Howard Chu wrote:
>
> Message: 5
> Date: Thu, 19 Jan 2006 14:25:16 -0700
> From: Richard Megginson <rmeggins(a)redhat.com>
>
> Jo De Troy wrote:
>> > Hello,
>> >
>> > I was wondering if anyone was looking into enforcement of strong
>> > passwords.
>> > I'm not a hardcore C programmer but I'm willing to help. But first
>> > I'll have to try getting the current version compiled.
>> > I'm certainly willing to do some testing.
>>
>
>
> Funny you should mention that. We're looking at that issue right
> now. What sort of things would you want to check for?
> min number of lower case
> min number of upper case
> min number of digits
> min number of alphanumerics
> min number of special chars
> no user data in password
> dictionary checking? If so, how? /usr/share/dict/words?
>
>
For OpenLDAP's password policy module we define an attribute in the
policy object that gives the pathname of a dynamically loaded module
that can perform further quality checks. We pass in the password that
is being set, an error string pointer, and the user's current entry
and get a yes/no result code back. I suggest a similar approach here;
it's too limiting to just hardcode one set of rules into the server.
(Heck, if we used SLAPI, we could write these modules interchangeably
between OpenLDAP and FDS.) Symas currently has a module that checks
against cracklib. You could bundle one or two standard modules and go
from there. Probably we should have extended our API to include a
pointer to the current policy object as well. The point is to make the
API simple enough and expressive enough that end-users can plug in
whatever constraints they want.

Yes. That's the intention - make password policy pluggable. It's going
to be a bit more work to add the entry points to the code. We should
support the attribute that you described.
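
An added sketch of the kind of pluggable quality check discussed in this thread; it is not code from OpenLDAP, FDS or either poster. It takes the password, an error string pointer and the user's entry and returns accept/reject, applying the rule list quoted above. The names `check_quality` and `user_entry` and the limits are hypothetical, and `user_entry` stands in for the server's real entry structure.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Hypothetical stand-in for the server's entry structure. */
typedef struct { const char *uid; } user_entry;

/* Constructed sample limits, one per rule listed in the thread. */
enum { MIN_LOWER = 1, MIN_UPPER = 1, MIN_DIGIT = 1, MIN_ALNUM = 6, MIN_SPECIAL = 1 };

/* Copy a message for the caller (who frees it) and signal rejection. */
static int reject(char **err, const char *msg)
{
    if (err && (*err = malloc(strlen(msg) + 1)) != NULL)
        strcpy(*err, msg);
    return 1;
}

/* Case-insensitive substring test; an empty needle never matches. */
static int contains_ci(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; n && *hay; hay++)
        if (strncasecmp(hay, needle, n) == 0)
            return 1;
    return 0;
}

/* Returns 0 to accept the password, non-zero to reject it. */
int check_quality(const char *pw, char **err, const user_entry *entry)
{
    int lower = 0, upper = 0, digit = 0, special = 0;
    if (err) *err = NULL;
    if (!pw) return reject(err, "no password supplied");
    for (const unsigned char *p = (const unsigned char *)pw; *p; p++) {
        if (islower(*p)) lower++;
        else if (isupper(*p)) upper++;
        else if (isdigit(*p)) digit++;
        else special++;                 /* anything that is not alphanumeric */
    }
    if (lower < MIN_LOWER) return reject(err, "too few lower-case letters");
    if (upper < MIN_UPPER) return reject(err, "too few upper-case letters");
    if (digit < MIN_DIGIT) return reject(err, "too few digits");
    if (lower + upper + digit < MIN_ALNUM) return reject(err, "too few alphanumerics");
    if (special < MIN_SPECIAL) return reject(err, "too few special characters");
    if (entry && entry->uid && contains_ci(pw, entry->uid))
        return reject(err, "password contains the user id");
    return 0;
}
```

In a real deployment the limits would be read from the policy object rather than compiled in, which is the extension to the interface suggested in the thread.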