On Thu, Mar 17, 2011 at 4:20 PM, Howard Chu hyc@symas.com wrote:
> Yes, but we would not release this change until OpenLDAP 2.5.
Perfect, that will leave some time to define exactly how to change it without breaking any existing implementation.
> Maybe; please give more details on how you propose to specify the nature of each check.
I've filed an ITS with the pwdconstraint overlay, which implements such checks; it could be used as an example to enhance ppolicy.
Basically it relies on LDAP attributes associated with Posix-style character classes.
For example:
'pwdConstraintAlpha' is associated with the class [:alpha:], 'pwdConstraintDigit' is associated with the class [:digit:], and so on for all needed character classes. Of course these attributes would have to be adapted to fit in pwdPolicy.

Now there are two ways of specifying the checks:

- either the attributes contain a Boolean, in which case a value of 'TRUE' means the password MUST contain at least one character belonging to the associated class, and a value of 'FALSE' forbids such a character in the password;
- or the attributes contain an integer, in which case a value n > 0 means the password MUST contain at least n character(s) belonging to the associated class, and a value n <= 0 forbids such a character in the password.
Then another attribute is needed, 'pwdConstraintQuality'. This attribute contains the minimal number of syntactic constraints a password must respect in order to be accepted.
Finally the password is checked against all defined constraints:

- If the password contains a forbidden character, it is always rejected.
- If the password respects all (or at least n) constraints, it is accepted.

Note: The second method is implemented in the overlay (using the regcomp function); however, the first method is probably the most common use-case for everyone.
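The integer form of the check described above, written out as a stand-alone C example. This is an added illustration, not the pwdconstraint overlay's own code or the ppolicy overlay; the attribute names, the `pwd_constraint` struct, the `check_password` / `check_example` functions and the sample policy are all assumptions made for the example. Like the overlay, it relies on POSIX `regcomp` and the bracket character classes. A forbidden class (n <= 0) rejects the password as soon as one matching character is found; a required class (n > 0) counts as satisfied once at least n matching characters are present; the quality value is the minimal number of required classes that must be satisfied, with 0 meaning "all of them" and a value larger than the number of required classes failing closed.

```c
#include <regex.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One constraint: a POSIX character class and the count from the
 * (hypothetical) pwdConstraint* attribute.
 *   n > 0  : the password MUST contain at least n characters of the class
 *   n <= 0 : any character of the class is forbidden
 * The Boolean form of the proposal maps onto this as TRUE -> 1, FALSE -> 0. */
struct pwd_constraint {
    const char *attr;   /* assumed attribute name, e.g. "pwdConstraintAlpha" */
    const char *cls;    /* POSIX class name, e.g. "[:alpha:]" */
    int n;
};

/* Count the characters of pw that belong to cls, using regcomp/regexec
 * on the single-character expression "[<cls>]". Returns -1 on a bad class. */
static int count_class(const char *pw, const char *cls) {
    char pattern[64];
    regex_t re;
    regmatch_t m;
    int count = 0;

    snprintf(pattern, sizeof pattern, "[%s]", cls);
    if (regcomp(&re, pattern, REG_EXTENDED) != 0)
        return -1;
    /* each match is exactly one character; resume just past it */
    while (*pw && regexec(&re, pw, 1, &m, 0) == 0) {
        count++;
        pw += m.rm_eo;
    }
    regfree(&re);
    return count;
}

/* Returns 1 if pw is accepted, 0 if rejected.
 * quality is the minimal number of required constraints that must hold
 * (the proposed pwdConstraintQuality); quality <= 0 means all of them. */
int check_password(const char *pw, const struct pwd_constraint *cs,
                   size_t ncs, int quality) {
    int required = 0, satisfied = 0;

    for (size_t i = 0; i < ncs; i++) {
        int c = count_class(pw, cs[i].cls);
        if (c < 0)
            return 0;                /* unusable class: fail closed */
        if (cs[i].n <= 0) {
            if (c > 0)
                return 0;            /* forbidden character: always rejected */
        } else {
            required++;
            if (c >= cs[i].n)
                satisfied++;
        }
    }
    if (quality <= 0)
        quality = required;          /* "all constraints" */
    /* a quality above the number of required classes can never be met */
    return satisfied >= quality;
}

/* A constructed sample policy (assumed values, not from the overlay):
 * at least one letter, one digit and one punctuation character,
 * and no whitespace at all. */
int check_example(const char *pw, int quality) {
    static const struct pwd_constraint policy[] = {
        { "pwdConstraintAlpha", "[:alpha:]", 1 },
        { "pwdConstraintDigit", "[:digit:]", 1 },
        { "pwdConstraintPunct", "[:punct:]", 1 },
        { "pwdConstraintSpace", "[:space:]", 0 },
    };
    return check_password(pw, policy,
                          sizeof policy / sizeof policy[0], quality);
}

int main(void) {
    const char *samples[] = { "Passw0rd!", "Passw0rd", "Pass w0rd!", "passwd" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s quality=0: %s  quality=2: %s\n", samples[i],
               check_example(samples[i], 0) ? "accept" : "reject",
               check_example(samples[i], 2) ? "accept" : "reject");
    return 0;
}
```

The forbidden-class rule is evaluated before the quality threshold is applied, so a password containing whitespace is rejected even when it satisfies every required class, which is the ordering the message describes.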