diff options
Diffstat (limited to 'contrib/slapd-modules/ppm')
| -rw-r--r-- | contrib/slapd-modules/ppm/CHANGELOG.md | 38 | ||||
| -rw-r--r-- | contrib/slapd-modules/ppm/CONTRIBUTIONS.md | 5 | ||||
| -rw-r--r-- | contrib/slapd-modules/ppm/INSTALL.md | 51 | ||||
| -rw-r--r-- | contrib/slapd-modules/ppm/LICENSE | 50 | ||||
| -rw-r--r-- | contrib/slapd-modules/ppm/Makefile | 97 | ||||
| -rw-r--r-- | contrib/slapd-modules/ppm/README.md | 1 | ||||
| -rw-r--r-- | contrib/slapd-modules/ppm/ppm.c | 684 | ||||
| -rw-r--r-- | contrib/slapd-modules/ppm/ppm.example | 85 | ||||
| -rw-r--r-- | contrib/slapd-modules/ppm/ppm.h | 125 | ||||
| -rw-r--r-- | contrib/slapd-modules/ppm/ppm.md | 343 | ||||
| -rw-r--r-- | contrib/slapd-modules/ppm/ppm_test.c | 66 | ||||
| -rw-r--r-- | contrib/slapd-modules/ppm/slapm-ppm.5 | 360 | ||||
| -rwxr-xr-x | contrib/slapd-modules/ppm/unit_tests.sh | 118 |
13 files changed, 2023 insertions, 0 deletions
diff --git a/contrib/slapd-modules/ppm/CHANGELOG.md b/contrib/slapd-modules/ppm/CHANGELOG.md new file mode 100644 index 0000000..d0e4ed7 --- /dev/null +++ b/contrib/slapd-modules/ppm/CHANGELOG.md @@ -0,0 +1,38 @@ +# CHANGELOG + +* 2021-02-23 David Coutadeur <david.coutadeur@gmail.com> + remove maxLength attribute (#21) + adapt the readme and documentation of ppm (#22) + prepare ppolicy10 in OpenLDAP 2.5 (#20, #23 and #24) + add pwdCheckModuleArg feature + Version 2.0 +* 2019-08-20 David Coutadeur <david.coutadeur@gmail.com> + adding debug symbols for ppm_test, + improve tests with the possibility to add username, + fix openldap crash when checkRDN=1 and username contains too short parts + Version 1.8 +* 2018-03-30 David Coutadeur <david.coutadeur@gmail.com> + various minor improvements provided by Tim Bishop (tdb) (compilation, test program, + imprvts in Makefile: new OLDAP_SOURCES variable pointing to OLDAP install. directory + Version 1.7 +* 2017-05-19 David Coutadeur <david.coutadeur@gmail.com> + Adds cracklib support + Readme adaptations and cleaning + Version 1.6 +* 2017-02-07 David Coutadeur <david.coutadeur@gmail.com> + Adds maxConsecutivePerClass (idea from Trevor Vaughan / tvaughan@onyxpoint.com) + Version 1.5 +* 2016-08-22 David Coutadeur <david.coutadeur@gmail.com> + Get config file from environment variable + Version 1.4 +* 2014-12-20 Daly Chikhaoui <dchikhaoui@janua.fr> + Adding checkRDN parameter + Version 1.3 +* 2014-10-28 David Coutadeur <david.coutadeur@gmail.com> + Adding maxLength parameter + Version 1.2 +* 2014-07-27 David Coutadeur <david.coutadeur@gmail.com> + Changing the configuration file and the configuration data structure + Version 1.1 +* 2014-04-04 David Coutadeur <david.coutadeur@gmail.com> + Version 1.0 diff --git a/contrib/slapd-modules/ppm/CONTRIBUTIONS.md b/contrib/slapd-modules/ppm/CONTRIBUTIONS.md new file mode 100644 index 0000000..0d563d8 --- /dev/null +++ b/contrib/slapd-modules/ppm/CONTRIBUTIONS.md @@ -0,0 +1,5 @@ +# CONTRIBUTIONS + +* 2014 - 2021 - David Coutadeur <david.coutadeur@gmail.com> - maintainer +* 2015 - Daly Chikhaoui - Janua <dchikhaoui@janua.fr> - contribution on RDN checks +* 2017 - tdb - Tim Bishop - contribution on some compilation improvements diff --git a/contrib/slapd-modules/ppm/INSTALL.md b/contrib/slapd-modules/ppm/INSTALL.md new file mode 100644 index 0000000..6052dc6 --- /dev/null +++ b/contrib/slapd-modules/ppm/INSTALL.md @@ -0,0 +1,51 @@ +INSTALLATION +============ + +Dependencies +------------------ +ppm is provided along with OpenLDAP sources. By default, it is available into contrib/slapd-modules. + - make sure both OpenLDAP sources and ppm are available for building. + - install cracklib development files if you want to test passwords against cracklib + - install pandoc if you want to build the man page + + +Build +----- +Enter contrib/slapd-modules/ppm directory + +You can optionally customize some variables if you don't want the default ones: +- prefix: prefix of the path where ppm is to be installed (defaults to /usr/local) +- ldap_subdir: OpenLDAP specific subdirectory for modules and configurations (defaults to openldap ) +- moduledir: where the ppm module is to be deployed (defaults to $prefix/$libexecdir/$ldap_subdir) +- etcdir: used to compose default sysconfdir location (defaults to $prefix/etc) +- sysconfdir: where the ppm example policy is to be deployed (defaults to $prefix/$etcdir/$ldap_subdir) +- LDAP_SRC: path to OpenLDAP source directory +- Options in OPTS variable: + CONFIG_FILE: (DEPRECATED) path to a ppm configuration file (see PPM_READ_FILE in ppm.h) + note: ppm configuration now lies into pwdCheckModuleArg password policy attribute + provided example file is only helpful as an example or for testing + CRACKLIB: if defined, link against cracklib + DEBUG: If defined, ppm logs its actions with syslog + + +To build ppm, simply run these commands: +(based upon the default prefix /usr/local of OpenLDAP) + +``` +make clean +make +make test +make doc +make install +``` + +Here is an illustrative example showing how to overload some options: + +``` +make clean +make LDAP_SRC=../../.. prefix=/usr/local libdir=/usr/local/lib +make test LDAP_SRC=../../.. +make doc prefix=/usr/local +make install prefix=/usr/local libdir=/usr/local/lib +``` + diff --git a/contrib/slapd-modules/ppm/LICENSE b/contrib/slapd-modules/ppm/LICENSE new file mode 100644 index 0000000..03f692b --- /dev/null +++ b/contrib/slapd-modules/ppm/LICENSE @@ -0,0 +1,50 @@ +OpenLDAP Public License + +The OpenLDAP Public License + Version 2.8.1, 25 November 2003 + +Redistribution and use of this software and associated documentation +("Software"), with or without modification, are permitted provided +that the following conditions are met: + +1. Redistributions in source form must retain copyright statements + and notices, + +2. Redistributions in binary form must reproduce applicable copyright + statements and notices, this list of conditions, and the following + disclaimer in the documentation and/or other materials provided + with the distribution, and + +3. Redistributions must contain a verbatim copy of this document. + +The OpenLDAP Foundation may revise this license from time to time. +Each revision is distinguished by a version number. You may use +this Software under terms of this license revision or under the +terms of any subsequent revision of the license. + +THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS +CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, +INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY +AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT +SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S) +OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, +INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN +ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +POSSIBILITY OF SUCH DAMAGE. + +The names of the authors and copyright holders must not be used in +advertising or otherwise to promote the sale, use or other dealing +in this Software without specific, written prior permission. Title +to copyright in this Software shall at all times remain with copyright +holders. + +OpenLDAP is a registered trademark of the OpenLDAP Foundation. + +Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, +California, USA. All rights reserved. Permission to copy and +distribute verbatim copies of this document is granted. + diff --git a/contrib/slapd-modules/ppm/Makefile b/contrib/slapd-modules/ppm/Makefile new file mode 100644 index 0000000..7b6efad --- /dev/null +++ b/contrib/slapd-modules/ppm/Makefile @@ -0,0 +1,97 @@ +# $OpenLDAP$ +# Copyright 2014 David Coutadeur, Paris. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted only as authorized by the OpenLDAP +# Public License. +# +# A copy of this license is available in the file LICENSE in the +# top-level directory of the distribution or, alternatively, at +# <http://www.OpenLDAP.org/license.html>. + +LDAP_SRC = ../../.. +LDAP_BUILD = $(LDAP_SRC) +LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd +LDAP_LIB = $(LDAP_BUILD)/libraries/liblber/liblber.la $(LDAP_BUILD)/libraries/libldap/libldap.la + +LIBTOOL = $(LDAP_BUILD)/libtool +INSTALL = /usr/bin/install +CC = gcc +OPT = -g -O2 -fpic + +# To skip linking against CRACKLIB make CRACK=no +CRACK=yes +CRACKDEF_yes= -DCRACKLIB +CRACKDEF_no= + +CRACKLIB_yes= -lcrack +CRACKLIB_no= + +CRACKDEF=$(CRACKDEF_$(CRACK)) +CRACKLIB=$(CRACKLIB_$(CRACK)) + +DEFS = -DDEBUG $(CRACKDEF) +# Define if using a config file: +# -DCONFIG_FILE="\"$(sysconfdir)/$(EXAMPLE)\"" + +INCS = $(LDAP_INC) +LIBS = $(LDAP_LIB) + +PROGRAMS=ppm.so +LTVER = 0:0:0 + +LDAP_LIBS = -L$(LDAP_BUILD)/libraries/liblber/.libs -L$(LDAP_BUILD)/libraries/libldap/.libs -lldap -llber + +prefix=/usr/local +exec_prefix=$(prefix) +ldap_subdir=/openldap + +libdir=$(exec_prefix)/lib +libexecdir=$(exec_prefix)/libexec +moduledir = $(libexecdir)$(ldap_subdir) +mandir = $(exec_prefix)/share/man +man5dir = $(mandir)/man5 +etcdir = $(exec_prefix)/etc +sysconfdir = $(etcdir)$(ldap_subdir) + +TEST=ppm_test +EXAMPLE=ppm.example +TESTS=./unit_tests.sh + +MANDOC=slapm-ppm.5 +MDDOC=ppm.md + +all: ppm $(TEST) + +$(TEST): ppm + $(CC) $(CFLAGS) $(OPT) $(CPPFLAGS) $(LDFLAGS) $(INCS) $(LDAP_LIBS) -Wl,-rpath=. -o $(TEST) ppm_test.c $(PROGRAMS) $(LDAP_LIBS) $(CRACKLIB) + +ppm.o: + $(CC) $(CFLAGS) $(OPT) $(CPPFLAGS) $(DEFS) -c $(INCS) ppm.c + +ppm: ppm.o + $(CC) $(LDFLAGS) $(INCS) -shared -o $(PROGRAMS) ppm.o $(CRACKLIB) + +install: ppm + mkdir -p $(DESTDIR)$(moduledir) + for p in $(PROGRAMS); do \ + $(LIBTOOL) --mode=install cp $$p $(DESTDIR)/$(moduledir) ; \ + done + $(INSTALL) -m 644 $(EXAMPLE) $(DESTDIR)$(sysconfdir)/ + $(INSTALL) -m 644 $(MANDOC) $(DESTDIR)$(man5dir)/ +# $(INSTALL) -m 755 $(TEST) $(libdir) + +.PHONY: clean + +clean: + $(RM) -f ppm.o $(PROGRAMS) ppm.lo $(TEST) + $(RM) -rf .libs + +test: ppm $(TEST) + LDAP_SRC=$(LDAP_SRC) $(TESTS) + +doc: + pandoc $(MDDOC) -s -t man -o $(MANDOC) + sed -i -e 's#ETCDIR#$(DESTDIR)$(sysconfdir)#g' $(MANDOC) + diff --git a/contrib/slapd-modules/ppm/README.md b/contrib/slapd-modules/ppm/README.md new file mode 100644 index 0000000..129f788 --- /dev/null +++ b/contrib/slapd-modules/ppm/README.md @@ -0,0 +1 @@ +See ppm.md manual and INSTALL.md diff --git a/contrib/slapd-modules/ppm/ppm.c b/contrib/slapd-modules/ppm/ppm.c new file mode 100644 index 0000000..801ab6c --- /dev/null +++ b/contrib/slapd-modules/ppm/ppm.c @@ -0,0 +1,684 @@ +/* + * ppm.c for OpenLDAP + * + * See LICENSE, README and INSTALL files + */ + + +/* + password policy module is called with: + int check_password (char *pPasswd, char **ppErrStr, Entry *e, void *pArg) + + *pPasswd: new password + **ppErrStr: pointer to the string containing the error message + *e: pointer to the current user entry + *pArg: pointer to a struct berval holding the value of pwdCheckModuleArg attr +*/ + +#include <stdlib.h> // for type conversion, such as atoi... +#include <regex.h> // for matching allowedParameters / conf file +#include <string.h> +#include <ctype.h> +#include <portable.h> +#include <slap.h> +#include <stdarg.h> // for variable nb of arguments functions +#include "ppm.h" + +#ifdef CRACKLIB +#include "crack.h" // use cracklib to check password +#endif + +void +ppm_log(int priority, const char *format, ...) +{ + // if DEBUG flag is set + // logs into syslog (for OpenLDAP) or to stdout (for tests) +#if defined(DEBUG) + if(ppm_test != 1) + { + va_list syslog_args; + va_start(syslog_args, format); + vsyslog(priority, format, syslog_args); + va_end(syslog_args); + } + else + { + va_list stdout_args; + va_start(stdout_args, format); + vprintf(format, stdout_args); + printf("\n"); + fflush(stdout); + va_end(stdout_args); + } +#endif +} + +void +strcpy_safe(char *dest, char *src, int length_dest) +{ + if(src == NULL) + { + dest[0] = '\0'; + } + else + { + int length_src = strlen(src); + int n = (length_dest < length_src) ? length_dest : length_src; + // Copy the string — don’t copy too many bytes. + strncpy(dest, src, n); + // Ensure null-termination. + dest[n] = '\0'; + } +} + +genValue* +getValue(conf *fileConf, int numParam, char* param) +{ + int i = 0; + + // First scan parameters + for (i = 0; i < numParam; i++) { + if ((strlen(param) == strlen(fileConf[i].param)) + && (strncmp(param, fileConf[i].param, strlen(fileConf[i].param)) + == 0)) { + return &(fileConf[i].value); + } + } + return NULL; +} + +int maxConsPerClass(char *password, char *charClass) +{ + // find maximum number of consecutive class characters in the password + + int bestMax = 0; + int max = 0; + int i; + + for(i=0 ; i<strlen(password) ; i++) + { + if(strchr(charClass,password[i]) != NULL) + { + // current character is in class + max++; + // is the new max a better candidate to maxConsecutivePerClass? + if(max > bestMax) + { + // found a better maxConsecutivePerClass + bestMax = max; + } + } + else + { + // current character is not in class + // reinitialize max + max=0; + } + } + return bestMax; +} + +void +storeEntry(char *param, char *value, valueType valType, + char *min, char *minForPoint, conf * fileConf, int *numParam) +{ + int i = 0; + int iMin; + int iMinForPoint; + if (min == NULL || strcmp(min,"") == 0) + iMin = 0; + else + iMin = atoi(min); + + if (minForPoint == NULL || strcmp(minForPoint,"") == 0) + iMinForPoint = 0; + else + iMinForPoint = atoi(minForPoint); + + // First scan parameters + for (i = 0; i < *numParam; i++) { + if ((strlen(param) == strlen(fileConf[i].param)) + && (strncmp(param, fileConf[i].param, strlen(fileConf[i].param)) + == 0)) { + // entry found, replace values + if(valType == typeInt) + fileConf[i].value.iVal = atoi(value); + else + strcpy_safe(fileConf[i].value.sVal, value, VALUE_MAX_LEN); + fileConf[i].min = iMin; + fileConf[i].minForPoint = iMinForPoint; + if(valType == typeInt) + ppm_log(LOG_NOTICE, "ppm: Accepted replaced value: %d", + fileConf[i].value.iVal); + else + ppm_log(LOG_NOTICE, "ppm: Accepted replaced value: %s", + fileConf[i].value.sVal); + return; + } + } + // entry not found, add values + strcpy_safe(fileConf[*numParam].param, param, PARAM_MAX_LEN); + fileConf[*numParam].iType = valType; + if(valType == typeInt) + fileConf[i].value.iVal = atoi(value); + else + strcpy_safe(fileConf[i].value.sVal, value, VALUE_MAX_LEN); + fileConf[*numParam].min = iMin; + fileConf[*numParam].minForPoint = iMinForPoint; + ++(*numParam); + if(valType == typeInt) + ppm_log(LOG_NOTICE, "ppm: Accepted new value: %d", + fileConf[*numParam].value.iVal); + else + ppm_log(LOG_NOTICE, "ppm: Accepted new value: %s", + fileConf[*numParam].value.sVal); +} + +int +typeParam(char* param) +{ + int i; + int n = sizeof(allowedParameters)/sizeof(params); + + regex_t regex; + int reti; + + for(i = 0 ; i < n ; i++ ) + { + // Compile regular expression + reti = regcomp(®ex, allowedParameters[i].param, 0); + if (reti) { + ppm_log(LOG_ERR, "ppm: Cannot compile regex: %s", + allowedParameters[i].param); + return n; + } + + // Execute regular expression + reti = regexec(®ex, param, 0, NULL, 0); + if (!reti) + { + regfree(®ex); + return i; + } + regfree(®ex); + } + return n; +} + +#ifndef PPM_READ_FILE + + /* + * read configuration into pwdCheckModuleArg attribute + * */ + static void + read_config_attr(conf * fileConf, int *numParam, char *ppm_config_attr) + { + int nParam = 0; // position of found parameter in allowedParameters + int sAllowedParameters = sizeof(allowedParameters)/sizeof(params); + char arg[260*256]; + char *token; + char *saveptr1; + char *saveptr2; + + strcpy_safe(arg, ppm_config_attr, 260*256); + ppm_log(LOG_NOTICE, "ppm: Parsing pwdCheckModuleArg attribute"); + token = strtok_r(arg, "\n", &saveptr1); + + while (token != NULL) { + ppm_log(LOG_NOTICE, "ppm: get line: %s",token); + char *start = token; + char *word, *value; + char *min, *minForPoint;; + + while (isspace(*start) && isascii(*start)) + start++; + + if (!isascii(*start)) + { + token = strtok_r(NULL, "\n", &saveptr1); + continue; + } + if (start[0] == '#') + { + token = strtok_r(NULL, "\n", &saveptr1); + continue; + } + + if ((word = strtok_r(start, " \t", &saveptr2))) { + if ((value = strtok_r(NULL, " \t", &saveptr2)) == NULL) + { + saveptr2 = NULL; + ppm_log(LOG_NOTICE, "ppm: No value, goto next parameter"); + token = strtok_r(NULL, "\n", &saveptr1); + continue; + } + if (strchr(value, '\n') != NULL) + strchr(value, '\n')[0] = '\0'; + min = strtok_r(NULL, " \t", &saveptr2); + if (min != NULL) + if (strchr(min, '\n') != NULL) + strchr(min, '\n')[0] = '\0'; + minForPoint = strtok_r(NULL, " \t", &saveptr2); + if (minForPoint != NULL) + if (strchr(minForPoint, '\n') != NULL) + strchr(minForPoint, '\n')[0] = '\0'; + + + nParam = typeParam(word); // search for param in allowedParameters + if (nParam != sAllowedParameters) // param has been found + { + ppm_log(LOG_NOTICE, + "ppm: Param = %s, value = %s, min = %s, minForPoint= %s", + word, value, min, minForPoint); + + storeEntry(word, value, allowedParameters[nParam].iType, + min, minForPoint, fileConf, numParam); + } + else + { + ppm_log(LOG_NOTICE, + "ppm: Parameter '%s' rejected", word); + } + + } + token = strtok_r(NULL, "\n", &saveptr1); + } + + } + +#endif + +#ifdef PPM_READ_FILE + + /* + * read configuration file (DEPRECATED) + * */ + static void + read_config_file(conf * fileConf, int *numParam, char *ppm_config_file) + { + FILE *config; + char line[260] = ""; + int nParam = 0; // position of found parameter in allowedParameters + int sAllowedParameters = sizeof(allowedParameters)/sizeof(params); + + ppm_log(LOG_NOTICE, "ppm: Opening file %s", ppm_config_file); + if ((config = fopen(ppm_config_file, "r")) == NULL) { + ppm_log(LOG_ERR, "ppm: Opening file %s failed", ppm_config_file); + exit(EXIT_FAILURE); + } + + while (fgets(line, 256, config) != NULL) { + char *start = line; + char *word, *value; + char *min, *minForPoint;; + + while (isspace(*start) && isascii(*start)) + start++; + + if (!isascii(*start)) + continue; + if (start[0] == '#') + continue; + + if ((word = strtok(start, " \t"))) { + if ((value = strtok(NULL, " \t")) == NULL) + continue; + if (strchr(value, '\n') != NULL) + strchr(value, '\n')[0] = '\0'; + min = strtok(NULL, " \t"); + if (min != NULL) + if (strchr(min, '\n') != NULL) + strchr(min, '\n')[0] = '\0'; + minForPoint = strtok(NULL, " \t"); + if (minForPoint != NULL) + if (strchr(minForPoint, '\n') != NULL) + strchr(minForPoint, '\n')[0] = '\0'; + + + nParam = typeParam(word); // search for param in allowedParameters + if (nParam != sAllowedParameters) // param has been found + { + ppm_log(LOG_NOTICE, + "ppm: Param = %s, value = %s, min = %s, minForPoint= %s", + word, value, min, minForPoint); + + storeEntry(word, value, allowedParameters[nParam].iType, + min, minForPoint, fileConf, numParam); + } + else + { + ppm_log(LOG_NOTICE, + "ppm: Parameter '%s' rejected", word); + } + + } + } + + fclose(config); + } + +#endif + +static int +realloc_error_message(char **target, int curlen, int nextlen) +{ + if (curlen < nextlen + MEMORY_MARGIN) { + ppm_log(LOG_WARNING, + "ppm: Reallocating szErrStr from %d to %d", curlen, + nextlen + MEMORY_MARGIN); + ber_memfree(*target); + curlen = nextlen + MEMORY_MARGIN; + *target = (char *) ber_memalloc(curlen); + } + + return curlen; +} + +// Does the password contains a token from the RDN ? +int +containsRDN(char* passwd, char* DN) +{ + char lDN[DN_MAX_LEN]; + char * tmpToken; + char * token; + regex_t regex; + int reti; + + strcpy_safe(lDN, DN, DN_MAX_LEN); + + // Extract the RDN from the DN + tmpToken = strtok(lDN, ",+"); + tmpToken = strtok(tmpToken, "="); + tmpToken = strtok(NULL, "="); + + // Search for each token in the password */ + token = strtok(tmpToken, TOKENS_DELIMITERS); + + while (token != NULL) + { + if (strlen(token) > 2) + { + ppm_log(LOG_NOTICE, "ppm: Checking if %s part of RDN matches the password", token); + // Compile regular expression + reti = regcomp(®ex, token, REG_ICASE); + if (reti) { + ppm_log(LOG_ERR, "ppm: Cannot compile regex: %s", token); + return 0; + } + + // Execute regular expression + reti = regexec(®ex, passwd, 0, NULL, 0); + if (!reti) + { + regfree(®ex); + return 1; + } + + regfree(®ex); + } + else + { + ppm_log(LOG_NOTICE, "ppm: %s part of RDN is too short to be checked", token); + } + token = strtok(NULL, TOKENS_DELIMITERS); + } + + return 0; +} + + +int +check_password(char *pPasswd, char **ppErrStr, Entry *e, void *pArg) +{ + + Entry *pEntry = e; + struct berval *pwdCheckModuleArg = pArg; + char *szErrStr = (char *) ber_memalloc(MEM_INIT_SZ); + int mem_len = MEM_INIT_SZ; + int numParam = 0; // Number of params in current configuration + + int useCracklib; + char cracklibDict[VALUE_MAX_LEN]; + char cracklibDictFiles[3][(VALUE_MAX_LEN+5)]; + char const* cracklibExt[] = { ".hwm", ".pwd", ".pwi" }; + FILE* fd; + char* res; + int minQuality; + int checkRDN; + char forbiddenChars[VALUE_MAX_LEN]; + int nForbiddenChars = 0; + int nQuality = 0; + int maxConsecutivePerClass; + int nbInClass[CONF_MAX_SIZE]; + int i,j; + + ppm_log(LOG_NOTICE, "ppm: entry %s", pEntry->e_nname.bv_val); + +#ifdef PPM_READ_FILE + /* Determine if config file is to be read (DEPRECATED) */ + char ppm_config_file[FILENAME_MAX_LEN]; + + ppm_log(LOG_NOTICE, "ppm: Not reading pwdCheckModuleArg attribute"); + ppm_log(LOG_NOTICE, "ppm: instead, read configuration file (deprecated)"); + + strcpy_safe(ppm_config_file, getenv("PPM_CONFIG_FILE"), FILENAME_MAX_LEN); + if (ppm_config_file[0] == '\0') { + strcpy_safe(ppm_config_file, CONFIG_FILE, FILENAME_MAX_LEN); + } + ppm_log(LOG_NOTICE, "ppm: reading config file from %s", ppm_config_file); +#else + if ( !pwdCheckModuleArg || !pwdCheckModuleArg->bv_val ) { + ppm_log(LOG_ERR, "ppm: No config provided in pwdCheckModuleArg"); + mem_len = realloc_error_message(&szErrStr, mem_len, + strlen(GENERIC_ERROR)); + sprintf(szErrStr, GENERIC_ERROR); + goto fail; + } + + ppm_log(LOG_NOTICE, "ppm: Reading pwdCheckModuleArg attribute"); + ppm_log(LOG_NOTICE, "ppm: RAW configuration: %s", pwdCheckModuleArg->bv_val); +#endif + + for (i = 0; i < CONF_MAX_SIZE; i++) + nbInClass[i] = 0; + + /* Set default values */ + conf fileConf[CONF_MAX_SIZE] = { + {"minQuality", typeInt, {.iVal = DEFAULT_QUALITY}, 0, 0 + } + , + {"checkRDN", typeInt, {.iVal = 0}, 0, 0 + } + , + {"forbiddenChars", typeStr, {.sVal = ""}, 0, 0 + } + , + {"maxConsecutivePerClass", typeInt, {.iVal = 0}, 0, 0 + } + , + {"useCracklib", typeInt, {.iVal = 0}, 0, 0 + } + , + {"cracklibDict", typeStr, {.sVal = "/var/cache/cracklib/cracklib_dict"}, 0, 0 + } + , + {"class-upperCase", typeStr, {.sVal = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"}, 0, 1 + } + , + {"class-lowerCase", typeStr, {.sVal = "abcdefghijklmnopqrstuvwxyz"}, 0, 1 + } + , + {"class-digit", typeStr, {.sVal = "0123456789"}, 0, 1 + } + , + {"class-special", typeStr, + {.sVal = "<>,?;.:/!§ù%*µ^¨$£²&é~\"#'{([-|è`_\\ç^à@)]°=}+"}, 0, 1 + } + }; + numParam = 10; + + #ifdef PPM_READ_FILE + /* Read configuration file (DEPRECATED) */ + read_config_file(fileConf, &numParam, ppm_config_file); + #else + /* Read configuration attribute (pwdCheckModuleArg) */ + read_config_attr(fileConf, &numParam, (*(struct berval*)pwdCheckModuleArg).bv_val); + #endif + + minQuality = getValue(fileConf, numParam, "minQuality")->iVal; + checkRDN = getValue(fileConf, numParam, "checkRDN")->iVal; + strcpy_safe(forbiddenChars, + getValue(fileConf, numParam, "forbiddenChars")->sVal, + VALUE_MAX_LEN); + maxConsecutivePerClass = getValue(fileConf, numParam, "maxConsecutivePerClass")->iVal; + useCracklib = getValue(fileConf, numParam, "useCracklib")->iVal; + strcpy_safe(cracklibDict, + getValue(fileConf, numParam, "cracklibDict")->sVal, + VALUE_MAX_LEN); + + + /*The password must have at least minQuality strength points with one + * point granted if the password contains at least minForPoint characters for each class + * It must contains at least min chars of each class + * It must not contain any char in forbiddenChar */ + + for (i = 0; i < strlen(pPasswd); i++) { + + int n; + for (n = 0; n < numParam; n++) { + if (strstr(fileConf[n].param, "class-") != NULL) { + if (strchr(fileConf[n].value.sVal, pPasswd[i]) != NULL) { + ++(nbInClass[n]); + } + } + } + if (strchr(forbiddenChars, pPasswd[i]) != NULL) { + nForbiddenChars++; + } + } + + // Password checking done, now loocking for minForPoint criteria + for (i = 0; i < CONF_MAX_SIZE; i++) { + if (strstr(fileConf[i].param, "class-") != NULL) { + if ((nbInClass[i] >= fileConf[i].minForPoint) + && strlen(fileConf[i].value.sVal) != 0) { + // 1 point granted + ++nQuality; + ppm_log(LOG_NOTICE, "ppm: 1 point granted for class %s", + fileConf[i].param); + } + } + } + + if (nQuality < minQuality) { + mem_len = realloc_error_message(&szErrStr, mem_len, + strlen(PASSWORD_QUALITY_SZ) + + strlen(pEntry->e_nname.bv_val) + 4); + sprintf(szErrStr, PASSWORD_QUALITY_SZ, pEntry->e_nname.bv_val, + nQuality, minQuality); + goto fail; + } + // Password checking done, now loocking for constraintClass criteria + for (i = 0; i < CONF_MAX_SIZE; i++) { + if (strstr(fileConf[i].param, "class-") != NULL) { + if ((nbInClass[i] < fileConf[i].min) && + strlen(fileConf[i].value.sVal) != 0) { + // constraint is not satisfied... goto fail + mem_len = realloc_error_message(&szErrStr, mem_len, + strlen(PASSWORD_CRITERIA) + + strlen(pEntry->e_nname.bv_val) + + 2 + PARAM_MAX_LEN); + sprintf(szErrStr, PASSWORD_CRITERIA, pEntry->e_nname.bv_val, + fileConf[i].min, fileConf[i].param); + goto fail; + } + } + } + + // Password checking done, now loocking for forbiddenChars criteria + if (nForbiddenChars > 0) { // at least 1 forbidden char... goto fail + mem_len = realloc_error_message(&szErrStr, mem_len, + strlen(PASSWORD_FORBIDDENCHARS) + + strlen(pEntry->e_nname.bv_val) + 2 + + VALUE_MAX_LEN); + sprintf(szErrStr, PASSWORD_FORBIDDENCHARS, pEntry->e_nname.bv_val, + nForbiddenChars, forbiddenChars); + goto fail; + } + + // Password checking done, now loocking for maxConsecutivePerClass criteria + for (i = 0; i < CONF_MAX_SIZE; i++) { + if (strstr(fileConf[i].param, "class-") != NULL) { + if ( maxConsecutivePerClass != 0 && + (maxConsPerClass(pPasswd,fileConf[i].value.sVal) + > maxConsecutivePerClass)) { + // Too much consecutive characters of the same class + ppm_log(LOG_NOTICE, "ppm: Too much consecutive chars for class %s", + fileConf[i].param); + mem_len = realloc_error_message(&szErrStr, mem_len, + strlen(PASSWORD_MAXCONSECUTIVEPERCLASS) + + strlen(pEntry->e_nname.bv_val) + 2 + + PARAM_MAX_LEN); + sprintf(szErrStr, PASSWORD_MAXCONSECUTIVEPERCLASS, pEntry->e_nname.bv_val, + maxConsecutivePerClass, fileConf[i].param); + goto fail; + } + } + } +#ifdef CRACKLIB + // Password checking done, now loocking for cracklib criteria + if ( useCracklib > 0 ) { + + for( j = 0 ; j < 3 ; j++) { + strcpy_safe(cracklibDictFiles[j], cracklibDict, VALUE_MAX_LEN); + strcat(cracklibDictFiles[j], cracklibExt[j]); + if (( fd = fopen ( cracklibDictFiles[j], "r")) == NULL ) { + ppm_log(LOG_NOTICE, "ppm: Error while reading %s file", + cracklibDictFiles[j]); + mem_len = realloc_error_message(&szErrStr, mem_len, + strlen(GENERIC_ERROR)); + sprintf(szErrStr, GENERIC_ERROR); + goto fail; + + } + else { + fclose (fd); + } + } + res = (char *) FascistCheck (pPasswd, cracklibDict); + if ( res != NULL ) { + ppm_log(LOG_NOTICE, "ppm: cracklib does not validate password for entry %s", + pEntry->e_nname.bv_val); + mem_len = realloc_error_message(&szErrStr, mem_len, + strlen(PASSWORD_CRACKLIB) + + strlen(pEntry->e_nname.bv_val)); + sprintf(szErrStr, PASSWORD_CRACKLIB, pEntry->e_nname.bv_val); + goto fail; + + } + + } +#endif + + // Password checking done, now looking for checkRDN criteria + if (checkRDN == 1 && containsRDN(pPasswd, pEntry->e_nname.bv_val)) + // RDN check enabled and a token from RDN is found in password: goto fail + { + mem_len = realloc_error_message(&szErrStr, mem_len, + strlen(RDN_TOKEN_FOUND) + + strlen(pEntry->e_nname.bv_val)); + sprintf(szErrStr, RDN_TOKEN_FOUND, pEntry->e_nname.bv_val); + + goto fail; + } + + *ppErrStr = strdup(""); + ber_memfree(szErrStr); + return (LDAP_SUCCESS); + + fail: + *ppErrStr = strdup(szErrStr); + ber_memfree(szErrStr); + return (EXIT_FAILURE); + +} diff --git a/contrib/slapd-modules/ppm/ppm.example b/contrib/slapd-modules/ppm/ppm.example new file mode 100644 index 0000000..10cf132 --- /dev/null +++ b/contrib/slapd-modules/ppm/ppm.example @@ -0,0 +1,85 @@ +# Example of ppm configuration + +# Such configuration must be stored into pwdCheckModuleArg attribute +# of a password policy entry +# See slapo-ppolicy for more details +# Here is an example of such password policy: +# dn: cn=default,ou=policies,dc=my-domain,dc=com +# objectClass: pwdPolicy +# objectClass: top +# objectClass: pwdPolicyChecker +# objectClass: person +# pwdCheckQuality: 2 +# pwdAttribute: userPassword +# sn: default +# cn: default +# pwdMinLength: 6 +# pwdCheckModule: /usr/local/lib/ppm.so +# pwdCheckModuleArg:: bWluUXVhbGl0eSAzCmNoZWNrUkROIDAKZm9yYmlkZGVuQ2hhcnMKbWF4Q29uc2VjdXRpdmVQZXJDbGFzcyAwCnVzZUNyYWNrbGliIDAKY3JhY2tsaWJEaWN0IC92YXIvY2FjaGUvY3JhY2tsaWIvY3JhY2tsaWJfZGljdApjbGFzcy11cHBlckNhc2UgQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVogMCAxCmNsYXNzLWxvd2VyQ2FzZSBhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5eiAwIDEKY2xhc3MtZGlnaXQgMDEyMzQ1Njc4OSAwIDEKY2xhc3Mtc3BlY2lhbCA8Piw/Oy46LyHCp8O5JSrCtV7CqCTCo8KyJsOpfiIjJ3soWy18w6hgX1zDp17DoEApXcKwPX0rIDAgMQ== +# +# Different parameters are separated by a linefeed (\n) +# Parameters starting