Message: 5
Date: Thu, 19 Jan 2006 14:25:16 -0700
From: Richard Megginson <rmeggins(a)redhat.com>

Jo De Troy wrote:
> Hello,
> > I was wondering if anyone was looking into enforcement of strong
> > passwords.
> > I'm not a hardcore C programmer but I'm willing to help. But first
> > I'll have to try in getting the current version compiled.
> > I'm certainly willing to do some testing.
Funny you should mention that. We're looking at that issue right now.
What sort of things would you want to check for?
min number of lower case
min number of upper case
min number of digits
min number of alphanumerics
min number of special chars
no user data in password
dictionary checking? If so, how? /usr/share/dict/words?
For OpenLDAP's password policy module we define an attribute in the
policy object that gives the pathname of a dynamically loaded module
that can perform further quality checks. We pass in the password that is
being set, an error string pointer, and the user's current entry and get
a yes/no result code back. I suggest a similar approach here; it's too
limiting to just hardcode one set of rules into the server. (Heck, if we
used SLAPI, we could write these modules interchangeably between
OpenLDAP and FDS.) Symas currently has a module that checks against
cracklib. You could bundle one or two standard modules and go from
there. Probably we should have extended our API to include a pointer to
the current policy object as well. The point is to make the API simple
enough and expressive enough that end-users can plug in whatever
constraints they want.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
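The checks listed in the thread (per-class minimums, no user data, a dictionary lookup) and the pluggable yes/no-plus-error-string contract Howard describes, as an added Python example. This is not FDS, OpenLDAP or Symas code; the policy attribute names, the check function signature, the sample user entry and the tiny word list standing in for /usr/share/dict/words are all constructed for the example.

```python
"""Pluggable password-quality checks in the style discussed on the list.
Added example, not server code; policy fields and entry layout are assumed."""
import re
from dataclasses import dataclass, field
from typing import Callable, Optional


# Assumed policy object. In a real server these values would come from the
# password-policy entry; the attribute names here are this example's own.
@dataclass
class PasswordPolicy:
    min_lower: int = 1
    min_upper: int = 1
    min_digit: int = 1
    min_alnum: int = 6
    min_special: int = 1
    min_token_len: int = 3   # shortest fragment of user data to reject
    dictionary: frozenset = field(default_factory=frozenset)


# Constructed stand-in for /usr/share/dict/words (a handful of entries).
SAMPLE_DICTIONARY = frozenset({"password", "secret", "welcome", "letmein", "dragon"})

# Constructed user entry: attribute name -> list of values, as an LDAP
# entry would present them.
SAMPLE_ENTRY = {
    "uid": ["jdetroy"],
    "cn": ["Jo De Troy"],
    "sn": ["De Troy"],
    "mail": ["jo.detroy@example.com"],
}

# Each check takes (password, entry, policy) and returns None on success
# or an error string, mirroring the module contract described above.
QualityCheck = Callable[[str, dict, PasswordPolicy], Optional[str]]


def character_classes(password: str, entry: dict, policy: PasswordPolicy) -> Optional[str]:
    """Enforce the per-class minimums (lower, upper, digit, alnum, special)."""
    counts = {
        "lower-case letter": sum(c.islower() for c in password),
        "upper-case letter": sum(c.isupper() for c in password),
        "digit": sum(c.isdigit() for c in password),
        "alphanumeric": sum(c.isalnum() for c in password),
        "special character": sum((not c.isalnum()) and (not c.isspace()) for c in password),
    }
    minimums = {
        "lower-case letter": policy.min_lower,
        "upper-case letter": policy.min_upper,
        "digit": policy.min_digit,
        "alphanumeric": policy.min_alnum,
        "special character": policy.min_special,
    }
    for name, needed in minimums.items():
        if counts[name] < needed:
            return f"needs at least {needed} {name}(s), found {counts[name]}"
    return None


def user_tokens(entry: dict, min_len: int) -> set:
    """Lower-cased fragments of the user's own data (uid, cn, sn, givenName,
    mail local part) that are at least min_len characters long."""
    tokens = set()
    for attr in ("uid", "cn", "sn", "givenname", "mail"):
        for value in entry.get(attr, []):
            value = value.lower()
            if attr == "mail":
                value = value.split("@", 1)[0]
            for part in re.split(r"[^a-z0-9]+", value):
                if len(part) >= min_len:
                    tokens.add(part)
    return tokens


def no_user_data(password: str, entry: dict, policy: PasswordPolicy) -> Optional[str]:
    """Reject passwords containing any fragment of the user's entry."""
    pw = password.lower()
    for token in sorted(user_tokens(entry, policy.min_token_len)):
        if token in pw:
            return f"must not contain user data ({token!r})"
    return None


def not_dictionary_word(password: str, entry: dict, policy: PasswordPolicy) -> Optional[str]:
    """Reject exact dictionary words and the common word-plus-digits variant,
    by also comparing the letters-only form of the password."""
    pw = password.lower()
    letters_only = re.sub(r"[^a-z]", "", pw)
    if pw in policy.dictionary or letters_only in policy.dictionary:
        return "is based on a dictionary word"
    return None


DEFAULT_CHECKS = [character_classes, no_user_data, not_dictionary_word]


def check_password(password: str, entry: dict, policy: PasswordPolicy,
                   checks=DEFAULT_CHECKS) -> Optional[str]:
    """Run each plugged-in check in turn; the first failure's message is the
    error string returned to the client, None means the password is accepted."""
    for check in checks:
        error = check(password, entry, policy)
        if error is not None:
            return error
    return None


if __name__ == "__main__":
    policy = PasswordPolicy(dictionary=SAMPLE_DICTIONARY)
    for candidate in ("Troy2006!!", "Password1!", "Kx7#mq9Lpw"):
        print(candidate, "->", check_password(candidate, SAMPLE_ENTRY, policy) or "ok")
```

Each rule is an independent callable with the same signature, so a site can replace the list of checks (for instance, swap `not_dictionary_word` for a cracklib-backed one) without touching the server's enforcement path; the entry is passed in so the user-data rule can look at whatever attributes the deployment considers sensitive.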