OpenLDAP Password Policy Module: the password policy overlay in OpenLDAP (slapo-ppolicy) can call an external, user-supplied module to check a new password against complexity requirements. We modified an existing module of this kind to enforce Active Directory-compatible password complexity rules.

This open-source OpenLDAP ppolicy module is available on GitHub: you can test it, use it and extend it to suit your needs.

For more information, see the description of the pwdCheckModule attribute in the slapo-ppolicy(5) man page:


    This attribute names a user-defined loadable module that must instantiate the check_password() function. This function will be called to further check a new password if pwdCheckQuality is set to one (1) or two (2), after all of the built-in password compliance checks have been passed. This function will be called according to this function prototype:

    int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry);

    The pPasswd parameter contains the clear-text user password, the ppErrStr parameter contains a double pointer that allows the function to return human-readable details about any error it encounters. The optional pEntry parameter, if non-NULL, carries a pointer to the entry whose password is being checked. If ppErrStr is NULL, then funcName must NOT attempt to use it/them. A return value of LDAP_SUCCESS from the called function indicates that the password is ok, any other value indicates that the password is unacceptable. If the password is unacceptable, the server will return an error to the client, and ppErrStr may be used to return a human-readable textual explanation of the error. The error string must be dynamically allocated as it will be free()'d by slapd.

    ( NAME 'pwdCheckModule' EQUALITY caseExactIA5Match SYNTAX SINGLE-VALUE )

    Note: The user-defined loadable module named by pwdCheckModule must be in slapd's standard executable search PATH.

    Note: pwdCheckModule is a non-standard extension to the LDAP password policy proposal.
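The following is an added example written for this page, not the janua module's code and not part of OpenLDAP: a minimal pwdCheckModule that honours the contract quoted above (return LDAP_SUCCESS to accept, any other value to reject; write a malloc'd message only when ppErrStr is non-NULL, since slapd free()s it; tolerate a NULL pEntry) and applies Active Directory's complexity rules in simplified form: a minimum length (8 here, a site-policy assumption), at least three of upper case, lower case, digits and other characters, and no case-insensitive occurrence of the account name when that name is at least three characters long. The account name is taken from the first RDN of the entry's normalized DN, which is an assumption for illustration; a production module would read uid or sAMAccountName through slapd's attribute API. The `SLAPD_BUILD` macro, the build commands in the header comment and the stand-in definitions of `Entry`, `berval`, `LDAP_SUCCESS` and `LDAP_OTHER` used when the macro is absent are assumptions made so that the rules can be compiled and unit-tested without the slapd headers.

```c
/* ad_pwcheck.c: pwdCheckModule applying Active Directory style complexity rules.
 * Added example for this page, neither the janua module nor OpenLDAP code.
 * Module build (assumption: OpenLDAP source tree at hand):
 *   cc -shared -fPIC -DSLAPD_BUILD -I<ldap>/include -I<ldap>/servers/slapd ad_pwcheck.c -o ad_pwcheck.so
 * Without -DSLAPD_BUILD a minimal stand-in for slapd's types lets the rules be unit-tested. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#ifdef SLAPD_BUILD
#include "portable.h"
#include "slap.h"
#else /* stand-in for what this module uses (assumption: the real ones are in slap.h / ldap.h) */
struct berval { unsigned long bv_len; char *bv_val; };
typedef struct Entry { struct berval e_name; struct berval e_nname; } Entry;
#define LDAP_SUCCESS 0x00
#define LDAP_OTHER   0x50
#endif

#define MIN_LENGTH  8   /* assumption: site policy; AD's domain default is 7 */
#define MIN_CLASSES 3   /* AD complexity rule: at least 3 character classes */
#define MIN_NAME    3   /* AD skips the account-name check for names under 3 chars */

/* Case-insensitive substring test (strcasestr is not portable). */
static int contains_nocase(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++)
        if (strncasecmp(hay, needle, n) == 0) return 1;
    return 0;
}

/* How many of upper/lower/digit/other pw uses. Simplification: AD counts
 * non-ASCII letters as a fifth class; here any non-ASCII byte is "other". */
static int class_count(const char *pw)
{
    int up = 0, lo = 0, di = 0, ot = 0;
    for (; *pw; pw++) {
        unsigned char c = (unsigned char)*pw;
        if (isupper(c)) up = 1; else if (islower(c)) lo = 1;
        else if (isdigit(c)) di = 1; else ot = 1;
    }
    return up + lo + di + ot;
}

/* First RDN value of the normalized DN ("jdoe" from "uid=jdoe,ou=..."), malloc'd,
 * or NULL. Assumption: the RDN is the login name; a production module would read
 * uid / sAMAccountName through slapd's attribute API instead. */
static char *rdn_value(const Entry *e)
{
    const char *eq, *end;
    char *out;
    size_t len;
    if (e == NULL || e->e_nname.bv_val == NULL) return NULL;
    if ((eq = strchr(e->e_nname.bv_val, '=')) == NULL) return NULL;
    end = strchr(++eq, ',');
    len = end ? (size_t)(end - eq) : strlen(eq);
    if ((out = malloc(len + 1)) == NULL) return NULL;
    memcpy(out, eq, len);
    out[len] = '\0';
    return out;
}

/* Entry point named by pwdCheckModule, per slapo-ppolicy(5): LDAP_SUCCESS accepts;
 * any other value rejects, and the message (written only if ppErrStr is non-NULL)
 * must be malloc'd because slapd free()s it. pPasswd is the clear-text password:
 * never log it or keep a copy of it. */
int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry)
{
    const char *msg = NULL;
    char *name = rdn_value(pEntry);   /* NULL when pEntry is NULL or has no DN */

    if (pPasswd == NULL || strlen(pPasswd) < MIN_LENGTH)
        msg = "Password is shorter than the minimum length";
    else if (class_count(pPasswd) < MIN_CLASSES)
        msg = "Password must use at least three of: upper case, lower case, digits, symbols";
    else if (name && strlen(name) >= MIN_NAME && contains_nocase(pPasswd, name))
        msg = "Password must not contain the account name";   /* AD: case-insensitive */
    free(name);

    if (msg == NULL) return LDAP_SUCCESS;
    if (ppErrStr != NULL) *ppErrStr = strdup(msg);
    return LDAP_OTHER;
}

#ifndef SLAPD_BUILD
/* Test helpers: check_with_dn runs the check against a constructed Entry whose normalized
 * DN is dn (NULL for no entry); rejected_with tells whether pw is rejected with a message
 * containing needle, freeing the message exactly as slapd would. */
static int check_with_dn(const char *pw, const char *dn, char **err)
{
    Entry e;
    memset(&e, 0, sizeof e);
    if (dn) { e.e_nname.bv_val = (char *)dn; e.e_nname.bv_len = strlen(dn); }
    return check_password((char *)pw, err, dn ? &e : NULL);
}
static int rejected_with(const char *pw, const char *dn, const char *needle)
{
    char *err = NULL;
    int hit = check_with_dn(pw, dn, &err) != LDAP_SUCCESS && err && strstr(err, needle);
    free(err);
    return hit;
}
#endif
```

Two practical points when deploying a module like this: the module is only consulted when pwdCheckQuality is 1 or 2, and the two differ in how a password the server cannot inspect (one sent already hashed) is treated: with 1 it is accepted unchecked, with 2 it is rejected, so 2 is the setting that actually guarantees every stored password went through the check. And because the module receives the clear-text password, it must never write it to a log or an error message; the strings returned above deliberately describe the rule, not the value.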