with a # are ignored +# Use a base64 tool to code / decode the content of pwdCheckModuleArg + + + +# Parameters + +# minQuality parameter +# Format: +# minQuality [NUMBER] +# Description: +# One point is granted for each class for which MIN_FOR_POINT criteria is fulfilled. +# defines the minimum point numbers for the password to be accepted. +minQuality 3 + +# checkRDN parameter +# Format: +# checkRDN [0 | 1] +# Description: +# If set to 1, password must not contain a token from the RDN. +# Tokens are separated by these delimiters : space tabulation _ - , ; £ +checkRDN 0 + +# forbiddenChars parameter +# Format: +# forbiddenChars [CHARACTERS_FORBIDDEN] +# Description: +# Defines the forbidden characters list (no separator). +# If one of them is found in the password, then it is rejected. +forbiddenChars + +# maxConsecutivePerClass parameter +# Format: +# maxConsecutivePerClass [NUMBER] +# Description: +# Defines the maximum number of consecutive character allowed for any class +maxConsecutivePerClass 0 + +# useCracklib parameter +# Format: +# useCracklib [0 | 1] +# Description: +# If set to 1, the password must pass the cracklib check +useCracklib 0 + +# cracklibDict parameter +# Format: +# cracklibDict [path_to_cracklib_dictionary] +# Description: +# directory+filename-prefix that your version of CrackLib will go hunting for +# For example, /var/pw_dict resolves as /var/pw_dict.pwd, +# /var/pw_dict.pwi and /var/pw_dict.hwm dictionary files +cracklibDict /var/cache/cracklib/cracklib_dict + +# classes parameter +# Format: +# class-[CLASS_NAME] [CHARACTERS_DEFINING_CLASS] [MIN] [MIN_FOR_POINT] +# Description: +# [CHARACTERS_DEFINING_CLASS]: characters defining the class (no separator) +# [MIN]: If at least [MIN] characters of this class is not found in the password, then it is rejected +# [MIN_FOR_POINT]: one point is granted if password contains at least [MIN_FOR_POINT] character numbers of this class +class-upperCase ABCDEFGHIJKLMNOPQRSTUVWXYZ 0 1 +class-lowerCase abcdefghijklmnopqrstuvwxyz 0 1 +class-digit 0123456789 0 1 +class-special <>,?;.:/!§ù%*µ^¨$£²&é~"#'{([-|è`_\ç^à@)]°=}+ 0 1 diff --git a/contrib/slapd-modules/ppm/ppm.h b/contrib/slapd-modules/ppm/ppm.h new file mode 100644 index 0000000..25b360d --- /dev/null +++ b/contrib/slapd-modules/ppm/ppm.h @@ -0,0 +1,125 @@ +/* + * ppm.h for OpenLDAP + * + * See LICENSE, README and INSTALL files + */ + +#ifndef PPM_H_ +#define PPM_H_ + +#include <stdlib.h> // for type conversion, such as atoi... +#include <regex.h> // for matching allowedParameters / conf file +#include <string.h> +#include <ctype.h> +#include <portable.h> +#include <slap.h> + +#if defined(DEBUG) +#include <syslog.h> +#endif + +//#define PPM_READ_FILE 1 // old deprecated configuration mode + // 1: (deprecated) don't read pwdCheckModuleArg + // attribute, instead read config file + // 0: read pwdCheckModuleArg attribute + +/* config file parameters (DEPRECATED) */ +#ifndef CONFIG_FILE +#define CONFIG_FILE "/etc/openldap/ppm.example" +#endif +#define FILENAME_MAX_LEN 512 + +#define DEFAULT_QUALITY 3 +#define MEMORY_MARGIN 50 +#define MEM_INIT_SZ 64 +#define DN_MAX_LEN 512 + +#define CONF_MAX_SIZE 50 +#define PARAM_MAX_LEN 32 +#define VALUE_MAX_LEN 128 +#define ATTR_NAME_MAX_LEN 150 + +#define PARAM_PREFIX_CLASS "class-" +#define TOKENS_DELIMITERS " ,;-_£\t" + + +#define DEBUG_MSG_MAX_LEN 256 + +#define PASSWORD_QUALITY_SZ \ + "Password for dn=\"%s\" does not pass required number of strength checks (%d of %d)" +#define PASSWORD_CRITERIA \ + "Password for dn=\"%s\" has not reached the minimum number of characters (%d) for class %s" +#define PASSWORD_MAXCONSECUTIVEPERCLASS \ + "Password for dn=\"%s\" has reached the maximum number of characters (%d) for class %s" +#define PASSWORD_FORBIDDENCHARS \ + "Password for dn=\"%s\" contains %d forbidden characters in %s" +#define RDN_TOKEN_FOUND \ + "Password for dn=\"%s\" contains tokens from the RDN" +#define GENERIC_ERROR \ + "Error while checking password" +#define PASSWORD_CRACKLIB \ + "Password for dn=\"%s\" is too weak" +#define BAD_PASSWORD_SZ \ + "Bad password for dn=\"%s\" because %s" + + + +typedef union genValue { + int iVal; + char sVal[VALUE_MAX_LEN]; +} genValue; + +typedef enum { + typeInt, + typeStr +} valueType; + +typedef struct params { + char param[PARAM_MAX_LEN]; + valueType iType; +} params; + +// allowed parameters loaded into configuration structure +// it also contains the type of the corresponding value +params allowedParameters[7] = { + {"^minQuality", typeInt}, + {"^checkRDN", typeInt}, + {"^forbiddenChars", typeStr}, + {"^maxConsecutivePerClass", typeInt}, + {"^useCracklib", typeInt}, + {"^cracklibDict", typeStr}, + {"^class-.*", typeStr} +}; + + +// configuration structure, containing a parameter, a value, +// a corresponding min and minForPoint indicators if necessary +// and a type for the value (typeInt or typeStr) +typedef struct conf { + char param[PARAM_MAX_LEN]; + valueType iType; + genValue value; + int min; + int minForPoint; +} conf; + +void ppm_log(int priority, const char *format, ...); +int min(char *str1, char *str2); +#ifndef PPM_READ_FILE + static void read_config_attr(conf * fileConf, int *numParam, char *ppm_config_attr); +#endif +#ifdef PPM_READ_FILE + static void read_config_file(conf * fileConf, int *numParam, char *ppm_config_file); +#endif +int check_password(char *pPasswd, char **ppErrStr, Entry *e, void *pArg); +int maxConsPerClass(char *password, char *charClass); +void storeEntry(char *param, char *value, valueType valType, + char *min, char *minForPoint, conf * fileConf, int *numParam); +int typeParam(char* param); +genValue* getValue(conf *fileConf, int numParam, char* param); +void strcpy_safe(char *dest, char *src, int length_dest); + + +int ppm_test = 0; + +#endif diff --git a/contrib/slapd-modules/ppm/ppm.md b/contrib/slapd-modules/ppm/ppm.md new file mode 100644 index 0000000..5b1accb --- /dev/null +++ b/contrib/slapd-modules/ppm/ppm.md @@ -0,0 +1,343 @@ +--- +title: ppm +section: 5 +header: File Formats Manual +footer: ppm +date: August 24, 2021 +--- + +# NAME + +ppm (Password Policy Module) - extension of the password policy overlay + +# SYNOPSIS + +ETCDIR/ppm.example + +# DESCRIPTION + +**ppm** is an OpenLDAP module for checking password quality when they are modified. +Passwords are checked against the presence or absence of certain character classes. + +This module is used as an extension of the OpenLDAP password policy controls, +see slapo-ppolicy(5) section **pwdCheckModule**. + + +# USAGE + +Create a password policy entry and indicate the path of the ppm.so library +and the content of the desired policy. +Use a base64 tool to code / decode the content of the policy stored into +**pwdCheckModuleArg**. Here is an example: + +``` +dn: cn=default,ou=policies,dc=my-domain,dc=com +objectClass: pwdPolicy +objectClass: top +objectClass: pwdPolicyChecker +objectClass: person +pwdCheckQuality: 2 +pwdAttribute: userPassword +sn: default +cn: default +pwdMinLength: 6 +pwdCheckModule: /usr/local/lib/ppm.so +pwdCheckModuleArg:: bWluUXVhbGl0eSAzCmNoZWNrUkROIDAKZm9yYmlkZGVuQ2hhcnMKbWF4Q29uc2VjdXRpdmVQZXJDbGFzcyAwCnVzZUNyYWNrbGliIDAKY3JhY2tsaWJEaWN0IC92YXIvY2FjaGUvY3JhY2tsaWIvY3JhY2tsaWJfZGljdApjbGFzcy11cHBlckNhc2UgQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVogMCAxCmNsYXNzLWxvd2VyQ2FzZSBhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5eiAwIDEKY2xhc3MtZGlnaXQgMDEyMzQ1Njc4OSAwIDEKY2xhc3Mtc3BlY2lhbCA8Piw/Oy46LyHCp8O5JSrCtV7CqCTCo8KyJsOpfiIjJ3soWy18w6hgX1zDp17DoEApXcKwPX0rIDAgMQ== +``` + + +See **slapo-ppolicy** for more information, but to sum up: + +- enable ppolicy overlay in your database. +- define a default password policy in OpenLDAP configuration or use pwdPolicySubentry attribute to point to the given policy. + +This example show the activation for a **slapd.conf** file +(see **slapd-config** and **slapo-ppolicy** for more information for + **cn=config** configuration) + +``` +overlay ppolicy +ppolicy_default "cn=default,ou=policies,dc=my-domain,dc=com" +#ppolicy_use_lockout # for having more infos about the lockout +``` + + +# FEATURES + +Here are the main features: + +- 4 character classes are defined by default: +upper case, lower case, digits and special characters. + +- more character classes can be defined, just write your own. + +- passwords must match the amount of quality points. +A point is validated when at least m characters of the corresponding +character class are present in the password. + +- passwords must have at least n of the corresponding character class +present, else they are rejected. + +- the two previous criteria are checked against any specific character class +defined. + +- if a password contains any of the forbidden characters, then it is +rejected. + +- if a password contains tokens from the RDN, then it is rejected. + +- if a password does not pass cracklib check, then it is rejected. + + +# CONFIGURATION + +Since OpenLDAP 2.5 version, ppm configuration is held in a binary +attribute of the password policy: **pwdCheckModuleArg** + +The example file (**ETCDIR/ppm.example** by default) is to be +considered as an example configuration, to import in the **pwdCheckModuleArg** +attribute. It is also used for testing passwords with the test program +provided. + +If for some reasons, any parameter is not found, it will be given its +default value. + +Note: you can still compile ppm to use the configuration file, by enabling +**PPM_READ_FILE** in **ppm.h** (but this is deprecated now). If you decide to do so, +you can use the **PPM_CONFIG_FILE** environment variable for overloading the +configuration file path. + +The syntax of a configuration line is: + +``` +parameter value [min] [minForPoint] +``` + +with spaces being delimiters and Line Feed (LF) ending the line. + +Parameter