> > Message: 5 Date: Thu, 19 Jan 2006 14:25:16 -0700 From: Richard > Megginson <rmeggins at redhat.com> Jo De Troy wrote: > Hello, >> > >> > I was wondering if anyone was looking into enforcement of strong >> > passwords. >> > I'm not a hardcore C programmer but I'm willing to help. But first >> > I'll have to try in getting the current version compiled. >> > I'm certainly willing to do some testing. >> > > Funny you should mention that. We're looking at that issue right now. > What sort of things would you want to check for? > min number of lower case > min number of upper case > min number of digits > min number of alphanumerics > min number of special chars > no user data in password > dictionary checking? If so, how? /usr/share/dict/words? > > For OpenLDAP's password policy module we define an attribute in the policy object that gives the pathname of a dynamically loaded module that can perform further quality checks. We pass in the password that is being set, an error string pointer, and the user's current entry and get a yes/no result code back. I suggest a similar approach here; it's too limiting to just hardcode one set of rules into the server. (Heck, if we used SLAPI, we could write these modules interchangeably between OpenLDAP and FDS.) Symas currently has a module that checks against cracklib. You could bundle one or two standard modules and go from there. Probably we should have extended our API to include a pointer to the current policy object as well. The point is to make the API simple enough and expressive enough that end-users can plug in whatever constraints they want. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc OpenLDAP Core Team http://www.openldap.org/project/
