OpenLDAP Password Policy Module: the password policy overlay in OpenLDAP provides the option for calling an external module to check the passwords complexity requirements. We modified this custom module in order to implement Active Directory compatibility.
This open source OpenLDAP ppolicy module is available on GitHub : https://bitbucket.org/januadev/ppm. You can test it, use it and even upgrade it to suit your needs.
For more information, you can read about the pwdCheckModule attribute in slapo-ppolicy(5) – Linux man page :
This attribute names a user-defined loadable module that must instantiate the check_password() function. This function will be called to further check a new password if <b>pwdCheckQuality</b> is set to one (1) or two (2), after all of the built-in password compliance checks have been passed. This function will be called according to this function prototype:
int <i>check_password</i> (char *pPasswd, char **ppErrStr, Entry *pEntry);
The <b>pPasswd</b> parameter contains the clear-text user password, the <b>ppErrStr</b> parameter contains a double pointer that allows the function to return human-readable details about any error it encounters. The optional <b>pEntry</b> parameter, if non-NULL, carries a pointer to the entry whose password is being checked. If <b>ppErrStr</b> is NULL, then <i>funcName</i> must NOT attempt to use it/them. A return value of LDAP_SUCCESS from the called function indicates that the password is ok, any other value indicates that the password is unacceptable. If the password is unacceptable, the server will return an error to the client, and <b>ppErrStr</b> may be used to return a human-readable textual explanation of the error. The error string must be dynamically allocated as it will be free()'d by slapd.
( 220.127.116.11.4.1.4718.104.22.168 NAME 'pwdCheckModule' EQUALITY caseExactIA5Match SYNTAX 22.214.171.124.4.1.14126.96.36.199.26 SINGLE-VALUE )
Note: The user-defined loadable module named by <b>pwdCheckModule</b> must be in <b>slapd's</b> standard executable search PATH.
Note: <b>pwdCheckModule</b> is a non-standard extension to the LDAP password policy proposal.