OpenLDAP password policy pwdCheckModule
How quality control and password dissemination work

The ppolicy overlay documentation describes the single function that the pqChecker plugin should contain. When an OpenLDAP server with the ppolicy overlay is installed, the manual page gives its prototype:

man slapo-ppolicy
int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry);

The most important parameters are the received password and the value returned to the server.

  • pPasswd contains the modified password.
  • The value returned to the server must be LDAP_SUCCESS (slapd.h) when the password value is accepted, or any other value when it is rejected.
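
A minimal module honouring this contract, as an added example (not pqChecker's own code). The Entry typedef and the two result-code defines are stand-ins for slapd.h, the character-class minimums are constructed values rather than the pqparams.dat format, and LDAP_CONSTRAINT_VIOLATION is just one choice of "any other value".

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins so the example builds without OpenLDAP headers; a real module
   gets Entry and the result codes from slapd.h. */
#define LDAP_SUCCESS 0x00
#define LDAP_CONSTRAINT_VIOLATION 0x13
typedef struct Entry Entry;

/* Constructed policy: minimum count per character class (an assumption,
   not the pqparams.dat format). */
enum { MIN_UPPER = 1, MIN_LOWER = 1, MIN_DIGIT = 1, MIN_SPECIAL = 1 };

/* Return a heap-allocated reason (slapd frees it); skip if no pointer given. */
static int reject(char **ppErrStr, const char *why)
{
    if (ppErrStr != NULL) {
        size_t n = strlen(why) + 1;
        *ppErrStr = malloc(n);
        if (*ppErrStr != NULL)
            memcpy(*ppErrStr, why, n);
    }
    return LDAP_CONSTRAINT_VIOLATION;
}

int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry)
{
    int upper = 0, lower = 0, digit = 0, special = 0;
    (void)pEntry;                 /* entry attributes are not used here */
    if (ppErrStr != NULL)
        *ppErrStr = NULL;         /* no message unless we reject */
    if (pPasswd == NULL)
        return reject(ppErrStr, "no password supplied");
    for (const unsigned char *p = (const unsigned char *)pPasswd; *p; p++) {
        if (isupper(*p)) upper++;
        else if (islower(*p)) lower++;
        else if (isdigit(*p)) digit++;
        else if (ispunct(*p)) special++;   /* other bytes count for no class */
    }
    if (upper < MIN_UPPER)     return reject(ppErrStr, "too few uppercase characters");
    if (lower < MIN_LOWER)     return reject(ppErrStr, "too few lowercase characters");
    if (digit < MIN_DIGIT)     return reject(ppErrStr, "too few digits");
    if (special < MIN_SPECIAL) return reject(ppErrStr, "too few special characters");
    return LDAP_SUCCESS;
}
```

The function never logs or stores pPasswd, since it receives the password in clear text.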

OpenLDAP password policy pwdCheckQuality

The password content check is performed according to settings stored in a text file named pqparams.dat. A system administrator can modify those settings manually to change the password content quality policy. More effectively, these settings may be modified programmatically. This makes it possible to offer the modification through a user-friendly interface, and it avoids involving the system administrator in the change. This is why the component provides two additional functions for reading and modifying the password strength settings.

When a password is validated, it can be broadcast to other systems if this feature is enabled in the operating settings. The passwords are broadcast through the pqMessenger middleware.

pqMessenger uses the JNI interface to communicate with pqChecker on one side. On the other side, it communicates with a JMS server. It is an intermediary module between the native pqChecker plug-in and a Java application. An external application which provides the feature of modifying these settings through a user-friendly interface and a data broadcasting feature can use this message transmission chain in a very simple way.