We are using ppolicy to manage the password policy on our LDAP server. It at least checks the minimum length and the minimum amount of time needed before a person can change their password again, but is there a way to get it to check for upper case, lower case, numbers, etc? We need to force our users to make complex passwords.
Sara Kline
System Administrator
Transaction Network Services, Inc
4501 Intelco Loop, Lacey WA 98503
Wk: (360) 493-6736  Cell: (360) 280-2495
This e-mail message is for the sole use of the intended recipient(s) and may contain confidential and privileged information of Transaction Network Services. Any unauthorised review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
--On Tuesday, May 01, 2012 4:20 PM -0700 "Kline, Sara" SKline@tnsi.com wrote:
We are using ppolicy to manage the password policy on our LDAP server. It at least checks the minimum length and the minimum amount of time needed before a person can change their password again, but is there a way to get it to check for upper case, lower case, numbers, etc? We need to force our users to make complex passwords.
pwdCheckModule
    This attribute names a user-defined loadable module that must instantiate the check_password() function. This function will be called to further check a new password if pwdCheckQuality is set to one (1) or two (2), after all of the built-in password compliance checks have been passed. This function will be called according to this function prototype:

        int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry);

    The pPasswd parameter contains the clear-text user password, the ppErrStr parameter contains a double pointer that allows the function to return human-readable details about any error it encounters. The optional pEntry parameter, if non-NULL, carries a pointer to the entry whose password is being checked. If ppErrStr is NULL, then funcName must NOT attempt to use it/them. A return value of LDAP_SUCCESS from the called function indicates that the password is ok, any other value indicates that the password is unacceptable. If the password is unacceptable, the server will return an error to the client, and ppErrStr may be used to return a human-readable textual explanation of the error. The error string must be dynamically allocated as it will be free()'d by slapd.
( 1.3.6.1.4.1.4754.1.99.1 NAME 'pwdCheckModule' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Note: The user-defined loadable module named by pwdCheckModule must be in slapd's standard executable search PATH.
Note: pwdCheckModule is a non-standard extension to the LDAP password policy proposal.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
I saw this in the ppolicy pages but was unsure of how to use it. I understand that I can use pwdCheckModule and even how to turn it on, but I am uncertain as to how to actually tell it that we want to have, for example, one upper case, one lower case and one numeral. Has anybody done that?
Thanks, Sara Kline
-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@zimbra.com]
Sent: Tuesday, May 01, 2012 4:36 PM
To: Kline, Sara; openldap-technical@openldap.org
Subject: Re: Tightening up ppolicy
--On Tuesday, May 01, 2012 4:39 PM -0700 "Kline, Sara" SKline@tnsi.com wrote:
I saw this in the ppolicy pages but was unsure of how to use it? I understand that I can use pwdCheckModule and even how to turn it on, but I am uncertain as to how to actually tell it that we want to have for example, one upper case, one lower case and one numeral. Has anybody done that?
You write a checking module, and in that module, you do the strength tests that you require. As noted in the text from the man page.
--Quanah
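Quanah's advice above ("write a checking module, and in that module, you do the strength tests that you require") together with the quoted man page text is everything such a module needs. The following is an added example written for this thread, not the calivia or LTB module and not code from any poster: a check_password() that enforces the one upper-case, one lower-case, one digit rule Sara asked for and returns a heap-allocated error string the way slapd expects. The LDAP_* values and the opaque Entry typedef are stand-ins for slapd's own headers so it compiles on its own.

```c
/* Added example, not the calivia or LTB module: a minimal pwdCheckModule for
 * slapo-ppolicy(5). LDAP_* and Entry stand in for slapd's headers so this
 * compiles alone; a real module includes those headers and is built -shared -fPIC. */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define LDAP_SUCCESS 0x00  /* values as in <ldap.h>; any non-zero rc rejects */
#define LDAP_OTHER   0x50
typedef struct Entry Entry;  /* opaque stand-in for slapd's Entry */

/* slapd free()s the returned string, so it must be heap memory, and it must
 * not be touched at all when ppErrStr is NULL (see the man page text). */
static void set_err(char **ppErrStr, const char *msg)
{
    if (ppErrStr == NULL) return;
    *ppErrStr = malloc(strlen(msg) + 1);
    if (*ppErrStr != NULL) strcpy(*ppErrStr, msg);
}

/* The symbol slapd resolves in the module named by pwdCheckModule. It runs
 * only after the built-in checks, so minimum length is already enforced. */
int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry)
{
    int upper = 0, lower = 0, digit = 0;
    const unsigned char *p;
    (void)pEntry;  /* unused here; could be consulted to reject uid-based passwords */
    for (p = (const unsigned char *)pPasswd; *p != '\0'; p++) {
        if (isupper(*p)) upper = 1;
        else if (islower(*p)) lower = 1;
        else if (isdigit(*p)) digit = 1;
    }
    if (!upper || !lower || !digit) {
        set_err(ppErrStr, "Password needs at least one upper-case letter, "
                          "one lower-case letter and one digit");
        return LDAP_OTHER;
    }
    return LDAP_SUCCESS;
}

/* Harness helper, not part of the module: call the check the way slapd does,
 * release the error string and return the verdict. */
static int verdict(const char *candidate)
{
    char *err = NULL;
    int rc = check_password((char *)candidate, &err, NULL); /* not modified */
    free(err);  /* free(NULL) is a no-op when the password was accepted */
    return rc;
}
```

Built as a shared object, placed in slapd's search PATH as the man page note says, and named in the policy entry's pwdCheckModule attribute with pwdCheckQuality set to 1 or 2, it is called for every new password that has already passed the built-in checks.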
I am not a programmer. I am just starting to learn Perl, but am not much beyond Hello World. Does anyone have an example that I could work from? I have some very rudimentary programming skills in a few languages but I have not found any examples online thus far that look like what I need.
Thanks, Sara Kline
-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@zimbra.com]
Sent: Tuesday, May 01, 2012 4:42 PM
To: Kline, Sara; openldap-technical@openldap.org
Subject: RE: Tightening up ppolicy
On Tue, 1 May 2012, Kline, Sara wrote:
I am not a programmer. I am just starting to learn Perl, but am not much beyond Hello World. Does anyone have an example that I could work from? I have some very rudimentary programming skills in a few languages but I have not found any examples online thus far that look like what I need.
This project is licensed under the OpenLDAP Public License (so it's hopefully compatible with your organization's philosophy if you're already using slapd) and might be a starting point:
http://open.calivia.com/projects/openldap
blog entry with config file details:
http://www.calivia.com/blog/mike/openldap-check_password-password-policy-mod...
Another example is found in OpenLDAP ITS #6884.
I've used neither of these options and cannot vouch for (nor against) them in any way.
2012/5/2 Aaron Richton richton@nbcs.rutgers.edu:
You can also use the password checker module from LTB project: http://ltb-project.org/wiki/documentation/openldap-ppolicy-check-password
It is based on the calivia module.
Clément.
I found this: http://open.calivia.com/projects/openldap/browser/check_password/check_passw...
Has anyone used this gentleman's template? I think it should work with a little tweaking. It looks like the whole module; he said that it can enforce upper and lower case and numerals. Hopefully this is good, and it helps others in the future as well.
Thanks, Sara Kline