# Example of ppm configuration

# Such configuration must be stored into the pwdCheckModuleArg attribute
# of a password policy entry
# See slapo-ppolicy for more details
# Here is an example of such password policy:
#   dn: cn=default,ou=policies,dc=my-domain,dc=com
#   objectClass: pwdPolicy
#   objectClass: top
#   objectClass: pwdPolicyChecker
#   objectClass: person
#   pwdCheckQuality: 2
#   pwdAttribute: userPassword
#   sn: default
#   cn: default
#   pwdMinLength: 6
#   pwdCheckModule: /usr/local/lib/ppm.so
#   pwdCheckModuleArg:: bWluUXVhbGl0eSAzCmNoZWNrUkROIDAKY2hlY2tBdHRyaWJ1dGVzCmZvcmJpZGRlbkNoYXJzCm1heENvbnNlY3V0aXZlUGVyQ2xhc3MgMAp1c2VDcmFja2xpYiAwCmNyYWNrbGliRGljdCAvdmFyL2NhY2hlL2NyYWNrbGliL2NyYWNrbGliX2RpY3QKY2xhc3MtdXBwZXJDYXNlIEFCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaIDAgMSAwCmNsYXNzLWxvd2VyQ2FzZSBhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5eiAwIDEgMApjbGFzcy1kaWdpdCAwMTIzNDU2Nzg5IDAgMSAwCmNsYXNzLXNwZWNpYWwgPD4sPzsuOi8hwqfDuSUqwrVewqgkwqPCsibDqX4iIyd7KFstfMOoYF9cw6dew6BAKV3CsD19KyAwIDEgMAo=
#
# Different parameters are separated by a linefeed (\n)
# Parameters starting with a # are ignored
# Use a base64 tool to encode / decode the content of pwdCheckModuleArg
# (the "::" after the attribute name is the LDIF marker for a base64 value;
# the sample value above is the base64 form of the parameter lines shown in
# this file, with the non-ASCII characters of class-special encoded as UTF-8)
#
# NOTE(review): the values in the sample entry are illustrative only.
# pwdMinLength 6 is a short minimum; set the length your own policy requires.
# NOTE(review): pwdCheckModule names a shared object that the directory server
# loads; keep that file and its directory writable by the administrator only.
# NOTE(review): pwdCheckQuality 2 is expected to make the server refuse a
# password it cannot check (e.g. one supplied already hashed) - confirm
# against slapo-ppolicy for your OpenLDAP version.



# Parameters

# minQuality parameter
# Format:
# minQuality [NUMBER]
# Description:
# One point is granted for each class for which the MIN_FOR_POINT criterion is fulfilled.
# minQuality defines the minimum number of points for the password to be accepted.
# With the four classes defined at the end of this file (MIN_FOR_POINT 1 each),
# the value 3 means the password needs characters from at least three classes.
minQuality 3

# checkRDN parameter
# Format:
# checkRDN [0 | 1]
# Description:
# If set to 1, password must not contain a token from the RDN.
# Tokens are separated by these delimiters : space tabulation _ - , ; £
# The value 0 used here leaves this check off.
checkRDN 0

# checkAttributes parameter
# Format:
# checkAttributes [ATTR1,ATTR2,...]
# Description:
# Password must not contain a token from the values in the given list of attributes
# Tokens are substrings of the values of the given attributes,
# delimited by: space tabulation _ - , ; @
# For example, if uid="the wonderful entry",
# password must not contain "the", nor "wonderful", nor "entry"
# The list is empty here, so no attribute is checked in this sample.
checkAttributes

# forbiddenChars parameter
# Format:
# forbiddenChars [CHARACTERS_FORBIDDEN]
# Description:
# Defines the forbidden characters list (no separator).
# If one of them is found in the password, then it is rejected.
# The list is empty here, so no character is forbidden in this sample.
forbiddenChars

# maxConsecutivePerClass parameter
# Format:
# maxConsecutivePerClass [NUMBER]
# Description:
# Defines the maximum number of consecutive characters allowed for any class
# NOTE(review): 0 presumably disables this check - confirm against the ppm
# documentation.
maxConsecutivePerClass 0

# useCracklib parameter
# Format:
# useCracklib [0 | 1]
# Description:
# If set to 1, the password must pass the cracklib check
# The value 0 used here means no dictionary check is applied in this sample.
useCracklib 0

# cracklibDict parameter
# Format:
# cracklibDict [path_to_cracklib_dictionary]
# Description:
# directory+filename-prefix that your version of CrackLib will go hunting for
# For example, /var/pw_dict resolves as /var/pw_dict.pwd,
# /var/pw_dict.pwi and /var/pw_dict.hwm dictionary files
# NOTE(review): presumably only consulted when useCracklib is 1 - confirm.
# The dictionary files should be readable by the directory server and not
# writable by unprivileged users.
cracklibDict /var/cache/cracklib/cracklib_dict

# classes parameter
# Format:
# class-[CLASS_NAME] [CHARACTERS_DEFINING_CLASS] [MIN] [MIN_FOR_POINT] [MAX]
# Description:
# [CHARACTERS_DEFINING_CLASS]: characters defining the class (no separator)
# [MIN]: if fewer than [MIN] characters of this class are found in the password, then it is rejected
# [MIN_FOR_POINT]: one point is granted if the password contains at least [MIN_FOR_POINT] characters of this class
# [MAX]: if > [MAX] occurrences of characters from this class are found, then the password is rejected (0 means no maximum)
# In the lines below every class has MIN 0, MIN_FOR_POINT 1 and MAX 0: no class
# is mandatory on its own, one character earns the class its point, and there
# is no upper limit.
# class-special contains non-ASCII characters: keep the character encoding
# unchanged when the configuration is base64-encoded into pwdCheckModuleArg.
class-upperCase ABCDEFGHIJKLMNOPQRSTUVWXYZ 0 1 0
class-lowerCase abcdefghijklmnopqrstuvwxyz 0 1 0
class-digit 0123456789 0 1 0
class-special <>,?;.:/!§ù%*µ^¨$£²&é~"#'{([-|è`_\ç^à@)]°=}+ 0 1 0