Howard Chu wrote:
Message: 5
Date: Thu, 19 Jan 2006 14:25:16 -0700
From: Richard Megginson <rmeggins@xxxxxxxxxx>

Jo De Troy wrote:

> Hello,
>
> I was wondering if anyone was looking into enforcement of strong passwords.
> I'm not a hardcore C programmer but I'm willing to help. But first I'll have to try in getting the current version compiled.
> I'm certainly willing to do some testing.

Funny you should mention that. We're looking at that issue right now. What sort of things would you want to check for?

min number of lower case
min number of upper case
min number of digits
min number of alphanumerics
min number of special chars
no user data in password
dictionary checking? If so, how? /usr/share/dict/words?

For OpenLDAP's password policy module we define an attribute in the policy object that gives the pathname of a dynamically loaded module that can perform further quality checks. We pass in the password that is being set, an error string pointer, and the user's current entry and get a yes/no result code back. I suggest a similar approach here; it's too limiting to just hardcode one set of rules into the server. (Heck, if we used SLAPI, we could write these modules interchangeably between OpenLDAP and FDS.) Symas currently has a module that checks against cracklib. You could bundle one or two standard modules and go from there.

Probably we should have extended our API to include a pointer to the current policy object as well. The point is to make the API simple enough and expressive enough that end-users can plug in whatever constraints they want.

Yes. That's the intention - make password policy pluggable. It's going to be a bit more work to add the entry points to the code. We should support the attribute that you described.
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
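
The check function described in the thread above (password being set, error string pointer, user's entry, yes/no result), with the policy object pointer that the thread suggests adding, written out as an added example; it is not code from this thread, from OpenLDAP or from Fedora Directory Server. `struct user_entry`, `struct pw_policy`, the 0/1 return convention and the heap-allocated error string are assumptions of this example; a real module would use the server's own entry and policy types.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Hypothetical stand-ins for the server's entry and policy objects. */
struct user_entry { const char *uid; const char *cn; };
struct pw_policy  { int min_lower, min_upper, min_digit, min_special; };

/* Store a heap copy of msg in *err (caller frees) and return the reject code. */
static int reject(char **err, const char *msg) {
    if (err && (*err = malloc(strlen(msg) + 1)) != NULL) strcpy(*err, msg);
    return 1;
}

/* Case-insensitive substring search. Needles shorter than 3 characters are
 * skipped so that very short attribute values do not reject every password. */
static int contains_ci(const char *hay, const char *needle) {
    size_t n = needle ? strlen(needle) : 0;
    if (n < 3) return 0;
    for (; *hay; hay++)
        if (strncasecmp(hay, needle, n) == 0) return 1;
    return 0;
}

/* Returns 0 to accept the password, 1 to reject it with *err saying why. */
int check_password(const char *pw, char **err,
                   const struct user_entry *e, const struct pw_policy *pol) {
    int lower = 0, upper = 0, digit = 0, special = 0;
    if (err) *err = NULL;
    if (!pw || !pol) return reject(err, "missing password or policy");
    /* Count character classes; anything else (including non-ASCII bytes
     * in the C locale) is counted as special. */
    for (const unsigned char *p = (const unsigned char *)pw; *p; p++) {
        if (islower(*p)) lower++;
        else if (isupper(*p)) upper++;
        else if (isdigit(*p)) digit++;
        else special++;
    }
    if (lower < pol->min_lower)     return reject(err, "too few lower case characters");
    if (upper < pol->min_upper)     return reject(err, "too few upper case characters");
    if (digit < pol->min_digit)     return reject(err, "too few digits");
    if (special < pol->min_special) return reject(err, "too few special characters");
    /* "No user data in password": compare against the entry's attributes. */
    if (e && (contains_ci(pw, e->uid) || contains_ci(pw, e->cn)))
        return reject(err, "password contains user data");
    return 0;
}
```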