On Thu, Mar 17, 2011 at 4:20 PM, Howard Chu <hyc(a)symas.com> wrote:
Yes, but we would not release this change until OpenLDAP 2.5.
Perfect, that will leave some time to define exactly how to change it
without breaking any existing implementation.
Maybe; please give more details on how you propose to specify the
I've filled an ITS with the pwdconstraint overlay which implements
such checks, it could be used as an example to enhance ppolicy.
Basically it relies on LDAP attributes associated with Posix-style
'pwdConstraintAlpha' is associated with the class [:alpha:],
'pwdConstraintDigit' is associated with the class [:digit:],
and so on for all needed character classes. Of course these attributes
would have to be adapted to fit in pwdPolicy.
Now there are two ways of specifying the checks:
- either the attributes contain a Boolean, in which case a value of
'TRUE' means the password MUST contain at least one character
belonging to the associated class, and a value of 'FALSE' forbid such
a character in the password.
- or the attributes contain an integer, in which case a value n > 0
means the password MUST contain at least n character(s) belonging to
the associated class, and a value n <= 0 forbid such a character in
Then another attribute is needed, 'pwdConstraintQuality'.
This attribute contains the minimal number of syntactic constraints a
password must respect in order to be accepted.
Finally the password is checked against all defined constraints:
- If the password contains a forbidden character, it is always rejected.
- If the password respects all (or at least n) constraints, it is accepted.
The second method is implemented in the overlay (using the regcomp
function), however the first method is probably the most common
use-case for everyone.