Metcalf, Roger wrote:
Hi John,
I didn't find a response to your query (pasted below). I'm about to try cooking up something similar. Did you ever get help or find the magic combination of ingredients to get pwdCheckModule working? If so, please share the recipe!
Yes, it depends on the modulepath. And yes, a module is a DLL or shared library, just like a backend module or overlay module, and building it with libtool is probably the smartest approach.
Unlike other modules, which are loaded once and then stay loaded, this module is loaded when referenced, then unloaded again after the call completes.
Thanks, Roger Metcalf
# # # # #
Hi all,
I don't know if this is the right list, but I'm hoping the author of the overlay or somebody equally knowledgeable is on this list and will be able to help me.
I'm attempting to use the password policy overlay with a custom password strength checker. The docs say the following on the subject:
"pwdCheckModule This attribute names a user-defined loadable module that must instantiate the check_password() function. This function will be called to further check a new password if pwdCheckQuality is set to one (1) or two (2), after all of the built-in password compliance checks have been passed. This function will be called according to this function prototype:
int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry);
...
Note: The user-defined loadable module named by pwdCheckModule must be in slapd's standard executable search PATH.
Note: pwdCheckModule is a non-standard extension to the LDAP password policy proposal
Now, I'm a little unclear on how exactly to compile such a module or where to place it so as to load it. "standard executable search PATH" seems to imply it should go where binaries go (for example /usr/local/bin), but I'm wondering if maybe it's the modulepath in the slapd.conf. I've tried both, so I'm assuming I'm not compiling it up correctly.
The following is my simple program using cracklib (untested, but I believe it should work). The file is called ldap_cracklib.c
#include <portable.h>
#include <slap.h>
#include <packer.h>      /* cracklib header declaring FascistCheck() */

int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry);

int check_password( char *pPasswd, char **ppErrStr, Entry *pEntry )
{
    char *ret;

    /* FascistCheck() returns NULL when the password passes, otherwise a
       message saying why it was rejected. The dictionary path is a C
       string, so it must be in double quotes, not single quotes. */
    ret = (char *) FascistCheck( pPasswd, "/usr/local/libdata/cracklib/pw_dict" );
    if (ret == NULL) {
        return 0;          /* password accepted */
    }
    *ppErrStr = ret;       /* hand the reason back to ppolicy */
    return 1;              /* password rejected */
}
I've compiled it to an object file with gcc -c (and a whole bunch of other arguments for includes, etc.) and also to a library using libtool (I took the makefile for smbk5pwd and modified it). I've then tried modifying the pwdCheckModule to ldap_cracklib.o and ldap_cracklib.so respectively (after copying the relevant files to both /usr/local/bin and our module path, /usr/local/libexec/openldap).
I'm using the following command to try and change my password:
ldappasswd -x -W -A -H ldaps://ldapservername.fully.qualified.domain -D "uid=allmanj,ou=people,dc=fully,dc=qualified,dc=domain"
It prompts me for my old password twice, once for my new and then says:
ldap_bind: Invalid credentials (49)
I can confirm that my (old) password is correct by using ldapwhoami.
So should I be making a library? Should I be making a basic compiled object? Should I be making something else? Please bear in mind that I'm an administrator, not a programmer, so I am a little ignorant.
I've tried boosting the ldap log level and looking for errors, but I don't see anything.
Any help would be greatly appreciated.
Thanks,
John
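A stand-alone sketch of such a module, added here as an example and not code from this thread or from OpenLDAP: it keeps the check_password() prototype quoted above, but compiles without the slapd headers (Entry is only forward-declared) and without cracklib, applying a few in-line strength rules instead. The rule set, the 8-character minimum, and the assumption that the reason string should be heap-allocated so the caller can free it are all assumptions of this example, not taken from the OpenLDAP documentation.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for slapd's Entry so this compiles on its own; a real module
 * includes <portable.h> and <slap.h> and gets the full type from there. */
typedef struct Entry Entry;

#define PW_MIN_LEN 8   /* assumed policy value for this example */

/* Hand back a heap copy so the caller owns the message.
 * Assumption: the caller releases the string it receives in *ppErrStr. */
static char *pw_errmsg(const char *msg)
{
    size_t n = strlen(msg) + 1;
    char *copy = malloc(n);
    if (copy != NULL)
        memcpy(copy, msg, n);
    return copy;
}

/* Same prototype as the pwdCheckModule hook quoted in the thread:
 * return 0 to accept, non-zero to reject with a reason in *ppErrStr. */
int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry)
{
    size_t len, i, run = 1, longest_run = 1;
    int lower = 0, upper = 0, digit = 0, other = 0;

    (void)pEntry;               /* entry attributes are not consulted here */
    *ppErrStr = NULL;

    if (pPasswd == NULL) {
        *ppErrStr = pw_errmsg("no password supplied");
        return 1;
    }

    len = strlen(pPasswd);
    if (len < PW_MIN_LEN) {
        *ppErrStr = pw_errmsg("password is shorter than 8 characters");
        return 1;
    }

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)pPasswd[i];
        if (islower(c))      lower = 1;
        else if (isupper(c)) upper = 1;
        else if (isdigit(c)) digit = 1;
        else                 other = 1;

        /* track the longest run of one repeated character */
        if (i > 0 && pPasswd[i] == pPasswd[i - 1]) {
            if (++run > longest_run)
                longest_run = run;
        } else {
            run = 1;
        }
    }

    if (lower + upper + digit + other < 3) {
        *ppErrStr = pw_errmsg("password needs at least three of: lower, upper, digit, other");
        return 1;
    }
    if (longest_run >= 4) {
        *ppErrStr = pw_errmsg("password repeats one character four or more times in a row");
        return 1;
    }
    return 0;
}

/* Stand-alone driver with constructed sample passwords: shows what the
 * overlay would get back for each one. */
int main(void)
{
    const char *samples[] = { "short", "password", "aaaa1Abc", "Tr0ub4dor&3" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *err = NULL;
        int rc = check_password((char *)samples[i], &err, NULL);
        printf("%-12s -> %s%s%s\n", samples[i], rc ? "rejected" : "accepted",
               err ? ": " : "", err ? err : "");
        free(err);
    }
    return 0;
}
```

To turn this into a real pwdCheckModule you would replace the forward declaration with the slapd includes, drop main(), and build it as a shared library with libtool into the directory named by modulepath, as the reply above describes; slapd then loads it by name each time the check runs and unloads it afterwards.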