New Password Syntax Checks


Overview

The server’s password syntax checking was lacking some common industry password syntax standards. The server can now handle many new kinds of password syntax checking, but it is limited to evaluating only the new password, as it does not do any kind of comparison between the current (old) password and the new one.

Design

Here is a list of the new password syntax checks that have been added to 389-ds-base.1.4.0, and how they work

Implementation

The following attributes were added to the password policy configuration. By default, all of these features are disabled.

passwordDictCheck: on|off
passwordDictPath:  <PATH TO CUSTOM CRACKLIB DICTIONARY FILES>
passwordMaxSequence: <number of characters - 0 disables feature>
passwordMaxSeqSets: <number of characters - 0 disables feature>
passwordMaxClassChars: <number of characters - 0 disables feature>
passwordPalindrome: on|off
passwordBadWords: WORD WORD WORD
passwordUserAttributes: ATTR ATTR ATTR
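
To make the attributes above concrete, here is an added Python sketch (not code from 389-ds-base) of five of these checks applied to a new password only, as the Overview describes. The exact thresholds ("longer than N"), the case-insensitive matching, and the sample policy and entry values are assumptions; passwordDictCheck (cracklib) and passwordMaxSeqSets are left out.

```python
# Added illustration, not 389-ds-base code; thresholds and case handling are assumptions.
def char_class(ch):
    """Classify a character as upper, lower, digit or special."""
    return ("upper" if ch.isupper() else "lower" if ch.islower()
            else "digit" if ch.isdigit() else "special")

def longest_monotonic_run(pw):
    """Longest run whose code points step by +1 ("1234") or -1 ("dcba")."""
    best = run = min(len(pw), 1)
    step = 0
    for prev, cur in zip(pw, pw[1:]):
        d = ord(cur) - ord(prev)
        if d in (1, -1):
            run = run + 1 if d == step else 2
            step = d
        else:
            run, step = 1, 0
        best = max(best, run)
    return best

def longest_class_run(pw):
    """Longest run of consecutive characters from one character class."""
    best, run, prev = 0, 0, None
    for ch in pw:
        cls = char_class(ch)
        run = run + 1 if cls == prev else 1
        prev, best = cls, max(best, run)
    return best

def check_password(pw, policy, entry=None):
    """Return the names of the policy attributes the new password violates."""
    low, failed = pw.lower(), []
    if 0 < policy.get("passwordMaxSequence", 0) < longest_monotonic_run(pw):
        failed.append("passwordMaxSequence")
    if 0 < policy.get("passwordMaxClassChars", 0) < longest_class_run(pw):
        failed.append("passwordMaxClassChars")
    if policy.get("passwordPalindrome") == "on" and len(pw) > 1 and low == low[::-1]:
        failed.append("passwordPalindrome")
    if any(w.lower() in low for w in policy.get("passwordBadWords", "").split()):
        failed.append("passwordBadWords")
    values = [v for a in policy.get("passwordUserAttributes", "").split()
              for v in (entry or {}).get(a, [])]
    if any(v and v.lower() in low for v in values):
        failed.append("passwordUserAttributes")
    return failed

# Constructed sample policy and user entry (values are not from the page).
POLICY = {"passwordMaxSequence": 3, "passwordMaxClassChars": 4, "passwordPalindrome": "on",
          "passwordBadWords": "redhat fedora", "passwordUserAttributes": "uid cn"}
ENTRY = {"uid": ["jdoe"], "cn": ["Jane Doe"]}
```

An empty policy dictionary models the default state, where every check is disabled and any password passes these checks.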

Dependencies

cracklib-devel.

Origin

https://github.com/389ds/389-ds-base/pull/2895

Author

mreynolds@redhat.com

Last modified on 1 March 2024