OpenLDAP Password Policy Module: the password policy overlay in OpenLDAP (slapo-ppolicy) can call an external, dynamically loaded module to check a new password against additional complexity requirements. We modified this custom module in order to implement Active Directory compatibility.
This open source OpenLDAP ppolicy module is available on Bitbucket: https://bitbucket.org/januadev/ppm. You can test it, use it and even extend it to suit your needs.
For more information, read the description of the pwdCheckModule attribute in the slapo-ppolicy(5) man page:
pwdCheckModule
This attribute names a user-defined loadable module that must instantiate the check_password() function. This function will be called to further check a new password if pwdCheckQuality is set to one (1) or two (2), after all of the built-in password compliance checks have been passed. This function will be called according to this function prototype:

    int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry);

The pPasswd parameter contains the clear-text user password, the ppErrStr parameter contains a double pointer that allows the function to return human-readable details about any error it encounters. The optional pEntry parameter, if non-NULL, carries a pointer to the entry whose password is being checked. If ppErrStr is NULL, then funcName must NOT attempt to use it/them. A return value of LDAP_SUCCESS from the called function indicates that the password is ok, any other value indicates that the password is unacceptable. If the password is unacceptable, the server will return an error to the client, and ppErrStr may be used to return a human-readable textual explanation of the error. The error string must be dynamically allocated as it will be free()'d by slapd.

    ( 1.3.6.1.4.1.4754.1.99.1 NAME 'pwdCheckModule' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

Note: The user-defined loadable module named by pwdCheckModule must be in slapd's standard executable search PATH.
Note: pwdCheckModule is a non-standard extension to the LDAP password policy proposal.
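To make the contract above concrete, here is a minimal check_password() implementation written for this page as an added example; it is not the JANUA ppm module's code. It enforces a simplified Active Directory style rule (a minimum length and at least three of the four ASCII character classes: upper, lower, digit, other), which is an assumption about what "AD compatibility" should mean for the example, not a description of the ppm module. To stay self-contained it leaves Entry opaque and defines LDAP_SUCCESS and LDAP_OTHER only when the real <ldap.h> is not included; a real build would include OpenLDAP's headers and would use pEntry (for instance to reject passwords containing the uid), which is omitted here because it needs slapd's internal API.

```c
/*
 * Added example of a pwdCheckModule-compatible check_password().
 * Not the ppm module's code. Build for slapd with something like:
 *   gcc -shared -fPIC -o check_password.so check_password.c
 * then set in the policy entry:
 *   pwdCheckQuality: 2
 *   pwdCheckModule: /usr/lib/ldap/check_password.so
 */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Fallbacks so the file compiles without OpenLDAP headers (values match ldap.h). */
#ifndef LDAP_SUCCESS
#define LDAP_SUCCESS 0x00
#endif
#ifndef LDAP_OTHER
#define LDAP_OTHER 0x50
#endif

/* slapd passes its own Entry; this example never dereferences it (assumption). */
typedef struct Entry Entry;

/* Policy knobs chosen for the example; AD's default minimum length is 7, but
 * slapo-ppolicy's own pwdMinLength usually covers length before we are called. */
#define PPM_MIN_LENGTH  8
#define PPM_MIN_CLASSES 3

/* The man page says slapd free()s the error string, so it must be heap-allocated.
 * If ppErrStr is NULL we must not touch it at all. */
static void set_err(char **ppErrStr, const char *msg)
{
    if (ppErrStr == NULL)
        return;
    size_t n = strlen(msg) + 1;
    char *copy = malloc(n);
    if (copy != NULL)
        memcpy(copy, msg, n);
    *ppErrStr = copy;               /* may be NULL on allocation failure; slapd tolerates that */
}

/* Count which of the four ASCII classes (upper, lower, digit, other) appear.
 * Non-ASCII bytes (UTF-8) are counted as "other", a deliberate simplification. */
static int count_classes(const char *pw)
{
    int up = 0, lo = 0, di = 0, other = 0;
    for (; *pw != '\0'; pw++) {
        unsigned char c = (unsigned char)*pw;
        if (isupper(c))      up = 1;
        else if (islower(c)) lo = 1;
        else if (isdigit(c)) di = 1;
        else                 other = 1;
    }
    return up + lo + di + other;
}

/* Entry point slapd resolves by name from the loaded module. */
int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry)
{
    (void)pEntry;                   /* unused in this stand-alone example */

    if (pPasswd == NULL) {
        set_err(ppErrStr, "no clear-text password supplied");
        return LDAP_OTHER;
    }
    if (strlen(pPasswd) < PPM_MIN_LENGTH) {
        set_err(ppErrStr, "password is shorter than 8 characters");
        return LDAP_OTHER;
    }
    if (count_classes(pPasswd) < PPM_MIN_CLASSES) {
        set_err(ppErrStr, "password must contain at least 3 of: upper, lower, digit, other");
        return LDAP_OTHER;
    }
    return LDAP_SUCCESS;            /* any non-LDAP_SUCCESS value rejects the password */
}
```

Two practical caveats when deploying a module like this: the function only ever sees clear-text passwords, so set pwdCheckQuality to 2 (not 1) if you want slapd to reject passwords it cannot check, such as values a client sends pre-hashed; and because the string returned through ppErrStr is free()'d by slapd, returning a string literal or a static buffer will crash or corrupt the server.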
Daly
Specialised in IAM (security, access control, identity management) and Open Source integration, and founded in 2004 by IAM industry veteran, JANUA offers high value-added products and services to businesses and governments concerned with Identity Management and Open Source components.
JANUA provides better security, builds relationships, and enables new cloud, mobile, and IoT offerings from any device or connected thing.