Author: coudot Date: 2009-10-30 18:35:44 +0100 (Fri, 30 Oct 2009) New Revision: 40
Modified: openldap-ppolicy-check-password/trunk/README openldap-ppolicy-check-password/trunk/check_password.c Log: Apply patch form Jerome HUET (#137) and update documentation Modified: openldap-ppolicy-check-password/trunk/README =================================================================== --- openldap-ppolicy-check-password/trunk/README 2009-10-28 11:24:38 UTC (rev 39) +++ openldap-ppolicy-check-password/trunk/README 2009-10-30 17:35:44 UTC (rev 40) @@ -3,7 +3,8 @@ 2007-06-06 Michael Steinmann <[email protected]> 2008-01-30 Pierre-Yves Bonnetain <[email protected]> -2009-02-05 Clement Oudot <[email protected]> - LINAGORA Group +2009 Clement Oudot <[email protected]> - LTB-project +2009 Jerome HUET - LTB-project check_password.c is an OpenLDAP pwdPolicyChecker module used to check the strength and quality of user-provided passwords. @@ -18,12 +19,13 @@ Password checks --------------- - - passwords shorter than 6 characters are rejected (because cracklib WILL - reject them). + - passwords shorter than 6 characters are rejected if cracklib is used (because + cracklib WILL reject them). - syntactic checks controls how many different character classes are used (lower, upper, digit and punctuation characters). The minimum number of - classes is defined in a configuration file, not hardcoded anymore. + classes is defined in a configuration file. You can set the minimum for each + class. - passwords are checked against cracklib if cracklib is enabled at compile time. It can be disabled in configuration file. @@ -61,7 +63,7 @@ Configuration ------------- -The configuration file (/etc/openldap/check_passwd.conf by default) contains +The configuration file (/etc/openldap/check_password.conf by default) contains parameters for the module. If the file is not found, parameters are given their default value. 
@@ -74,13 +76,21 @@ Current parameters : -minPoints : integer. Default value : 3. Minimum number of quality points a new password must have -to be accepted. One quality point is awarded for each character class used in -the password. +- useCracklib: integer. Default value: 1. Set it to 0 to disable cracklib verification. + It has no effect if cracklib is not included at compile time. -useCracklib : integer. Default value : 1. Set it to 0 to disable cracklib verification. It has no -effect if cracklib is not included at compile time. +- minPoints: integer. Default value: 3. Minimum number of quality points a new + password must have to be accepted. One quality point is awarded for each character + class used in the password. +- minUpper: integer. Defaut value: 0. Minimum upper characters expected. + +- minLower: integer. Defaut value: 0. Minimum lower characters expected. + +- minDigit: integer. Defaut value: 0. Minimum digit characters expected. + +- minPunct: integer. Defaut value: 0. Minimum punctuation characters expected. + Logs ---- If a user password is rejected by an OpenLDAP pwdChecker module, the user will @@ -112,6 +122,10 @@ HISTORY ------- +* 2009-10-30 Clement OUDOT - LTB-project + Version 1.1 + - Apply patch from Jerome HUET for minUpper/minLower/minDigit/minPunct + * 2009-02-05 Clement Oudot <[email protected]> - LINAGORA Group Version 1.0.3 - Add useCracklib parameter in config file (with help of Pascal Pejac) Modified: openldap-ppolicy-check-password/trunk/check_password.c =================================================================== --- openldap-ppolicy-check-password/trunk/check_password.c 2009-10-28 11:24:38 UTC (rev 39) +++ openldap-ppolicy-check-password/trunk/check_password.c 2009-10-30 17:35:44 UTC (rev 40) 
@@ -69,6 +69,14 @@
 }
+static int set_digit (char *value)
+{
+#if defined(DEBUG)
+ syslog(LOG_NOTICE, "check_password: Setting parameter to [%s]", value);
+#endif
+ if (!isdigit(*value) || (int) (value[0] - '0') > 9) return 0;
+ return (int) (value[0] - '0');
+}
 static validator valid_word (char *word)
 {
@@ -77,6 +85,10 @@
 validator dealer;
 } list[] = {
 { "minPoints", set_quality },
 { "useCracklib", set_cracklib },
+ { "minUpper", set_digit },
+ { "minLower", set_digit },
+ { "minDigit", set_digit },
+ { "minPunct", set_digit },
 { NULL, NULL }
 };
 int index = 0;
@@ -180,6 +192,10 @@
 int nUpper = 0;
 int nDigit = 0;
 int nPunct = 0;
+ int minLower = 0;
+ int minUpper = 0;
+ int minDigit = 0;
+ int minPunct = 0;
 int nQuality = 0;
 int i;
@@ -204,6 +220,10 @@
 minQuality = read_config_file("minPoints");
 useCracklib = read_config_file("useCracklib");
+ minUpper = read_config_file("minUpper");
+ minLower = read_config_file("minLower");
+ minDigit = read_config_file("minDigit");
+ minPunct = read_config_file("minPunct");
 /** The password must have at least minQuality strength points with one
 * point for the first occurrance of a lower, upper, digit and
@@ -215,7 +235,8 @@
 if ( nQuality >= minQuality ) break;
 if ( islower (pPasswd[i]) ) {
- if ( !nLower ) {
+ minLower--;
+ if ( !nLower && (minLower < 1)) {
 nLower = 1;
 nQuality++;
 #if defined(DEBUG)
 syslog(LOG_NOTICE, "check_password: Found lower character - quality raise %d", nQuality);
@@ -225,7 +246,8 @@
 }
 if ( isupper (pPasswd[i]) ) {
- if ( !nUpper ) {
+ minUpper--;
+ if ( !nUpper && (minUpper < 1)) {
 nUpper = 1;
 nQuality++;
 #if defined(DEBUG)
 syslog(LOG_NOTICE, "check_password: Found upper character - quality raise %d", nQuality);
@@ -235,7 +257,8 @@
 }
 if ( isdigit (pPasswd[i]) ) {
- if ( !nDigit ) {
+ minDigit--;
+ if ( !nDigit && (minDigit < 1)) {
 nDigit = 1;
 nQuality++;
 #if defined(DEBUG)
 syslog(LOG_NOTICE, "check_password: Found digit character - quality raise %d", nQuality);
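Review bot: In set_digit the second test `(int) (value[0] - '0') > 9` can never be true once `isdigit(*value)` has passed (C guarantees the digit characters are contiguous), and only the first character is read, so a value such as "12" is silently accepted as 1 even though the README added in this commit describes these parameters as plain integers with no single-digit limit. `isdigit(*value)` on a plain `char` is also undefined for negative values, so the argument should be cast to `unsigned char`. A malformed value returns 0, which is indistinguishable from a configured 0 and therefore quietly switches the corresponding minimum off; that deserves a syslog line outside the DEBUG block so a policy typo is visible to the operator. Parsing with strtol covers all three points; the rewrite below needs <stdlib.h>, <errno.h> and <limits.h> in scope, which I cannot confirm from the hunk.
```c
static int set_digit (char *value)
{
	char *end;
	long v;
	/* … unchanged: DEBUG syslog of the raw value … */
	errno = 0;
	v = strtol(value, &end, 10);
	if (end == value || *end != '\0' || errno == ERANGE || v < 0 || v > INT_MAX) {
		syslog(LOG_NOTICE, "check_password: Ignoring invalid value [%s]", value);
		return 0;
	}
	return (int) v;
}
```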
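Review bot: The new minimums are not enforced as minimums: `minLower--; if ( !nLower && (minLower < 1))` only postpones the lower-case quality point until minLower such characters have been seen, and the unchanged `if ( nQuality >= minQuality ) break;` at the top of the hunk still leaves the loop as soon as minPoints is reached through the other classes, so nothing in these hunks rejects a password that never meets a per-class minimum (constructed example: minDigit=2 with a password holding one digit plus a lower, an upper and a punctuation character still reaches 3 points). If the README's "Minimum digit characters expected" is meant as a hard requirement, count each class unconditionally over the whole string and compare the counts after the loop, e.g. `if (nLowerSeen < minLower || nUpperSeen < minUpper || nDigitSeen < minDigit || nPunctSeen < minPunct) /* reject */`; the enclosing loop and the function's final decision lie outside the hunk, so a later check cannot be ruled out from here. The same pattern repeats in the isupper and isdigit hunks below and in the ispunct hunk on the next line.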
@@ -245,7 +268,8 @@
 }
 if ( ispunct (pPasswd[i]) ) {
- if ( !nPunct ) {
+ minPunct--;
+ if ( !nPunct && (minPunct < 1)) {
 nPunct = 1;
 nQuality++;
 #if defined(DEBUG)
 syslog(LOG_NOTICE, "check_password: Found punctuation character - quality raise %d", nQuality);
_______________________________________________ ltb-changes mailing list [email protected] http://lists.ltb-project.org/listinfo/ltb-changes
