On Thu, 2018-07-12 at 15:08 -0400, Mark Reynolds via FreeIPA-devel wrote:
> New Attributes to add to objectclass "krbPwdPolicy":
>
> krbPwdPalindrome: on
> krbPwdMaxSequence: 4
> krbPwdMaxSeqSets: 2
> krbPwdMaxCharClass: 3
> krbPwdMinDigits: 1
> krbPwdMinAlphas: 1
> krbPwdMinSpecial: 1
> krbPwdMin8bit: 0
> krbPwdMinUppers: 1
> krbPwdMinLowers: 1
> krbPwdMaxRepeated: 3
> krbPwdDictCheck: on
> krbPwdDictPath: /path/to/custom/cracklib/dict/files
> krbPwdBadWords: redhat fedora
> krbPwdUserAttrs: uid cn sn givenname mail
> krbPwdMinTokenLength: 3 **works only with "krbPwdUserAttrs".
> Example: if any 3 consecutive characters from "uid" (and friends) are in
> the new password then it is rejected
Also note that we do not own the krbPwd namespace, the MIT krb5 project does. It would not be nice to squat on their namespace. If you want to extend this you'll have to use the ipa namespace and OID space (but I am really against adding more specialized ldap attributes to do this stuff, it never ends and it is not a good interface to set/enforce this kind of policy IMHO).

>
> Implementation
> -------------------------------------------
>
> Dictionary Checks require linking with CrackLib as follows:

Cracklib makes calls to getpwuid_r in some cases (to check the gecos field ....) I am not sure that is desirable either ...

> diff --git a/freeipa.spec.in b/freeipa.spec.in
> index 0ebc6df3e..ba573a00f 100755
> --- a/freeipa.spec.in
> +++ b/freeipa.spec.in
> @@ -148,6 +148,7 @@ BuildRequires: libini_config-devel
> BuildRequires: cyrus-sasl-devel
> %if ! %{ONLY_CLIENT}
> BuildRequires: 389-ds-base-devel >= %{ds_version}
> +BuildRequires: cracklib-devel
>
>
> diff --git a/util/Makefile.am b/util/Makefile.am
> index be40e8699..5c24be2b9 100644
> --- a/util/Makefile.am
> +++ b/util/Makefile.am
> @@ -14,3 +14,4 @@ libutil_la_SOURCES = ipa_krb5.c \
> ipa_pwd_ntlm.c
>
> libutil_la_LIBADD = $(CRYPTO_LIBS) $(KRB5_LIBS) $(LDAP_LIBS)
> $(NSS_LIBS)
> +libutil_la_LDFLAGS = -lcrack
>
>
> pam_pwquality is open sourced and has been ported to 389 Directory
> Server. The changes in 389 DS can basically be copied and pasted into
> FreeIPA source (around ipapwd_CheckPolicy() in
> daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c). The major change
> here is that we need to provide the Slapi_Entry to ipapwd_CheckPolicy()
> so you can check its attributes/values for the "User Attribute"
> comparison feature (I've actually already coded this in a beta patch).

_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/message/VX3TCGGL2NBN7ZT7XTQVZ2WVQUMHXFXZ/
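Review bot: a runtime dependency is missing next to the new `+BuildRequires: cracklib-devel` line in the freeipa.spec.in hunk: the proposed krbPwdDictCheck relies on cracklib dictionary files (krbPwdDictPath or cracklib's default), which are only present if the server subpackage also gains a Requires on the package that ships them, so please add that alongside the build dependency. Keeping it inside the `%if ! %{ONLY_CLIENT}` block is correct, since the password plugin is server-only.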
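Review bot: `+libutil_la_LDFLAGS = -lcrack` in the util/Makefile.am hunk hardcodes a library in LDFLAGS, while the line just above it gathers libraries from configure-time variables in `libutil_la_LIBADD = $(CRYPTO_LIBS) $(KRB5_LIBS) $(LDAP_LIBS) $(NSS_LIBS)`; detect cracklib in configure.ac and append its result (a CRACK_LIBS variable, name assumed) to libutil_la_LIBADD instead, so libtool records the dependency properly. The flag is also unconditional, whereas the spec only pulls in cracklib-devel when not ONLY_CLIENT; if libutil is built in a client-only build, that link will fail, so the library should be added under the same condition.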
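The user-attribute token rule and the other per-character rules in the quoted proposal, as an added example that is not FreeIPA or 389 DS code: a Python model of the checks so their semantics can be exercised before being wired into ipapwd_CheckPolicy(). The policy values and the user entry are constructed here; the dictionary (cracklib) and 8-bit checks are left out.

```python
# Added example, not FreeIPA or 389 DS code: a Python model of several of the
# proposed krbPwdPolicy checks (dictionary/cracklib and 8-bit checks left out).
import string
POLICY = {"krbPwdPalindrome": True, "krbPwdMaxSequence": 4, "krbPwdMaxRepeated": 3,
          "krbPwdMinDigits": 1, "krbPwdMinAlphas": 1, "krbPwdMinSpecial": 1,
          "krbPwdMinUppers": 1, "krbPwdMinLowers": 1,
          "krbPwdBadWords": ["redhat", "fedora"], "krbPwdMinTokenLength": 3,
          "krbPwdUserAttrs": ["uid", "cn", "sn", "givenname", "mail"]}
# Constructed user entry standing in for the Slapi_Entry passed to the check.
USER = {"uid": ["jsmith"], "givenname": ["John"], "sn": ["Smith"]}

def longest_run(s, step):
    # Longest stretch where each code point is `step` from the previous one:
    # step 0 = repeated character, +1 / -1 = ascending / descending sequence.
    best = cur = 1
    for a, b in zip(s, s[1:]):
        cur = cur + 1 if ord(b) - ord(a) == step else 1
        best = max(best, cur)
    return best

def user_tokens(entry, attrs, length):
    # Every `length`-character window of the user's own attribute values.
    toks = set()
    for attr in attrs:
        for value in entry.get(attr, []):
            v = value.lower()
            toks.update(v[i:i + length] for i in range(len(v) - length + 1))
    return toks

def check_password(pw, entry=USER, policy=POLICY):
    # Returns the violated rules; an empty list means the password is accepted.
    errs, low = [], pw.lower()
    if policy["krbPwdPalindrome"] and low == low[::-1]:
        errs.append("palindrome")
    if longest_run(low, 0) > policy["krbPwdMaxRepeated"]:
        errs.append("repeated characters")
    if max(longest_run(low, 1), longest_run(low, -1)) > policy["krbPwdMaxSequence"]:
        errs.append("monotonic sequence")
    counts = {"krbPwdMinDigits": sum(c.isdigit() for c in pw),
              "krbPwdMinAlphas": sum(c.isalpha() for c in pw),
              "krbPwdMinUppers": sum(c.isupper() for c in pw),
              "krbPwdMinLowers": sum(c.islower() for c in pw),
              "krbPwdMinSpecial": sum(c in string.punctuation for c in pw)}
    errs += [k for k, n in counts.items() if n < policy[k]]
    errs += ["bad word " + w for w in policy["krbPwdBadWords"] if w in low]
    n = policy["krbPwdMinTokenLength"]
    if any(t in low for t in user_tokens(entry, policy["krbPwdUserAttrs"], n)):
        errs.append("user attribute token")
    return errs
```

With the constructed entry, "Jsmith#2019" is rejected solely because the uid window "jsm" appears in it, which is the krbPwdMinTokenLength behaviour the proposal describes.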