OpenLDAP password policy pwdCheckModule - Page 1
How quality control and password dissemination work

The ppolicy overlay documentation describes the single function that the pqChecker plugin should contain. When an OpenLDAP server with the ppolicy overlay is installed, the manual page gives its prototype:

man slapo-ppolicy
int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry);

The most important parameters are the received password and the value returned to the server.

  • pPasswd contains the password to check, which the server passes to the pqChecker plug-in.
  • The value returned to the server must be LDAP_SUCCESS (slapd.h) when the password is accepted, or any other value when it is rejected.
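The contract described above, as an added sketch that is not pqChecker's own code: a check_password with the documented signature that accepts or rejects a password by character-class counts. The Entry and LDAP_* stand-ins, the pq_params structure, its default values and the set_error helper are assumptions made so the sketch compiles without the OpenLDAP headers.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins (assumption) so the sketch builds without OpenLDAP headers;
 * a real module includes slapd.h, which provides both. */
#define LDAP_SUCCESS 0x00
#define LDAP_OTHER   0x50
typedef struct Entry Entry;

/* Hypothetical quality parameters. pqChecker reads its own from
 * pqparams.dat, whose format is not reproduced here. */
struct pq_params { int min_upper, min_lower, min_digit, min_special; };
static struct pq_params g_params = { 1, 1, 1, 1 };

/* Hand the caller a heap copy of msg so it can release the string. */
static void set_error(char **ppErrStr, const char *msg)
{
    if (ppErrStr == NULL) return;
    size_t n = strlen(msg) + 1;
    *ppErrStr = malloc(n);
    if (*ppErrStr != NULL) memcpy(*ppErrStr, msg, n);
}

int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry)
{
    int upper = 0, lower = 0, digit = 0, special = 0;
    (void)pEntry;   /* entry being modified; unused in this sketch */

    if (pPasswd == NULL) {   /* fail closed when no password is supplied */
        set_error(ppErrStr, "no password supplied");
        return LDAP_OTHER;
    }
    for (const unsigned char *p = (const unsigned char *)pPasswd; *p; p++) {
        if (isupper(*p))      upper++;
        else if (islower(*p)) lower++;
        else if (isdigit(*p)) digit++;
        else                  special++;
    }
    if (upper < g_params.min_upper || lower < g_params.min_lower ||
        digit < g_params.min_digit || special < g_params.min_special) {
        /* The message names the policy only; it never echoes the password. */
        set_error(ppErrStr, "password does not meet the quality policy");
        return LDAP_OTHER;
    }
    return LDAP_SUCCESS;
}
```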


Password content checking is driven by parameters stored in a text file named pqparams.dat. A system administrator can edit those parameters manually to change the password content quality policy. More effectively, the parameters can be modified programmatically. This makes it possible to expose them through a user-friendly interface and, above all, does not require granting any system administration rights. This is why the component offers two additional functions for reading and modifying the parameters.

When a password is validated, it can be broadcast to other systems if this feature is enabled in the operating parameter. The passwords are broadcast through the pqMessenger middleware.

On one side, pqMessenger uses the JNI interface to communicate with pqChecker; on the other, it communicates with a JMS server. It is an intermediary module between the native pqChecker plug-in and a Java application. An external application that offers a user-friendly interface for modifying these parameters, together with a data broadcasting feature, can use this message transmission chain in a very simple manner.

Modifying settings and broadcasting passwords through a Java application

The pqMessenger module is a middleware that enables communication between pqChecker and a JMS-compliant application. This communication concerns the password content quality parameters. It allows these settings to be changed through a user-friendly interface and without the need for specific system privileges. After validation, the modified password may be broadcast by pqChecker to pqMessenger. Note that pqMessenger is an optional module and pqChecker can work alone. In this case, however, the password broadcasting function cannot be activated and the operating parameter can only be changed manually.