pqChecker
OpenLDAP password policy pwdCheckModule - Page 2
Prerequisites for pqChecker and settings of the OpenLDAP server

The ppolicy overlay must be loaded and correctly configured; see the OpenLDAP administrator guide and the password policy setting tutorial for details. The following command, run on the server, lets you verify this. The output must show the ppolicy overlay as loaded ({x}ppolicy):

sudo ldapsearch -Y external -H ldapi:/// -b cn=config "(objectClass=olcModuleList)" -LLL ↵

olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}ppolicy

In particular, pay attention to two settings of this overlay. Assuming the ppolicy settings DN is cn=ppolicy,dc=ldaptuto,dc=net, the following command lets you verify the values of those settings:

sudo ldapsearch -Y external -H ldapi:/// -b cn=ppolicy,dc=ldaptuto,dc=net pwdCheckModule pwdCheckQuality -LLL ↵

pwdCheckQuality: 2
pwdCheckModule: pqchecker.so
  • pwdCheckModule must contain the name of the password checker plug-in; here we use pqchecker.so
  • pwdCheckQuality must contain the password control level; 3 values may be used:

pwdCheckQuality  Meaning
0                (default value) No check is done; pqChecker is deactivated.
1                Accept by default: the password is accepted when it is already encrypted or when, for some reason, pqChecker does not work. The check is done only if pqChecker works and the password isn't encrypted.
2                Reject by default: the password is rejected when it is already encrypted or when, for some reason, pqChecker does not work. The check is done only if pqChecker works and the password isn't encrypted.
 
Password content strength settings and their storage

To accept or reject passwords, pqChecker relies on settings stored in a text file, pqparams.dat. A single line of text holds all of those settings, and it is made up of 6 fields:

Order (left to right)  Field     Length        Sequence (character positions)  Range           Meaning of content
1                      N|        2 characters  1,2                             0| or 1|        1| → broadcasts passwords, 0| → doesn't broadcast
2                      UU        2 characters  3,4                             00 → 99         Number of required uppercase characters
3                      LL        2 characters  5,6                             5,6             Number of required lowercase characters
4                      DD        2 characters  7,8                             00 → 99         Number of required digits
5                      SS        2 characters  9,10                            00 → 99         Number of required special characters
6                      The rest  indefinite    11 → end of line                All characters  List of forbidden characters. This list may be empty

Versions of pqChecker prior to 2.0 don't support field 1, which controls password broadcasting; only the last 5 fields are valid for those earlier versions. Versions 2.0 and above support both formats.
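As an added illustration of the two pqparams.dat layouts described above (not code from pqChecker itself), the following Python parses a settings line in either the 2.0+ form (N|UULLDDSS followed by forbidden characters) or the pre-2.0 form (UULLDDSS followed by forbidden characters) and checks a candidate password against it. Counting any non-alphanumeric character as "special" is an assumption of this example, as is the sample line.

```python
# Added example, not pqChecker's own code: parse a pqparams.dat line in both
# supported layouts and report which strength rules a password violates.
from dataclasses import dataclass


@dataclass(frozen=True)
class PqParams:
    broadcast: bool   # field 1 (N|), present only in the 2.0+ layout
    upper: int        # UU: minimum uppercase letters
    lower: int        # LL: minimum lowercase letters
    digits: int       # DD: minimum digits
    special: int      # SS: minimum special characters
    forbidden: str    # field 6: characters that must not appear


def parse_pqparams(line: str) -> PqParams:
    """Parse one pqparams.dat line; accepts the 2.0+ and the legacy layout."""
    line = line.rstrip("\r\n")
    # In the 2.0+ layout position 2 is the "|" separator; in the legacy layout
    # position 2 is the second digit of UU, so the two cannot be confused.
    if len(line) >= 2 and line[1] == "|":
        if line[0] not in "01":
            raise ValueError("broadcast field must be 0| or 1|")
        broadcast, body = line[0] == "1", line[2:]
    else:
        broadcast, body = False, line
    if len(body) < 8 or not body[:8].isdigit():
        raise ValueError("expected UULLDDSS as eight digits")
    uu, ll, dd, ss = (int(body[i:i + 2]) for i in range(0, 8, 2))
    return PqParams(broadcast, uu, ll, dd, ss, body[8:])


def check_password(pw: str, p: PqParams) -> list[str]:
    """Return the violated rules; an empty list means the password passes."""
    counts = {"uppercase": sum(c.isupper() for c in pw),
              "lowercase": sum(c.islower() for c in pw),
              "digit": sum(c.isdigit() for c in pw),
              "special": sum(not c.isalnum() for c in pw)}  # assumption
    required = {"uppercase": p.upper, "lowercase": p.lower,
                "digit": p.digits, "special": p.special}
    problems = [f"needs at least {n} {k} character(s)"
                for k, n in required.items() if counts[k] < n]
    bad = sorted(set(pw) & set(p.forbidden))
    if bad:
        problems.append("contains forbidden character(s): " + "".join(bad))
    return problems


if __name__ == "__main__":
    # Constructed sample: no broadcast, 1 upper, 1 lower, 2 digits, 1 special,
    # and "@" and the space character are forbidden.
    params = parse_pqparams("0|01010201@ ")
    print(check_password("Secret#42", params))   # []
    print(check_password("secret@4", params))    # three violations
```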