names **are** case sensitive. + +Lines beginning by a **#** are considered as comments. + +The default configuration is the following: + +``` +# minQuality parameter +# Format: +# minQuality [NUMBER] +# Description: +# One point is granted for each class for which MIN_FOR_POINT criteria is fulfilled. +# defines the minimum point numbers for the password to be accepted. +minQuality 3 + +# checkRDN parameter +# Format: +# checkRDN [0 | 1] +# Description: +# If set to 1, password must not contain a token from the RDN. +# Tokens are separated by the following delimiters : space tabulation _ - , ; £ +checkRDN 0 + +# forbiddenChars parameter +# Format: +# forbiddenChars [CHARACTERS_FORBIDDEN] +# Description: +# Defines the forbidden characters list (no separator). +# If one of them is found in the password, then it is rejected. +forbiddenChars + +# maxConsecutivePerClass parameter +# Format: +# maxConsecutivePerClass [NUMBER] +# Description: +# Defines the maximum number of consecutive character allowed for any class +maxConsecutivePerClass 0 + +# useCracklib parameter +# Format: +# useCracklib [0 | 1] +# Description: +# If set to 1, the password must pass the cracklib check +useCracklib 0 + +# cracklibDict parameter +# Format: +# cracklibDict [path_to_cracklib_dictionary] +# Description: +# directory+filename-prefix that your version of CrackLib will go hunting for +# For example, /var/pw_dict resolves as /var/pw_dict.pwd, +# /var/pw_dict.pwi and /var/pw_dict.hwm dictionary files +cracklibDict /var/cache/cracklib/cracklib_dict + +# classes parameter +# Format: +# class-[CLASS_NAME] [CHARACTERS_DEFINING_CLASS] [MIN] [MIN_FOR_POINT] +# Description: +# [CHARACTERS_DEFINING_CLASS]: characters defining the class (no separator) +# [MIN]: If at least [MIN] characters of this class is not found in the password, then it is rejected +# [MIN_FOR_POINT]: one point is granted if password contains at least [MIN_FOR_POINT] character numbers of this class +class-upperCase ABCDEFGHIJKLMNOPQRSTUVWXYZ 0 1 +class-lowerCase abcdefghijklmnopqrstuvwxyz 0 1 +class-digit 0123456789 0 1 +class-special <>,?;.:/!§ù%*µ^¨$£²&é~"#'{([-|è`_\ç^à@)]°=}+ 0 1 +``` + +# EXAMPLE + +With this policy: +``` +minQuality 4 +forbiddenChars .?, +checkRDN 1 +class-upperCase ABCDEFGHIJKLMNOPQRSTUVWXYZ 0 5 +class-lowerCase abcdefghijklmnopqrstuvwxyz 0 12 +class-digit 0123456789 0 1 +class-special <>,?;.:/!§ù%*µ^¨$£²&é~"#'{([-|è`_\ç^à@)]°=}+ 0 1 +class-myClass :) 1 1`` +``` + +the password **ThereIsNoCowLevel)** is working, because: + +- it has 4 character classes validated : upper, lower, special, and myClass +- it has no character among .?, +- it has at least one character among : or ) + +but it won't work for the user uid=John Cowlevel,ou=people,cn=example,cn=com, +because the token "Cowlevel" from his RDN exists in the password (case insensitive). + + +# LOGS + +If a user password is rejected by **ppm**, the user will get this type of message: + +Typical user message from ldappasswd(5): + +``` + Result: Constraint violation (19) + Additional info: Password for dn=\"%s\" does not pass required number of strength checks (2 of 3) +``` + +A more detailed message is written to the server log. + +Server log: + +``` +Feb 26 14:46:10 debian-11-64 slapd[1981]: conn=1000 op=16 MOD dn="uid=user,ou=persons,dc=my-domain,dc=com" +Feb 26 14:46:10 debian-11-64 slapd[1981]: conn=1000 op=16 MOD attr=userPassword +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: entry uid=user,ou=persons,dc=my-domain,dc=com +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Reading pwdCheckModuleArg attribute +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: RAW configuration: # minQuality parameter#012# Format:#012# minQuality [NUMBER]#012# Description:#012# One point is granted for each class for which MIN_FOR_POINT criteria is fulfilled.#012# defines the minimum point numbers for the password to be accepted.#012minQuality 3#012#012# checkRDN parameter#012# Format:#012# checkRDN [0 | 1]#012# Description:#012# If set to 1, password must not contain a token from the RDN.#012# Tokens are separated by the following delimiters : space tabulation _ - , ; £#012checkRDN 0#012#012# forbiddenChars parameter#012# Format:#012# forbiddenChars [CHARACTERS_FORBIDDEN]#012# Description:#012# Defines the forbidden characters list (no separator).#012# If one of them is found in the password, then it is rejected.#012forbiddenChars#012#012# maxConsecutivePerClass parameter#012# Format:#012# maxConsecutivePerClass [NUMBER]#012# Description:#012# Defines the maximum number of consecutive character allowed for any class#012maxConsecutivePerClass 0#012#012# useCracklib parameter#012# Format:#012# useCracklib [0 | 1]#012# Description:#012# If set to 1, the password must pass the cracklib check#012useCracklib 0#012#012# cracklibDict parameter#012# Format:#012# cracklibDict [path_to_cracklib_dictionary]#012# Description:#012# directory+filename-prefix that your version of CrackLib will go hunting for#012# For example, /var/pw_dict resolves as /var/pw_dict.pwd,#012# /var/pw_dict.pwi and /var/pw_dict.hwm dictionary files#012cracklibDict /var/cache/cracklib/cracklib_dict#012#012# classes parameter#012# Format:#012# class-[CLASS_NAME] [CHARACTERS_DEFINING_CLASS] [MIN] [MIN_FOR_POINT]#012# Description:#012# [CHARACTERS_DEFINING_CLASS]: characters defining the class (no separator)#012# [MIN]: If at least [MIN] characters of this class is not found in the password, then it is rejected#012# [MIN_FOR_POINT]: one point is granted if password contains at least [MIN_FOR_POINT] character numbers of this class#012class-upperCase ABCDEFGHIJKLMNOPQRSTUVWXYZ 0 1#012class-lowerCase abcdefghijklmnopqrstuvwxyz 0 1#012class-digit 0123456789 0 1#012class-special <>,?;.:/!§ù%*µ^¨$£²&é~"#'{([-|è`_\ç^à@)]°=}+ 0 1 +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Parsing pwdCheckModuleArg attribute +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # minQuality parameter +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # Format: +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # minQuality [NUMBER] +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # Description: +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # One point is granted for each class for which MIN_FOR_POINT criteria is fulfilled. +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # defines the minimum point numbers for the password to be accepted. +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: minQuality 3 +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Param = minQuality, value = 3, min = (null), minForPoint= (null) +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Accepted replaced value: 3 +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # checkRDN parameter +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # Format: +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # checkRDN [0 | 1] +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # Description: +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # If set to 1, password must not contain a token from the RDN. +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # Tokens are separated by the following delimiters : space tabulation _ - , ; £ +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: checkRDN 0 +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Param = checkRDN, value = 0, min = (null), minForPoint= (null) +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Accepted replaced value: 0 +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # forbiddenChars parameter +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # Format: +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # forbiddenChars [CHARACTERS_FORBIDDEN] +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # Description: +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # Defines the forbidden characters list (no separator). +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # If one of them is found in the password, then it is rejected. +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: forbiddenChars +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: No value, goto next parameter +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # maxConsecutivePerClass parameter +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # Format: +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # maxConsecutivePerClass [NUMBER] +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # Description: +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # Defines the maximum number of consecutive character allowed for any class +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: maxConsecutivePerClass 0 +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Param = maxConsecutivePerClass, value = 0, min = (null), minForPoint= (null) +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Accepted replaced value: 0 +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # useCracklib parameter +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # Format: +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # useCracklib [0 | 1] +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # Description: +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # If set to 1, the password must pass the cracklib check +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: useCracklib 0 +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Param = useCracklib, value = 0, min = (null), minForPoint= (null) +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Accepted replaced value: 0 +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # cracklibDict parameter +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # Format: +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # cracklibDict [path_to_cracklib_dictionary] +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # Description: +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # directory+filename-prefix that your version of CrackLib will go hunting for +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # For example, /var/pw_dict resolves as /var/pw_dict.pwd, +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # /var/pw_dict.pwi and /var/pw_dict.hwm dictionary files +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: cracklibDict /var/cache/cracklib/cracklib_dict +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Param = cracklibDict, value = /var/cache/cracklib/cracklib_dict, min = (null), minForPoint= (null) +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Accepted replaced value: /var/cache/cracklib/cracklib_dict +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # classes parameter +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # Format: +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # class-[CLASS_NAME] [CHARACTERS_DEFINING_CLASS] [MIN] [MIN_FOR_POINT] +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # Description: +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # [CHARACTERS_DEFINING_CLASS]: characters defining the class (no separator) +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # [MIN]: If at least [MIN] characters of this class is not found in the password, then it is rejected +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # [MIN_FOR_POINT]: one point is granted if password contains at least [MIN_FOR_POINT] character numbers of this class +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: class-upperCase ABCDEFGHIJKLMNOPQRSTUVWXYZ 0 1 +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Param = class-upperCase, value = ABCDEFGHIJKLMNOPQRSTUVWXYZ, min = 0, minForPoint= 1 +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Accepted replaced value: ABCDEFGHIJKLMNOPQRSTUVWXYZ +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: class-lowerCase abcdefghijklmnopqrstuvwxyz 0 1 +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Param = class-lowerCase, value = abcdefghijklmnopqrstuvwxyz, min = 0, minForPoint= 1 +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Accepted replaced value: abcdefghijklmnopqrstuvwxyz +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: class-digit 0123456789 0 1 +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Param = class-digit, value = 0123456789, min = 0, minForPoint= 1 +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Accepted replaced value: 0123456789 +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: class-special <>,?;.:/!§ù%*µ^¨$£²&é~"#'{([-|è`_\ç^à@)]°=}+ 0 1 +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Param = class-special, value = <>,?;.:/!§ù%*µ^¨$£²&é~"#'{([-|è`_\ç^à@)]°=}+, min = 0, minForPoint= 1 +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Accepted replaced value: <>,?;.:/!§ù%*µ^¨$£²&é~"#'{([-|è`_\ç^à@)]°=}+ +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: 1 point granted for class class-lowerCase +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: 1 point granted for class class-digit +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Reallocating szErrStr from 64 to 173 +Feb 26 14:46:10 debian-11-64 slapd[1981]: check_password_quality: module error: (/usr/local/lib/ppm.so) Password for dn="uid=user,ou=persons,dc=my-domain,dc=com" does not pass required number of strength checks (2 of 3).[1] +Feb 26 14:46:10 debian-11-64 slapd[1981]: conn=1000 op=16 RESULT tag=103 err=19 qtime=0.000020 etime=0.001496 text=Password for dn="uid=user,ou=persons,dc=my-domain,dc=com" does not pass required number of strength checks (2 of 3) +``` + + +# TESTS + +There is a unit test script: **unit_tests.sh** that illustrates checking some passwords. + +It is possible to test one particular password using directly the test program: + +``` +cd /usr/local/lib +LD_LIBRARY_PATH=. ./ppm_test "uid=test,ou=users,dc=my-domain,dc=com" "my_password" "/usr/local/etc/openldap/ppm.example" && echo OK +``` + + +# FILES + +**ETCDIR/ppm.example** + +> example of ppm configuration to be inserted in **pwdCheckModuleArg** attribute of given password policy + +**ppm.so** + +> ppm library, loaded by the **pwdCheckModule** attribute of given password policy + +**ppm_test** + +> small test program for checking password in a command-line + + +# SEE ALSO + +**slapo-ppolicy**(5), **slapd-config**(5), **slapd.conf**(5) + +# ACKNOWLEDGEMENTS + +This module was developed in 2014-2021 by David Coutadeur. diff --git a/contrib/slapd-modules/ppm/ppm_test.c b/contrib/slapd-modules/ppm/ppm_test.c new file mode 100644 index 0000000..520aa0a --- /dev/null +++ b/contrib/slapd-modules/ppm/ppm_test.c @@ -0,0 +1,66 @@ +#include <stdio.h> +#include <stdlib.h> +#include "ppm.h" + +int main(int argc, char *argv[]) +{ + /* + * argv[1]: user + * argv[2]: password + * argv[3]: configuration file + */ + + int ret = 1; + + if(argc > 2) + { + printf("Testing user %s password: '%s' against %s policy config file \n", + argv[1], argv[2], argv[3] + ); + + /* format user entry */ + char *errmsg = NULL; + Entry pEntry; + pEntry.e_nname.bv_val=argv[1]; + pEntry.e_name.bv_val=argv[1]; + + /* get configuration file content */ + struct berval pArg; + FILE *fp; + if ((fp = fopen(argv[3],"r")) == NULL) + { + fprintf(stderr,"Unable to open config file for reading\n"); + return ret; + } + char *fcontent = NULL; + fseek(fp, 0, SEEK_END); + long fsize = ftell(fp); + fseek(fp, 0, SEEK_SET); + fcontent = malloc(fsize); + fread(fcontent, 1, fsize, fp); + fclose(fp); + pArg.bv_val = fcontent; + + ppm_test=1; // enable ppm_test for informing ppm not to use syslog + + ret = check_password(argv[2], &errmsg, &pEntry, &pArg); + + if(ret == 0) + { + printf("Password is OK!\n"); + } + else + { + printf("Password failed checks : %s\n", errmsg); + } + + ber_memfree(errmsg); + return ret; + + } + + return ret; +} + + + diff --git a/contrib/slapd-modules/ppm/slapm-ppm.5 b/contrib/slapd-modules/ppm/slapm-ppm.5 new file mode 100644 index 0000000..10e9c8d --- /dev/null +++ b/contrib/slapd-modules/ppm/slapm-ppm.5 @@ -0,0 +1,360 @@ +.\" Automatically generated by Pandoc 2.9.2.1 +.\" +.TH "ppm" "5" "August 24, 2021" "ppm" "File Formats Manual" +.hy +.SH NAME +.PP +ppm (Password Policy Module) - extension of the password policy overlay +.SH SYNOPSIS +.PP +ETCDIR/ppm.example +.SH DESCRIPTION +.PP +\f[B]ppm\f[R] is an OpenLDAP module for checking password quality when +they are modified. +Passwords are checked against the presence or absence of certain +character classes. +.PP +This module is used as an extension of the OpenLDAP password policy +controls, see slapo-ppolicy(5) section \f[B]pwdCheckModule\f[R]. +.SH USAGE +.PP +Create a password policy entry and indicate the path of the ppm.so +library and the content of the desired policy. +Use a base64 tool to code / decode the content of the policy stored into +\f[B]pwdCheckModuleArg\f[R]. +Here is an example: +.IP +.nf +\f[C] +dn: cn=default,ou=policies,dc=my-domain,dc=com +objectClass: pwdPolicy +objectClass: top +objectClass: pwdPolicyChecker +objectClass: person +pwdCheckQuality: 2 +pwdAttribute: userPassword +sn: default +cn: default +pwdMinLength: 6 +pwdCheckModule: /usr/local/lib/ppm.so +pwdCheckModuleArg:: bWluUXVhbGl0eSAzCmNoZWNrUkROIDAKZm9yYmlkZGVuQ2hhcnMKbWF4Q29uc2VjdXRpdmVQZXJDbGFzcyAwCnVzZUNyYWNrbGliIDAKY3JhY2tsaWJEaWN0IC92YXIvY2FjaGUvY3JhY2tsaWIvY3JhY2tsaWJfZGljdApjbGFzcy11cHBlckNhc2UgQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVogMCAxCmNsYXNzLWxvd2VyQ2FzZSBhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5eiAwIDEKY2xhc3MtZGlnaXQgMDEyMzQ1Njc4OSAwIDEKY2xhc3Mtc3BlY2lhbCA8Piw/Oy46LyHCp8O5JSrCtV7CqCTCo8KyJsOpfiIjJ3soWy18w6hgX1zDp17DoEApXcKwPX0rIDAgMQ== +\f[R] +.fi +.PP +See \f[B]slapo-ppolicy\f[R] for more information, but to sum up: +.IP \[bu] 2 +enable ppolicy overlay in your database. +.IP \[bu] 2 +define a default password policy in OpenLDAP configuration or use +pwdPolicySubentry attribute to point to the given policy. +.PP +This example show the activation for a \f[B]slapd.conf\f[R] file (see +\f[B]slapd-config\f[R] and \f[B]slapo-ppolicy\f[R] for more information +for \f[B]cn=config\f[R] configuration) +.IP +.nf +\f[C] +overlay ppolicy +ppolicy_default \[dq]cn=default,ou=policies,dc=my-domain,dc=com\[dq] +#ppolicy_use_lockout # for having more infos about the lockout +\f[R] +.fi +.SH FEATURES +.PP +Here are the main features: +.IP \[bu] 2 +4 character classes are defined by default: upper case, lower case, +digits and special characters. +.IP \[bu] 2 +more character classes can be defined, just write your own. +.IP \[bu] 2 +passwords must match the amount of quality points. +A point is validated when at least m characters of the corresponding +character class are present in the password. +.IP \[bu] 2 +passwords must have at least n of the corresponding character class +present, else they are rejected. +.IP \[bu] 2 +the two previous criteria are checked against any specific character +class defined. +.IP \[bu] 2 +if a password contains any of the forbidden characters, then it is +rejected. +.IP \[bu] 2 +if a password contains tokens from the RDN, then it is rejected. +.IP \[bu] 2 +if a password does not pass cracklib check, then it is rejected. +.SH CONFIGURATION +.PP +Since OpenLDAP 2.5 version, ppm configuration is held in a binary +attribute of the password policy: \f[B]pwdCheckModuleArg\f[R] +.PP +The example file (\f[B]ETCDIR/ppm.example\f[R] by default) is to be +considered as an example configuration, to import in the +\f[B]pwdCheckModuleArg\f[R] attribute. +It is also used for testing passwords with the test program provided. +.PP +If for some reasons, any parameter is not found, it will