[Fedora-directory-users] Re: enforce strong passwords

Howard Chu hyc at symas.com
Fri Jan 20 00:53:51 UTC 2006


>
> Message: 5
> Date: Thu, 19 Jan 2006 14:25:16 -0700
> From: Richard Megginson <rmeggins at redhat.com>
>
> Jo De Troy wrote:
>> > Hello,
>> >
>> > I was wondering if anyone was looking into enforcement of strong 
>> > passwords.
>> > I'm not a hardcore C programmer but I'm willing to help. But first 
>> > I'll have to try getting the current version compiled.
>> > I'm certainly willing to do some testing.
>>     
>
> Funny you should mention that.  We're looking at that issue right now.  
> What sort of things would you want to check for?
> min number of lower case
> min number of upper case
> min number of digits
> min number of alphanumerics
> min number of special chars
> no user data in password
> dictionary checking?  If so, how?  /usr/share/dict/words?
>
>   
For OpenLDAP's password policy module we define an attribute in the 
policy object that gives the pathname of a dynamically loaded module 
that can perform further quality checks. We pass in the password that is 
being set, an error string pointer, and the user's current entry and get 
a yes/no result code back. I suggest a similar approach here; it's too 
limiting to just hardcode one set of rules into the server. (Heck, if we 
used SLAPI, we could write these modules interchangeably between 
OpenLDAP and FDS.) Symas currently has a module that checks against 
cracklib. You could bundle one or two standard modules and go from 
there. Probably we should have extended our API to include a pointer to 
the current policy object as well. The point is to make the API simple 
enough and expressive enough that end-users can plug in whatever 
constraints they want.
-- 
 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/
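
The pluggable check described in the message above, sketched as an added example (not code from the original post, OpenLDAP or FDS). The names check_quality, struct user_entry and struct pw_policy are hypothetical stand-ins for the server's own entry and policy types, and the static error strings are an assumption; the policy pointer is included as the message suggests.

```c
#include <ctype.h>
#include <stddef.h>

/* Hypothetical stand-ins: a real server passes its own entry and policy types. */
struct user_entry { const char *uid; const char *cn; };
struct pw_policy  { int min_lower, min_upper, min_digits, min_special; };

/* Case-insensitive substring search; NULL or empty needles never match. */
static int contains_ci(const char *hay, const char *needle) {
    if (!needle || !*needle) return 0;
    for (; *hay; hay++) {
        size_t i = 0;
        while (needle[i] && tolower((unsigned char)hay[i]) ==
                            tolower((unsigned char)needle[i]))
            i++;
        if (!needle[i]) return 1;   /* whole needle matched at this offset */
    }
    return 0;
}

/* Yes/no result: 0 accepts, -1 rejects and points *err at a static reason. */
int check_quality(const char *pw, const char **err,
                  const struct user_entry *e, const struct pw_policy *p) {
    int lower = 0, upper = 0, digits = 0, special = 0;
    for (const unsigned char *c = (const unsigned char *)pw; *c; c++) {
        if (islower(*c)) lower++;
        else if (isupper(*c)) upper++;
        else if (isdigit(*c)) digits++;
        else special++;             /* anything else, spaces included */
    }
    *err = NULL;
    if (lower < p->min_lower)          *err = "too few lower-case characters";
    else if (upper < p->min_upper)     *err = "too few upper-case characters";
    else if (digits < p->min_digits)   *err = "too few digits";
    else if (special < p->min_special) *err = "too few special characters";
    else if (contains_ci(pw, e->uid) || contains_ci(pw, e->cn))
        *err = "password contains user data";
    return *err ? -1 : 0;
}
```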



