipped silently.

Note: pwdPolicyChecker modules are loaded on every password change operation.

Logs

If a user password is rejected by an OpenLDAP pwdChecker module, the user will not get a detailed error message. This is by design.

Typical user message from ldappasswd(5):

  Result: Constraint violation (19)
  Additional info: Password fails quality checking policy

A more detailed message is written to the server log.

Server log

  check_password_quality: module error: (check_password.so)
  Password does not pass required number of strength checks (2 of 3).[1]

Caveats

Runtime errors with this module (such as cracklib configuration problems) may bring down the slapd process.

Use at your own risk.