be given its +default value. +.PP +Note: you can still compile ppm to use the configuration file, by +enabling \f[B]PPM_READ_FILE\f[R] in \f[B]ppm.h\f[R] (but this is +deprecated now). +If you decide to do so, you can use the \f[B]PPM_CONFIG_FILE\f[R] +environment variable for overloading the configuration file path. +.PP +The syntax of a configuration line is: +.IP +.nf +\f[C] +parameter value [min] [minForPoint] +\f[R] +.fi +.PP +with spaces being delimiters and Line Feed (LF) ending the line. +.PP +Parameter names \f[B]are\f[R] case sensitive. +.PP +Lines beginning by a \f[B]#\f[R] are considered as comments. +.PP +The default configuration is the following: +.IP +.nf +\f[C] +# minQuality parameter +# Format: +# minQuality [NUMBER] +# Description: +# One point is granted for each class for which MIN_FOR_POINT criteria is fulfilled. +# defines the minimum point numbers for the password to be accepted. +minQuality 3 + +# checkRDN parameter +# Format: +# checkRDN [0 | 1] +# Description: +# If set to 1, password must not contain a token from the RDN. +# Tokens are separated by the following delimiters : space tabulation _ - , ; \[Po] +checkRDN 0 + +# forbiddenChars parameter +# Format: +# forbiddenChars [CHARACTERS_FORBIDDEN] +# Description: +# Defines the forbidden characters list (no separator). +# If one of them is found in the password, then it is rejected. +forbiddenChars + +# maxConsecutivePerClass parameter +# Format: +# maxConsecutivePerClass [NUMBER] +# Description: +# Defines the maximum number of consecutive character allowed for any class +maxConsecutivePerClass 0 + +# useCracklib parameter +# Format: +# useCracklib [0 | 1] +# Description: +# If set to 1, the password must pass the cracklib check +useCracklib 0 + +# cracklibDict parameter +# Format: +# cracklibDict [path_to_cracklib_dictionary] +# Description: +# directory+filename-prefix that your version of CrackLib will go hunting for +# For example, /var/pw_dict resolves as /var/pw_dict.pwd, +# /var/pw_dict.pwi and /var/pw_dict.hwm dictionary files +cracklibDict /var/cache/cracklib/cracklib_dict + +# classes parameter +# Format: +# class-[CLASS_NAME] [CHARACTERS_DEFINING_CLASS] [MIN] [MIN_FOR_POINT] +# Description: +# [CHARACTERS_DEFINING_CLASS]: characters defining the class (no separator) +# [MIN]: If at least [MIN] characters of this class is not found in the password, then it is rejected +# [MIN_FOR_POINT]: one point is granted if password contains at least [MIN_FOR_POINT] character numbers of this class +class-upperCase ABCDEFGHIJKLMNOPQRSTUVWXYZ 0 1 +class-lowerCase abcdefghijklmnopqrstuvwxyz 0 1 +class-digit 0123456789 0 1 +class-special <>,?;.:/!\[sc]\[`u]%*\[mc]\[ha]\[ad]$\[Po]\[S2]&\['e]\[ti]\[dq]#\[aq]{([-|\[`e]\[ga]_\[rs]\[,c]\[ha]\[`a]\[at])]\[de]=}+ 0 1 +\f[R] +.fi +.SH EXAMPLE +.PP +With this policy: +.IP +.nf +\f[C] +minQuality 4 +forbiddenChars .?, +checkRDN 1 +class-upperCase ABCDEFGHIJKLMNOPQRSTUVWXYZ 0 5 +class-lowerCase abcdefghijklmnopqrstuvwxyz 0 12 +class-digit 0123456789 0 1 +class-special <>,?;.:/!\[sc]\[`u]%*\[mc]\[ha]\[ad]$\[Po]\[S2]&\['e]\[ti]\[dq]#\[aq]{([-|\[`e]\[ga]_\[rs]\[,c]\[ha]\[`a]\[at])]\[de]=}+ 0 1 +class-myClass :) 1 1\[ga]\[ga] +\f[R] +.fi +.PP +the password \f[B]ThereIsNoCowLevel)\f[R] is working, because: +.IP \[bu] 2 +it has 4 character classes validated : upper, lower, special, and +myClass +.IP \[bu] 2 +it has no character among .?, +.IP \[bu] 2 +it has at least one character among : or ) +.PP +but it won\[cq]t work for the user uid=John +Cowlevel,ou=people,cn=example,cn=com, because the token +\[lq]Cowlevel\[rq] from his RDN exists in the password (case +insensitive). +.SH LOGS +.PP +If a user password is rejected by \f[B]ppm\f[R], the user will get this +type of message: +.PP +Typical user message from ldappasswd(5): +.IP +.nf +\f[C] + Result: Constraint violation (19) + Additional info: Password for dn=\[rs]\[dq]%s\[rs]\[dq] does not pass required number of strength checks (2 of 3) +\f[R] +.fi +.PP +A more detailed message is written to the server log. +.PP +Server log: +.IP +.nf +\f[C] +Feb 26 14:46:10 debian-11-64 slapd[1981]: conn=1000 op=16 MOD dn=\[dq]uid=user,ou=persons,dc=my-domain,dc=com\[dq] +Feb 26 14:46:10 debian-11-64 slapd[1981]: conn=1000 op=16 MOD attr=userPassword +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: entry uid=user,ou=persons,dc=my-domain,dc=com +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Reading pwdCheckModuleArg attribute +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: RAW configuration: # minQuality parameter#012# Format:#012# minQuality [NUMBER]#012# Description:#012# One point is granted for each class for which MIN_FOR_POINT criteria is fulfilled.#012# defines the minimum point numbers for the password to be accepted.#012minQuality 3#012#012# checkRDN parameter#012# Format:#012# checkRDN [0 | 1]#012# Description:#012# If set to 1, password must not contain a token from the RDN.#012# Tokens are separated by the following delimiters : space tabulation _ - , ; \[Po]#012checkRDN 0#012#012# forbiddenChars parameter#012# Format:#012# forbiddenChars [CHARACTERS_FORBIDDEN]#012# Description:#012# Defines the forbidden characters list (no separator).#012# If one of them is found in the password, then it is rejected.#012forbiddenChars#012#012# maxConsecutivePerClass parameter#012# Format:#012# maxConsecutivePerClass [NUMBER]#012# Description:#012# Defines the maximum number of consecutive character allowed for any class#012maxConsecutivePerClass 0#012#012# useCracklib parameter#012# Format:#012# useCracklib [0 | 1]#012# Description:#012# If set to 1, the password must pass the cracklib check#012useCracklib 0#012#012# cracklibDict parameter#012# Format:#012# cracklibDict [path_to_cracklib_dictionary]#012# Description:#012# directory+filename-prefix that your version of CrackLib will go hunting for#012# For example, /var/pw_dict resolves as /var/pw_dict.pwd,#012# /var/pw_dict.pwi and /var/pw_dict.hwm dictionary files#012cracklibDict /var/cache/cracklib/cracklib_dict#012#012# classes parameter#012# Format:#012# class-[CLASS_NAME] [CHARACTERS_DEFINING_CLASS] [MIN] [MIN_FOR_POINT]#012# Description:#012# [CHARACTERS_DEFINING_CLASS]: characters defining the class (no separator)#012# [MIN]: If at least [MIN] characters of this class is not found in the password, then it is rejected#012# [MIN_FOR_POINT]: one point is granted if password contains at least [MIN_FOR_POINT] character numbers of this class#012class-upperCase ABCDEFGHIJKLMNOPQRSTUVWXYZ 0 1#012class-lowerCase abcdefghijklmnopqrstuvwxyz 0 1#012class-digit 0123456789 0 1#012class-special <>,?;.:/!\[sc]\[`u]%*\[mc]\[ha]\[ad]$\[Po]\[S2]&\['e]\[ti]\[dq]#\[aq]{([-|\[`e]\[ga]_\[rs]\[,c]\[ha]\[`a]\[at])]\[de]=}+ 0 1 +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Parsing pwdCheckModuleArg attribute +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # minQuality parameter +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # Format: +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # minQuality [NUMBER] +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # Description: +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # One point is granted for each class for which MIN_FOR_POINT criteria is fulfilled. +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # defines the minimum point numbers for the password to be accepted. +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: minQuality 3 +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Param = minQuality, value = 3, min = (null), minForPoint= (null) +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Accepted replaced value: 3 +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # checkRDN parameter +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # Format: +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # checkRDN [0 | 1] +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # Description: +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # If set to 1, password must not contain a token from the RDN. +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # Tokens are separated by the following delimiters : space tabulation _ - , ; \[Po] +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: checkRDN 0 +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Param = checkRDN, value = 0, min = (null), minForPoint= (null) +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Accepted replaced value: 0 +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # forbiddenChars parameter +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # Format: +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # forbiddenChars [CHARACTERS_FORBIDDEN] +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # Description: +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # Defines the forbidden characters list (no separator). +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # If one of them is found in the password, then it is rejected. +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: forbiddenChars +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: No value, goto next parameter +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # maxConsecutivePerClass parameter +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # Format: +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # maxConsecutivePerClass [NUMBER] +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # Description: +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # Defines the maximum number of consecutive character allowed for any class +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: maxConsecutivePerClass 0 +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Param = maxConsecutivePerClass, value = 0, min = (null), minForPoint= (null) +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Accepted replaced value: 0 +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # useCracklib parameter +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # Format: +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # useCracklib [0 | 1] +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # Description: +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # If set to 1, the password must pass the cracklib check +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: useCracklib 0 +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Param = useCracklib, value = 0, min = (null), minForPoint= (null) +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Accepted replaced value: 0 +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # cracklibDict parameter +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # Format: +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # cracklibDict [path_to_cracklib_dictionary] +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # Description: +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # directory+filename-prefix that your version of CrackLib will go hunting for +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # For example, /var/pw_dict resolves as /var/pw_dict.pwd, +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # /var/pw_dict.pwi and /var/pw_dict.hwm dictionary files +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: cracklibDict /var/cache/cracklib/cracklib_dict +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Param = cracklibDict, value = /var/cache/cracklib/cracklib_dict, min = (null), minForPoint= (null) +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Accepted replaced value: /var/cache/cracklib/cracklib_dict +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # classes parameter +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # Format: +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # class-[CLASS_NAME] [CHARACTERS_DEFINING_CLASS] [MIN] [MIN_FOR_POINT] +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # Description: +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # [CHARACTERS_DEFINING_CLASS]: characters defining the class (no separator) +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # [MIN]: If at least [MIN] characters of this class is not found in the password, then it is rejected +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: # [MIN_FOR_POINT]: one point is granted if password contains at least [MIN_FOR_POINT] character numbers of this class +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: class-upperCase ABCDEFGHIJKLMNOPQRSTUVWXYZ 0 1 +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Param = class-upperCase, value = ABCDEFGHIJKLMNOPQRSTUVWXYZ, min = 0, minForPoint= 1 +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Accepted replaced value: ABCDEFGHIJKLMNOPQRSTUVWXYZ +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: class-lowerCase abcdefghijklmnopqrstuvwxyz 0 1 +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Param = class-lowerCase, value = abcdefghijklmnopqrstuvwxyz, min = 0, minForPoint= 1 +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Accepted replaced value: abcdefghijklmnopqrstuvwxyz +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: class-digit 0123456789 0 1 +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Param = class-digit, value = 0123456789, min = 0, minForPoint= 1 +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Accepted replaced value: 0123456789 +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: get line: class-special <>,?;.:/!\[sc]\[`u]%*\[mc]\[ha]\[ad]$\[Po]\[S2]&\['e]\[ti]\[dq]#\[aq]{([-|\[`e]\[ga]_\[rs]\[,c]\[ha]\[`a]\[at])]\[de]=}+ 0 1 +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Param = class-special, value = <>,?;.:/!\[sc]\[`u]%*\[mc]\[ha]\[ad]$\[Po]\[S2]&\['e]\[ti]\[dq]#\[aq]{([-|\[`e]\[ga]_\[rs]\[,c]\[ha]\[`a]\[at])]\[de]=}+, min = 0, minForPoint= 1 +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Accepted replaced value: <>,?;.:/!\[sc]\[`u]%*\[mc]\[ha]\[ad]$\[Po]\[S2]&\['e]\[ti]\[dq]#\[aq]{([-|\[`e]\[ga]_\[rs]\[,c]\[ha]\[`a]\[at])]\[de]=}+ +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: 1 point granted for class class-lowerCase +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: 1 point granted for class class-digit +Feb 26 14:46:10 debian-11-64 slapd[1981]: ppm: Reallocating szErrStr from 64 to 173 +Feb 26 14:46:10 debian-11-64 slapd[1981]: check_password_quality: module error: (/usr/local/lib/ppm.so) Password for dn=\[dq]uid=user,ou=persons,dc=my-domain,dc=com\[dq] does not pass required number of strength checks (2 of 3).[1] +Feb 26 14:46:10 debian-11-64 slapd[1981]: conn=1000 op=16 RESULT tag=103 err=19 qtime=0.000020 etime=0.001496 text=Password for dn=\[dq]uid=user,ou=persons,dc=my-domain,dc=com\[dq] does not pass required number of strength checks (2 of 3) +\f[R] +.fi +.SH TESTS +.PP +There is a unit test script: \f[B]unit_tests.sh\f[R] that illustrates +checking some passwords. +.PP +It is possible to test one particular password using directly the test +program: +.IP +.nf +\f[C] +cd /usr/local/lib +LD_LIBRARY_PATH=. ./ppm_test \[dq]uid=test,ou=users,dc=my-domain,dc=com\[dq] \[dq]my_password\[dq] \[dq]/usr/local/etc/openldap/ppm.example\[dq] && echo OK +\f[R] +.fi +.SH FILES +.PP +\f[B]ETCDIR/ppm.example\f[R] +.RS +.PP +example of ppm configuration to be inserted in +\f[B]pwdCheckModuleArg\f[R] attribute of given password policy +.RE +.PP +\f[B]ppm.so\f[R] +.RS +.PP +ppm library, loaded by the \f[B]pwdCheckModule\f[R] attribute of given +password policy +.RE +.PP +\f[B]ppm_test\f[R] +.RS +.PP +small test program for checking password in a command-line +.RE +.SH SEE ALSO +.PP +\f[B]slapo-ppolicy\f[R](5), \f[B]slapd-config\f[R](5), +\f[B]slapd.conf\f[R](5) +.SH ACKNOWLEDGEMENTS +.PP +This module was developed in 2014-2021 by David Coutadeur. diff --git a/contrib/slapd-modules/ppm/unit_tests.sh b/contrib/slapd-modules/ppm/unit_tests.sh new file mode 100755 index 0000000..c152c96 --- /dev/null +++ b/contrib/slapd-modules/ppm/unit_tests.sh @@ -0,0 +1,118 @@ +#!/bin/bash + +# Launch unitary tests +# + + +CONFIG_FILE="ppm.example" + +LDAP_SRC="${LDAP_SRC:-../../..}" +LDAP_BUILD=${LDAP_BUILD:-${LDAP_SRC}} +CURRENT_DIR=$( dirname $0 ) +LIB_PATH="${LD_LIBRARY_PATH}:${CURRENT_DIR}:${LDAP_BUILD}/libraries/liblber/.libs:${LDAP_BUILD}/libraries/libldap/.libs" + +RED='\033[0;31m' +GREEN='\033[0;32m' +NC='\033[0m' + +RESULT=0 + +PPM_CONF_1='minQuality 3 +checkRDN 0 +forbiddenChars +maxConsecutivePerClass 0 +useCracklib 0 +cracklibDict /var/cache/cracklib/cracklib_dict +class-upperCase ABCDEFGHIJKLMNOPQRSTUVWXYZ 0 1 +class-lowerCase abcdefghijklmnopqrstuvwxyz 0 1 +class-digit 0123456789 0 1 +class-special <>,?;.:/!§ù%*µ^¨$£²&é~"#'\''{([-|è`_\ç^à@)]°=}+ 0 1' + +PPM_CONF_2='minQuality 3 +checkRDN 0 +forbiddenChars à +maxConsecutivePerClass 5 +useCracklib 0 +cracklibDict /var/cache/cracklib/cracklib_dict +class-upperCase ABCDEFGHIJKLMNOPQRSTUVWXYZ 2 4 +class-lowerCase abcdefghijklmnopqrstuvwxyz 3 4 +class-digit 0123456789 2 4 +class-special <>,?;.:/!§ù%*µ^¨$£²&é~"#'\''{([-|è`_\ç^à@)]°=}+ 0 4' + +PPM_CONF_3='minQuality 3 +checkRDN 1 +forbiddenChars +maxConsecutivePerClass 0 +useCracklib 0 +cracklibDict /var/cache/cracklib/cracklib_dict +class-upperCase ABCDEFGHIJKLMNOPQRSTUVWXYZ 0 1 +class-lowerCase abcdefghijklmnopqrstuvwxyz 0 1 +class-digit 0123456789 0 1 +class-special <>,?;.:/!§ù%*µ^¨$£²&é~"#'\''{([-|è`_\ç^à@)]°=}+ 0 1' + + +echo "$PPM_CONF_1" > ppm1.conf +echo "$PPM_CONF_2" > ppm2.conf +echo "$PPM_CONF_3" > ppm3.conf + + +launch_test() +{ + # launch tests + # FORMAT: launch_test [conf_file] [password] [expected_result] + # [expected_result] = [PASS|FAIL] + + local CONF="$1" + local USER="$2" + local PASS="$3" + local EXPECT="$4" + + [[ $EXPECT == "PASS" ]] && EXP="0" || EXP="1" + + LD_LIBRARY_PATH="${LIB_PATH}" ./ppm_test "${USER}" "${PASS}" "${CONF}" + RES="$?" + + if [ "$RES" -eq "$EXP" ] ; then + echo -e "conf=${CONF} user=${USER} pass=${PASS} expect=${EXPECT}... ${GREEN}PASS${NC}" + else + echo -e "conf=${CONF} user=${USER} pass=${PASS} expect=${EXPECT}... ${RED}FAIL${NC}" + ((RESULT+=1)) + fi + + echo +} + + + + +launch_test "ppm1.conf" "uid=test,ou=users,dc=my-domain,dc=com" "azerty" "FAIL" +launch_test "ppm1.conf" "uid=test,ou=users,dc=my-domain,dc=com" "azeRTY" "FAIL" +launch_test "ppm1.conf" "uid=test,ou=users,dc=my-domain,dc=com" "azeRTY123" "PASS" +launch_test "ppm1.conf" "uid=test,ou=users,dc=my-domain,dc=com" "azeRTY." "PASS" + + +launch_test "ppm2.conf" "uid=test,ou=users,dc=my-domain,dc=com" "AAaaa01AAaaa01AAaaa0" "PASS" +# forbidden char +launch_test "ppm2.conf" "uid=test,ou=users,dc=my-domain,dc=com" "AAaaa01AAaaa01AAaaaà" "FAIL" +# too much consecutive for upper +launch_test "ppm2.conf" "uid=test,ou=users,dc=my-domain,dc=com" "AAaaa01AAaaa01AAAAAA" "FAIL" +# not enough upper +launch_test "ppm2.conf" "uid=test,ou=users,dc=my-domain,dc=com" "Aaaaa01aaaaa01aa.;.;" "FAIL" +# not enough lower +launch_test "ppm2.conf" "uid=test,ou=users,dc=my-domain,dc=com" "aaAAA01BB0123AAA.;.;" "FAIL" +# not enough digit +launch_test "ppm2.conf" "uid=test,ou=users,dc=my-domain,dc=com" "1AAAA.;BBB.;.;AA.;.;" "FAIL" +# not enough points (no point for digit) +launch_test "ppm2.conf" "uid=test,ou=users,dc=my-domain,dc=com" "AAaaaBBBBaaa01AAaaaa" "FAIL" + +# password in RDN +launch_test "ppm3.conf" "uid=User_Password10-test,ou=users,dc=my-domain,dc=com" "Password10" "FAIL" +launch_test "ppm3.conf" "uid=User_Passw0rd-test,ou=users,dc=my-domain,dc=com" "Password10" "PASS" +launch_test "ppm3.conf" "uid=User-Pw-Test,ou=users,dc=my-domain,dc=com" "Password10" "PASS" + + +echo "${RESULT} error(s) encountered" + +rm ppm1.conf ppm2.conf ppm3.conf +exit ${RESULT} + |