OpenLDAP password policy pwdCheckModule - Page 2
Prerequisites for pqChecker
and setting of the OpenLDAP server

ppolicy overlay must be loaded, see the OpenLDAP administrator guide for more details. Two settings of this overlay are very important:

  • pwdCheckModule must contain the name of the password checker plug-in, we use pqchecker.so
  • pwdCheckQuality must contain the password control level, 3 values may be used:

pwdCheckQuality Meaning
0 (default value) No control done, pqChecker is deactivated.
1 The supplied password is accepted by default. In particular, it is accepted, if for some reason, pqChecker does not work or it is already encrypted. It is controlled and rejected in case of non compliance, only if pqChecker works and it is provided in plain text.
2 If pqChecker does not work or the password provided is already encrypted, the entry is rejected. If supplied in plain text and pqChecker work, the password is checked. It is accepted if the configured criteria are met. If it does not comply, the entry is rejected.
Password quality parameters and their storage

To decide on the acceptance or rejection of password, pqCheker relies on a setting stored in a text file: pqparams.dat. A single line of text contains all the parameters. This line consists of 6 data fields:

Order (left to right) Field Length Sequence Range Meaning of content
1N|2 characters1,20| or 1|1 → Broadcasts passwords, 0 → Don't broadcasts
2UU2 characters3,40 → 99Number of required uppercase characters
3LL2 characters5,60 → 99Number of required lowercase characters
4DD2 characters7,80 → 99Number of required digits
5SS2 characters9,100 → 99Number of required special characters
6The restundefinite11 → end of lineAll charactersList of forbidden characters. This list may be empty

This format is valid from version 2.0 of pqChecker. Previous versions don't support field 1, which concerns the passwords broadcasting. Only the last 5 fields are valid for these previous versions. On the other hand versions 2.0 and above support both formats.