OpenLDAP check_password Password Policy Module

The OpenLDAP project I am currently working on requires mandatory password strength checking in addition to password policy definitions. OpenLDAP supports the password policy specification out of the box. Password strength checking, however, requires writing a custom module as no such module is currently included.

Note that the OpenLDAP password policy implementation is based on an RFC draft.

I have written an OpenLDAP module that checks passwords for a minimum length of 6 characters and the presence of at least three out of four of lower, upper, digit and punctuation characters. Additionally, the module runs the password through cracklib (if cracklib has been linked in).
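The length and character-class rules described above, sketched as a standalone C function. This is an added example, not the module's source: check_strength, count_classes and the result codes are hypothetical names, the sample passwords are constructed, and the cracklib step is left out.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MIN_LENGTH 6    /* minimum length stated on the page */
#define MIN_CLASSES 3   /* classes required out of the four below */

enum pw_result { PW_OK = 0, PW_TOO_SHORT, PW_TOO_FEW_CLASSES };

/* Count how many of lower, upper, digit, punctuation occur in pw. */
static int count_classes(const char *pw)
{
    int lower = 0, upper = 0, digit = 0, punct = 0;
    for (const unsigned char *p = (const unsigned char *)pw; *p; p++) {
        if (islower(*p)) lower = 1;
        else if (isupper(*p)) upper = 1;
        else if (isdigit(*p)) digit = 1;
        else if (ispunct(*p)) punct = 1;
        /* spaces, control bytes and (in the C locale) non-ASCII count for no class */
    }
    return lower + upper + digit + punct;
}

/* Hypothetical helper: returns PW_OK or the first rule that failed,
 * and points *reason at a static message the caller can report. */
enum pw_result check_strength(const char *pw, const char **reason)
{
    if (pw == NULL || strlen(pw) < MIN_LENGTH) {
        *reason = "password is shorter than 6 characters";
        return PW_TOO_SHORT;
    }
    if (count_classes(pw) < MIN_CLASSES) {
        *reason = "password needs 3 of: lower, upper, digit, punctuation";
        return PW_TOO_FEW_CLASSES;
    }
    *reason = "ok";
    return PW_OK;
}

int main(void)
{
    const char *samples[] = { "Ab1", "abcdefgh", "abcDEFgh", "abc-12" }; /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *why;
        int rc = check_strength(samples[i], &why);
        printf("%-10s -> %d (%s)\n", samples[i], rc, why);
    }
    return 0;
}
```

Casting each byte to unsigned char before the ctype calls avoids undefined behaviour on bytes above 127, which matters because LDAP passwords can carry UTF-8.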

You need to add objectClass pwdPolicyChecker with an attribute pwdCheckModule: to a password policy entry.

Note that the module is not loaded at startup time (it is not loaded with a moduleload statement in slapd.conf) but rather on every password check operation involving a password policy entry where the module has been configured.

I have successfully built and tested it with OpenLDAP 2.3.35 on openSUSE 10.2 with the patch below.