forked from jpmens/ppolicy-check-password
check_password.c - OpenLDAP pwdChecker library
2007-06-06 Michael Steinmann <[email protected]>
2008-01-30 Pierre-Yves Bonnetain <[email protected]>
2009 Clement Oudot <[email protected]> - LTB-project
2009 Jerome HUET - LTB-project
2011 Trevor Vaughan <[email protected]> - Onyx Point, Inc.
check_password.c is an OpenLDAP pwdPolicyChecker module used to check the
strength and quality of user-provided passwords.
This module is used as an extension of the OpenLDAP password policy controls,
see slapo-ppolicy(5) section pwdCheckModule.
check_password.c will run a number of checks on the passwords to ensure minimum
strength and quality requirements are met. Passwords that do not meet these
requirements are rejected.
This was originally packaged as
ltb-project-openldap-ppolicy-check-password-1.1. However, Onyx Point made a
great number of changes and improvements and has re-labeled it
ppolicy-check-password. All original license restrictions and user
privileges apply.
The original code can be downloaded from https://ltb-project.org/wiki/download.
Password checks
---------------
- passwords shorter than 6 characters are rejected if cracklib is used (because
cracklib WILL reject them).
- syntactic checks control how many different character classes are used
(lower, upper, digit and punctuation characters). The minimum number of
classes is defined in a configuration file, and a minimum count can also be
set for each class.
- passwords are checked against cracklib if cracklib is enabled at compile
time. It can be disabled in configuration file.
- password checking can optionally be set to ensure that no more than a given
number of characters from a character set can be used in a row.
INSTALLATION
------------
Use the provided Makefile to build the module.
Compilation constants:
CONFIG_FILE : Path to the configuration file.
Defaults to /etc/openldap/check_password.conf
DEBUG : If defined, check_password will syslog() its actions.
LDEBUG : If defined, check_password will print its actions to the console.
Build dependencies:
cracklib header files (link with -lcrack). The Makefile does not look for
cracklib; you may need to provide the paths manually.
Install into the slapd server module path. Change the installation
path to match with the OpenLDAP module path in the Makefile.
The module search path is set with the slapd.conf parameter "modulepath".
On Red Hat systems, you will need to download the openldap source RPM that you want to build against and perform the following steps:
- rpm -i <openldap source RPM>
- rpmbuild -bc <rpm_build_dir>/SPECS/openldap.spec
- cd <openldap-password-module_dir>
- mkdir openldap-<version>
- cd openldap-<version>
- src_dir="<rpm_build_dir>/BUILD/openldap-<version>/openldap-<version>/"
- cp -r $src_dir/build-servers $src_dir/include \
$src_dir/libraries $src_dir/servers .
Then, the Makefile should work properly.
TESTING
-------
An application is provided to build tests for check_password.c. The Makefile
will produce 'cpass' which will run the tests defined in check_password_test.c.
It is highly suggested that you use this if you are going to modify
check_password.c.
You'll need to run cpass with: LD_LIBRARY_PATH=. ./cpass
USAGE
-----
To use this module you need to add objectClass pwdPolicyChecker with an
attribute 'pwdCheckModule: check_password.so' to a password policy entry.
The module depends on a working cracklib installation including wordlist files.
If the wordlist files are not readable, the cracklib check will be skipped
silently.
Note: pwdPolicyChecker modules are loaded on *every* password change operation.
Configuration
-------------
The configuration file (/etc/openldap/check_password.conf by default) contains
parameters for the module. If the file is not found, parameters are given their
default value.
The syntax of the file is:
parameter value
with spaces being delimiters. Parameter names ARE case sensitive (this may
change in the future).
Current parameters:
- use_cracklib: integer. Default value: 1. Set it to 0 to disable cracklib verification.
It has no effect if cracklib is not included at compile time.
- min_points: integer. Default value: 3. Minimum number of quality points a new
password must have to be accepted. One quality point is awarded for each character
class used in the password.
- min_upper: integer. Default value: 0. Minimum number of upper-case characters required.
- min_lower: integer. Default value: 0. Minimum number of lower-case characters required.
- min_digit: integer. Default value: 0. Minimum number of digit characters required.
- min_punct: integer. Default value: 0. Minimum number of punctuation characters required.
- max_consecutive_per_class: integer. Default value: 5. Maximum number of
characters that can appear consecutively from a given character class. 0
disables.
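The following is an added example, not code from check_password.c or the LTB/Onyx Point project. It models the syntactic rules listed under "Password checks" (one quality point per character class, the per-class minimums, and max_consecutive_per_class) together with a parser for the "parameter value" configuration format described above, so a policy can be tried on sample passwords before it is deployed in slapd. The cracklib check is deliberately not modelled, so the 6-character minimum cracklib imposes is not enforced here; the function names, the struct, and the sample config and passwords are all constructed for this example.

```c
/* Added example, not the module's code: a model of the syntactic rules the
 * README describes (min_points, min_* per class, max_consecutive_per_class)
 * plus a parser for its "parameter value" config format. Cracklib is not modelled. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct policy {
    int min_points;                                  /* classes required; default 3 */
    int min_upper, min_lower, min_digit, min_punct;  /* per-class minimum; default 0 */
    int max_consecutive_per_class;                   /* default 5; 0 disables */
};
static const struct policy default_policy = { 3, 0, 0, 0, 0, 5 };   /* README defaults */

enum { CLS_NONE = -1, CLS_LOWER = 0, CLS_UPPER, CLS_DIGIT, CLS_PUNCT, CLS_COUNT };

static int classify(unsigned char c)
{
    if (islower(c)) return CLS_LOWER;
    if (isupper(c)) return CLS_UPPER;
    if (isdigit(c)) return CLS_DIGIT;
    if (ispunct(c)) return CLS_PUNCT;
    return CLS_NONE;   /* space, control or non-ASCII byte: counts for nothing */
}

/* Names are case-sensitive; an unknown or mistyped name is silently ignored. */
static void apply_setting(struct policy *p, const char *name, int value)
{
    if      (!strcmp(name, "min_points")) p->min_points = value;
    else if (!strcmp(name, "min_upper"))  p->min_upper  = value;
    else if (!strcmp(name, "min_lower"))  p->min_lower  = value;
    else if (!strcmp(name, "min_digit"))  p->min_digit  = value;
    else if (!strcmp(name, "min_punct"))  p->min_punct  = value;
    else if (!strcmp(name, "max_consecutive_per_class")) p->max_consecutive_per_class = value;
}

/* Parse config text, one "parameter value" line per setting, on top of the defaults. */
struct policy parse_config(const char *text)
{
    struct policy p = default_policy;
    for (const char *line = text; line && *line; ) {
        const char *nl = strchr(line, '\n');
        int len = nl ? (int)(nl - line) : (int)strlen(line);
        char buf[128], name[64]; int value;
        snprintf(buf, sizeof buf, "%.*s", len, line);   /* copy one line, truncating safely */
        if (buf[0] != '#' && sscanf(buf, "%63s %d", name, &value) == 2)
            apply_setting(&p, name, value);
        line = nl ? nl + 1 : NULL;
    }
    return p;
}

/* 1 if pw satisfies the policy, else 0 with a log-style reason in reason[]. */
int check_quality(const char *pw, const struct policy *p, char *reason, size_t rlen)
{
    int counts[CLS_COUNT] = {0}, points = 0, prev = CLS_NONE, run = 0;
    for (const unsigned char *s = (const unsigned char *)pw; *s; s++) {
        int c = classify(*s);
        if (c == CLS_NONE) { prev = c; run = 0; continue; }
        counts[c]++;
        run = (c == prev) ? run + 1 : 1;   /* length of the current same-class run */
        prev = c;
        if (p->max_consecutive_per_class > 0 && run > p->max_consecutive_per_class) {
            snprintf(reason, rlen, "more than %d consecutive characters of one class",
                     p->max_consecutive_per_class);
            return 0;
        }
    }
    for (int i = 0; i < CLS_COUNT; i++) points += counts[i] > 0;   /* one point per class used */
    if (counts[CLS_UPPER] < p->min_upper || counts[CLS_LOWER] < p->min_lower ||
        counts[CLS_DIGIT] < p->min_digit || counts[CLS_PUNCT] < p->min_punct) {
        snprintf(reason, rlen, "per-class minimum not met");
        return 0;
    }
    if (points < p->min_points) {
        snprintf(reason, rlen, "does not pass required number of strength checks (%d of %d)",
                 points, p->min_points);
        return 0;
    }
    snprintf(reason, rlen, "ok");
    return 1;
}

/* Evaluate pw under a config text: handy for trying a policy before deploying it. */
int check_with_config(const char *config_text, const char *pw)
{
    struct policy p = parse_config(config_text);
    char reason[128];
    return check_quality(pw, &p, reason, sizeof reason);
}

int main(void)
{
    /* Constructed sample config and passwords, not from the module's test suite. */
    struct policy p = parse_config("min_points 3\nmin_digit 1\nmax_consecutive_per_class 4\n");
    const char *samples[] = { "password", "Passw0rd!", "Password1", "PaSsw0rd" };
    char reason[128];
    for (size_t i = 0; i < 4; i++) {
        const char *r = check_quality(samples[i], &p, reason, sizeof reason) ? "accepted" : "rejected";
        printf("%-10s %s: %s\n", samples[i], r, reason);
    }
    return 0;
}
```

Two behaviours worth noticing when reading the output: a mistyped parameter name (for example an upper-case one) is ignored rather than reported, so the default stays in force, and max_consecutive_per_class rejects a password before the class count is even examined, which is why a long all-lower-case run fails under the default policy regardless of the other classes present.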
Logs
----
If a user password is rejected by an OpenLDAP pwdChecker module, the user will
*not* get a detailed error message; this is by design.
Typical user message from ldappasswd(5):
Result: Constraint violation (19)
Additional info: Password fails quality checking policy
A more detailed message is written to the server log.
Server log:
check_password_quality: module error: (check_password.so)
Password for dn=".." does not pass required number of strength checks (2 of 3)
Caveats
-------
Runtime errors with this module (such as cracklib configuration problems) may
bring down the slapd process.
Use at your own risk.
TODO
----
* use proper malloc function, see ITS#4998
* get rid of GOTO's
HISTORY
-------
* 2011-01-28 - Trevor Vaughan <[email protected]> - Onyx Point, Inc.
Version 1.2
- Ensure that the configuration file is only read once per run.
- Add max_consecutive_per_class.
- Add LDEBUG flag for local debugging.
- Add test code and update Makefile
* 2009-10-30 Clement OUDOT - LTB-project
Version 1.1
- Apply patch from Jerome HUET for minUpper/minLower/minDigit/minPunct
* 2009-02-05 Clement Oudot <[email protected]> - LINAGORA Group
Version 1.0.3
- Add useCracklib parameter in config file (with help of Pascal Pejac)
- Prefix log messages with "check_password: "
- Log what character type is found for quality checking
* 2008-01-31 Pierre-Yves Bonnetain <[email protected]>
Version 1.0.2
- Several bug fixes.
- Add external config file
* 2007-06-06 Michael Steinmann <[email protected]>
Version 1.0.1
- add dn to error messages
* 2007-06-02 Michael Steinmann <[email protected]>
Version 1.0