and setting of the OpenLDAP server
The ppolicy overlay must be loaded and properly configured; see the OpenLDAP administrator guide and the password policy setting tutorial for further details. The following command, executed on the server, verifies this. The response must show the ppolicy overlay in loaded status ({x}ppolicy).
```
olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}ppolicy
```
In particular, pay attention to two settings of this overlay. Assuming the ppolicy settings DN is cn=ppolicy,dc=ldaptuto,dc=net, the following command verifies the values of those settings:
```
pwdCheckQuality: 2
pwdCheckModule: pqchecker.so
```
- pwdCheckModule must contain the name of the password checker plug-in; here we use pqchecker.so
- pwdCheckQuality must contain the password control level; three values may be used:
pwdCheckQuality | Meaning |
---|---|
0 (default value) | No check is done; pqChecker is deactivated. |
1 | By default the password is accepted. In particular, it is accepted when it is already encrypted or when, for some reason, pqChecker does not work. The check is performed only if pqChecker works and the password is not encrypted. |
2 | By default the password is rejected. In particular, it is rejected when it is already encrypted or when, for some reason, pqChecker does not work. The check is performed only if pqChecker works and the password is not encrypted. |
To accept or reject passwords, pqChecker relies on settings stored in a text file, pqparams.dat. A single line of text contains all those settings, made up of 6 fields:
Order (left to right) | Field | Length | Positions | Range | Meaning of content |
---|---|---|---|---|---|
1 | N\| | 2 characters | 1,2 | 0\| or 1\| | 1\| → broadcasts passwords, 0\| → does not broadcast |
2 | UU | 2 characters | 3,4 | 00 → 99 | Number of required uppercase characters |
3 | LL | 2 characters | 5,6 | 00 → 99 | Number of required lowercase characters |
4 | DD | 2 characters | 7,8 | 00 → 99 | Number of required digits |
5 | SS | 2 characters | 9,10 | 00 → 99 | Number of required special characters |
6 | The rest | indefinite | 11 → end of line | All characters | List of forbidden characters. This list may be empty |
Versions of pqChecker prior to 2.0 do not support field 1, which controls password broadcasting; only the last 5 fields are valid for those earlier versions. Versions 2.0 and above support both formats.
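As an added illustration (not pqChecker's own code), the following parses a pqparams.dat line in both layouts described above and applies the resulting counts and forbidden list to a candidate password, so you can sanity-check a settings line before deploying it. The sample lines are constructed, and treating every non-alphanumeric character as "special" is an assumption about how pqChecker counts them.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines: version 2.0+ layout (field 1 = "1|" broadcast flag,
# then UU=01 LL=01 DD=01 SS=01, then forbidden chars: space & ' ") and the
# pre-2.0 layout, which carries the same policy without field 1.
SAMPLE_PQPARAMS_V2 = "1|01010101 &'\""
SAMPLE_PQPARAMS_V1 = "01010101 &'\""


@dataclass
class PqParams:
    broadcast: Optional[bool]   # None when the line uses the pre-2.0 layout
    upper: int
    lower: int
    digits: int
    special: int
    forbidden: str


def parse_pqparams(line: str) -> PqParams:
    """Parse the single settings line of pqparams.dat (either layout)."""
    line = line.rstrip("\r\n")
    broadcast = None
    m = re.match(r"([01])\|", line)          # field 1, positions 1-2, only in 2.0+
    if m:
        broadcast = m.group(1) == "1"
        line = line[2:]
    if not re.match(r"\d{8}", line):          # fields 2-5: UU LL DD SS
        raise ValueError("expected UULLDDSS as eight digits")
    counts = [int(line[i:i + 2]) for i in range(0, 8, 2)]
    return PqParams(broadcast, *counts, forbidden=line[8:])  # field 6: the rest


def check_password(pw: str, p: PqParams) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    bad = sorted({c for c in pw if c in p.forbidden})
    if bad:
        problems.append(f"forbidden characters: {''.join(bad)}")
    required = {
        "uppercase": (sum(c.isupper() for c in pw), p.upper),
        "lowercase": (sum(c.islower() for c in pw), p.lower),
        "digit": (sum(c.isdigit() for c in pw), p.digits),
        "special": (sum(not c.isalnum() for c in pw), p.special),  # assumption
    }
    for name, (have, need) in required.items():
        if have < need:
            problems.append(f"needs {need} {name} character(s), has {have}")
    return problems
```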