> Message: 5
> Date: Thu, 19 Jan 2006 14:25:16 -0700
> From: Richard Megginson <rmeggins@redhat.com>
>
> Jo De Troy wrote:
>> Hello,
>>
>> I was wondering if anyone was looking into enforcement of strong
>> passwords.
>> I'm not a hardcore C programmer but I'm willing to help. But first
>> I'll have to try in getting the current version compiled.
>> I'm certainly willing to do some testing.
>
> Funny you should mention that. We're looking at that issue right now.
> What sort of things would you want to check for?
> min number of lower case
> min number of upper case
> min number of digits
> min number of alphanumerics
> min number of special chars
> no user data in password
> dictionary checking? If so, how? /usr/share/dict/words?

For OpenLDAP's password policy module we define an attribute in the policy object that gives the pathname of a dynamically loaded module that can perform further quality checks. We pass in the password that is being set, an error string pointer, and the user's current entry and get a yes/no result code back. I suggest a similar approach here; it's too limiting to just hardcode one set of rules into the server. (Heck, if we used SLAPI, we could write these modules interchangeably between OpenLDAP and FDS.) Symas currently has a module that checks against cracklib. You could bundle one or two standard modules and go from there. Probably we should have extended our API to include a pointer to the current policy object as well. The point is to make the API simple enough and expressive enough that end-users can plug in whatever constraints they want.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/

Richard Megginson
2006-Jan-20 01:16 UTC
Re: [Fedora-directory-users] Re: enforce strong passwords
Howard Chu wrote:
>> Message: 5
>> Date: Thu, 19 Jan 2006 14:25:16 -0700
>> From: Richard Megginson <rmeggins@redhat.com>
>>
>> Jo De Troy wrote:
>>> Hello,
>>>
>>> I was wondering if anyone was looking into enforcement of strong
>>> passwords.
>>> I'm not a hardcore C programmer but I'm willing to help. But first
>>> I'll have to try in getting the current version compiled.
>>> I'm certainly willing to do some testing.
>>
>> Funny you should mention that. We're looking at that issue right
>> now. What sort of things would you want to check for?
>> min number of lower case
>> min number of upper case
>> min number of digits
>> min number of alphanumerics
>> min number of special chars
>> no user data in password
>> dictionary checking? If so, how? /usr/share/dict/words?
>
> For OpenLDAP's password policy module we define an attribute in the
> policy object that gives the pathname of a dynamically loaded module
> that can perform further quality checks. We pass in the password that
> is being set, an error string pointer, and the user's current entry
> and get a yes/no result code back. I suggest a similar approach here;
> it's too limiting to just hardcode one set of rules into the server.
> (Heck, if we used SLAPI, we could write these modules interchangeably
> between OpenLDAP and FDS.) Symas currently has a module that checks
> against cracklib. You could bundle one or two standard modules and go
> from there. Probably we should have extended our API to include a
> pointer to the current policy object as well. The point is to make the
> API simple enough and expressive enough that end-users can plug in
> whatever constraints they want.

Yes. That's the intention - make password policy pluggable. It's going to be a bit more work to add the entry points to the code. We should support the attribute that you described.
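
A sketch of the kind of check module discussed in this thread, added as an illustration; it is not part of either message and is not OpenLDAP or Fedora Directory Server code. It takes the password, an error string pointer, the user's entry and a policy pointer, and applies the character-class minimums and the "no user data in password" rule from the list above. The `user_entry` and `pw_policy` structs, the function name and the 0/-1 return convention are assumptions standing in for the server's real types.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins: a real module would receive the server's entry type
 * and read its limits from the policy object. */
struct user_entry { const char *uid; };
struct pw_policy  { int min_lower, min_upper, min_digit, min_special; };

/* Case-insensitive substring search, so "jdoe" is caught inside "xJDoe9". */
static int contains_ci(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    if (n == 0) return 0;
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return 1;
    }
    return 0;
}

/* Returns 0 to accept, -1 to reject; on reject *err names the failed rule.
 * Error strings are static here; a real module follows its server's
 * ownership rule for the message buffer. */
int check_password(const char *pw, const char **err,
                   const struct user_entry *entry, const struct pw_policy *pol) {
    int lower = 0, upper = 0, digit = 0, special = 0;
    for (const unsigned char *p = (const unsigned char *)pw; *p; p++) {
        if (islower(*p)) lower++;
        else if (isupper(*p)) upper++;
        else if (isdigit(*p)) digit++;
        else special++;          /* anything that is not a letter or digit */
    }
    *err = NULL;
    if (lower < pol->min_lower)          *err = "too few lower-case characters";
    else if (upper < pol->min_upper)     *err = "too few upper-case characters";
    else if (digit < pol->min_digit)     *err = "too few digits";
    else if (special < pol->min_special) *err = "too few special characters";
    else if (entry && entry->uid && contains_ci(pw, entry->uid))
        *err = "password contains the user id";
    return *err ? -1 : 0;
}
```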