I am trying to implement a password policy in OpenLDAP.
So far this is what my LDIF looks like for it:

```
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy

dn: olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config
objectClass: olcPpolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=ppolicy,dc=ldaptuto,dc=net
olcPPolicyUseLockout: FALSE
olcPPolicyHashCleartext: TRUE

dn: cn=ppolicy,dc=ldaptuto,dc=net
objectClass: device
objectClass: pwdPolicyChecker
objectClass: pwdPolicy
cn: ppolicy
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdMinLength: 10
pwdCheckQuality: 1
pwdInHistory: 5
pwdMustChange: TRUE
pwdMaxAge: 7776000
pwdMaxFailure: 10
pwdLockout: TRUE
pwdLockoutDuration: 1800
```
I need to make sure that when the user changes their password the new one differs in at least 2 positions from the old password.
I did not find any policy setting in the LDAP wiki for this. I also tried searching on the web with no result.
I figured I could write my own password checker, something like this; however, I don't see the old password being used in the checking process.
How can I implement a policy that ensures the new password differs in at least 2 positions from the old one in OpenLDAP?
You have to set

```
pwdSafeModify: TRUE
```

in the pwdPolicy entry. Then your own pwdChecker module also receives the old password when processing the extended operation request.