LDAP Tool Box project: even LDAP administrators need help



OpenLDAP pwdChecker library

Presentation

check_password.c is an OpenLDAP pwdPolicyChecker module used to check the strength and quality of user-provided passwords.

This module is used as an extension of the OpenLDAP password policy controls.

check_password.c will run a number of checks on the passwords to ensure minimum strength and quality requirements are met. Passwords that do not meet these requirements are rejected.

Password checks

  • Passwords shorter than 6 characters are rejected (because cracklib WILL reject them).
  • Syntactic checks control how many different character classes are used (lowercase, uppercase, digit and punctuation characters). The minimum number of classes is defined in the configuration file.
  • Passwords are checked against cracklib if cracklib is enabled at compile time. This check can be disabled in the configuration file.

INSTALLATION

Build dependencies:

  • cracklib header files (link with -lcrack). The Makefile does not look for cracklib; you may need to provide the paths manually.
  • OpenLDAP header files

Copy check_password.c and the Makefile into the OpenLDAP source directory and use the provided Makefile to build the module:

$ make PARAM1=VALUE PARAM2=VALUE ...

The following compilation parameters are available:

  • CC: compiler (default: gcc)
  • CC_FLAGS: compiler flags (default: -g -O2 -Wall -fpic)
  • CONFIG_FILE: path to target configuration file (default: /etc/openldap/check_password.conf)
  • CONFIG_OPT: compiler config option (default: -DCONFIG_FILE="\"$(CONFIG)\"")
  • DEBUG_OPT: compiler debug option (default: -DDEBUG)
  • CRACKLIB: path to cracklib dictionaries (default: /usr/share/cracklib/pw_dict)
  • CRACKLIB_LIB: link to cracklib library (default: -lcrack)
  • CRACKLIB_OPT: compiler cracklib option (default: -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"")
  • LDAP_INC: OpenLDAP includes (default: -I/usr/include/openldap/include -I/usr/include/openldap/servers/slapd)
  • LDAP_LIB: link to OpenLDAP libraries (default: -lldap_r -llber)
  • LIBDIR: target installation directory (default: /usr/lib/openldap/)

Compilation command example:

$ make CONFIG="/usr/local/openldap/etc/openldap/check_password.conf" \
LDAP_INC="-I./include/ -I./servers/slapd/" \
CRACKLIB_OPT='' CRACKLIB_LIB=''

Install into the slapd server module path:

$ make install LIBDIR='/usr/local/openldap/lib'

The module path may be defined with the slapd.conf parameter "modulepath".

Ronan Lanore wrote documentation for Debian Lenny: Compile check_password.so on Lenny

USAGE

To use this module, add the objectClass pwdPolicyChecker with the attribute 'pwdCheckModule: check_password.so' to a password policy entry.

The module depends on a working cracklib installation including wordlist files. If the wordlist files are not readable, the cracklib check will be skipped silently.

Note: pwdPolicyChecker modules are loaded on *every* password change operation.

Configuration

The configuration file (/etc/openldap/check_password.conf by default) contains parameters for the module. If the file is not found, parameters are given their default values.

The syntax of the file is:

parameter value

with spaces as delimiters. Parameter names ARE case sensitive.

Current parameters:

  • minPoints: integer. Default value: 3. Minimum number of quality points a new password must have to be accepted. One quality point is awarded for each character class used in the password.
  • useCracklib: integer. Default value: 1. Set it to 0 to disable cracklib verification. It has no effect if cracklib is not included at compile time.
  • minUpper: integer. Default value: 0. Minimum number of uppercase characters required.
  • minLower: integer. Default value: 0. Minimum number of lowercase characters required.
  • minDigit: integer. Default value: 0. Minimum number of digit characters required.
  • minPunct: integer. Default value: 0. Minimum number of punctuation characters required.

Example:

minPoints 3
useCracklib 0
minUpper 2
minLower 4
minDigit 1
minPunct 0
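As an added illustration, not the project's own check_password.c, the following C program parses a configuration in the documented "parameter value" format and applies the length, quality-point and per-class minimum checks described in the "Password checks" and "Configuration" sections to a few constructed sample passwords. The cracklib check is not reproduced (useCracklib is parsed but has no effect here), and all type and function names (pw_policy, parse_policy, check_password, check_with_config) are this example's own.

```c
/* Added example, not the project's check_password.c: parses the documented
 * "parameter value" configuration format and applies the length, quality-point
 * and per-class minimum checks. cracklib is not called; useCracklib is parsed
 * only so the sample config round-trips. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct pw_policy {
    int min_points, use_cracklib, min_upper, min_lower, min_digit, min_punct;
};

/* Documented defaults: minPoints 3, useCracklib 1, per-class minimums 0. */
static const struct pw_policy DEFAULT_POLICY = { 3, 1, 0, 0, 0, 0 };

/* Parse "parameter value" lines; names are case sensitive, and unknown or
 * malformed lines are ignored so the documented defaults apply. */
struct pw_policy parse_policy(const char *text)
{
    struct pw_policy p = DEFAULT_POLICY;
    const char *cur = text;
    char line[128], name[64];
    int value;

    while (*cur) {
        size_t span = strcspn(cur, "\n");
        size_t n = span < sizeof line ? span : sizeof line - 1;
        memcpy(line, cur, n);
        line[n] = '\0';
        cur += span;
        if (*cur == '\n') cur++;
        if (sscanf(line, "%63s %d", name, &value) != 2) continue;
        if (!strcmp(name, "minPoints")) p.min_points = value;
        else if (!strcmp(name, "useCracklib")) p.use_cracklib = value;
        else if (!strcmp(name, "minUpper")) p.min_upper = value;
        else if (!strcmp(name, "minLower")) p.min_lower = value;
        else if (!strcmp(name, "minDigit")) p.min_digit = value;
        else if (!strcmp(name, "minPunct")) p.min_punct = value;
    }
    return p;
}

/* Returns 1 if pw is accepted under p, 0 if rejected; the reason text
 * mirrors the kind of message the module writes to the server log. */
int check_password(const char *pw, const struct pw_policy *p,
                   char *reason, size_t reason_len)
{
    int upper = 0, lower = 0, digit = 0, punct = 0, points;
    size_t len = strlen(pw);

    if (len < 6) {                       /* cracklib would reject these anyway */
        snprintf(reason, reason_len, "password shorter than 6 characters");
        return 0;
    }
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (isupper(c)) upper++;
        else if (islower(c)) lower++;
        else if (isdigit(c)) digit++;
        else if (ispunct(c)) punct++;
    }
    /* one quality point per character class present in the password */
    points = (upper > 0) + (lower > 0) + (digit > 0) + (punct > 0);
    if (points < p->min_points) {
        snprintf(reason, reason_len,
                 "does not pass required number of strength checks (%d of %d)",
                 points, p->min_points);
        return 0;
    }
    if (upper < p->min_upper || lower < p->min_lower ||
        digit < p->min_digit || punct < p->min_punct) {
        snprintf(reason, reason_len, "per-class minimum not met "
                 "(upper %d, lower %d, digit %d, punct %d)",
                 upper, lower, digit, punct);
        return 0;
    }
    snprintf(reason, reason_len, "ok (%d quality points)", points);
    return 1;
}

/* Convenience wrapper: evaluate pw under a config text, discarding the reason. */
int check_with_config(const char *config, const char *pw)
{
    struct pw_policy p = parse_policy(config);
    char reason[160];
    return check_password(pw, &p, reason, sizeof reason);
}

/* Constructed config text, identical to the documented example above. */
static const char SAMPLE_CONFIG[] =
    "minPoints 3\nuseCracklib 0\nminUpper 2\nminLower 4\nminDigit 1\nminPunct 0\n";

int main(void)
{
    struct pw_policy p = parse_policy(SAMPLE_CONFIG);
    const char *samples[] = { "short", "alllowercase", "Passw0rd", "ABcdef1g" };
    char reason[160];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ok = check_password(samples[i], &p, reason, sizeof reason);
        printf("%-13s %s: %s\n", samples[i], ok ? "accepted" : "rejected", reason);
    }
    return 0;
}
```

With the sample configuration, "Passw0rd" reaches the three quality points but is still rejected because it has only one uppercase character against minUpper 2, while "ABcdef1g" satisfies every minimum; an empty configuration falls back to the documented defaults, under which "Passw0rd" is accepted and "passw0rd" (two classes) is not.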

Logs

If a user password is rejected by an OpenLDAP pwdChecker module, the user does not get a detailed error message; this is by design.

Typical user message from ldappasswd(5):

  Result: Constraint violation (19)
  Additional info: Password fails quality checking policy

A more detailed message is written to the server log.

Server log:

  check_password_quality: module error: (check_password.so)
  Password for dn=".." does not pass required number of strength checks (2 of 3)

Caveats

Runtime errors with this module (such as cracklib configuration problems) may bring down the slapd process.

Use at your own risk.