The OpenLDAP directory server, with the ppolicy overlay, can enforce a powerful password policy. The overlay directly supports every aspect of this policy except the content quality of the password. Password content strength checking is delegated to an external plug-in, which must be a native shared library. The pqChecker component provides this feature. It controls the content of passwords, i.e.:
- Number of required uppercase characters.
- Number of required lowercase characters.
- Number of required special characters (non-alphabetical characters).
- Number of required digits (0-9).
- Forbidden characters.
- Setting the password content quality programmatically.
- Real-time broadcast of modified passwords to other information systems.
pqChecker is invoked each time a password is modified or first entered in the directory. It receives the new value of this attribute and checks its compliance with the defined strength parameters. At the end of this check, the value is accepted or rejected.
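The content checks listed above, sketched in C as an added example; this is not pqChecker's own code, and the `pw_policy` structure, result codes and sample policy are hypothetical. It assumes "special" means neither letter nor digit and classifies bytes in the C locale.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical policy record: minimum count per character class plus a
 * set of forbidden characters. Not pqChecker's parameter format. */
struct pw_policy {
    int min_upper, min_lower, min_digit, min_special;
    const char *forbidden;
};

enum pw_result { PW_OK = 0, PW_FORBIDDEN, PW_UPPER, PW_LOWER, PW_DIGIT, PW_SPECIAL };

/* Returns PW_OK if pw satisfies the policy, otherwise the first failed rule.
 * Assumption: "special" means neither letter nor digit. Bytes are
 * classified in the C locale, so non-ASCII bytes count as special. */
enum pw_result check_content(const char *pw, const struct pw_policy *p)
{
    int upper = 0, lower = 0, digit = 0, special = 0;

    for (const unsigned char *c = (const unsigned char *)pw; *c; c++) {
        /* A forbidden character rejects the password regardless of counts. */
        if (p->forbidden && strchr(p->forbidden, *c))
            return PW_FORBIDDEN;
        if (isupper(*c))      upper++;
        else if (islower(*c)) lower++;
        else if (isdigit(*c)) digit++;
        else                  special++;
    }
    if (upper < p->min_upper)     return PW_UPPER;
    if (lower < p->min_lower)     return PW_LOWER;
    if (digit < p->min_digit)     return PW_DIGIT;
    if (special < p->min_special) return PW_SPECIAL;
    return PW_OK;
}

/* Constructed sample policy: one character of each class; '@' and '/' forbidden. */
static const struct pw_policy sample_policy = { 1, 1, 1, 1, "@/" };

int main(void)
{
    /* Constructed sample value; exit status 0 means accepted. */
    return check_content("Tr0ub!dor", &sample_policy);
}
```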
In addition, the quality parameters can be read and modified through middleware communication with a JMS server: pqMessenger. This makes it possible to manage these parameters without any particular system constraint (such as the need for a system administrator to intervene). It even allows a graphical user interface to be used for this purpose (cf. the mdAdmin application).
pqChecker can also broadcast the new password, in real time, after its validation. This feature provides the ability to synchronize passwords stored in the OpenLDAP directory with other systems that use it (RDBMS, email servers, other LDAP servers, etc.). Password broadcasting is not the default behavior: it is deactivated by default but can be activated with a simple setting.
pqChecker is free and open-source software. It is licensed under the GNU GPL v3+ license.