https://bugzilla.redhat.com/show_bug.cgi?id=458792
Description of problem:

Currently Fedora Directory Server allows for a very simple password policy (see http://directory.fedoraproject.org/wiki/Password_Syntax) that is applied to passwords changed by the users using the password change extended operation (exop for short). Many organizations would like to be able to supplement that policy with their own custom, programmable policies. Currently there's no flexibility whatsoever.

The password quality assessment can be accomplished using very simple means - what is needed is just a program or script that reads a single line (containing the password) on its standard input and sets its return code to 0 if the password is OK or to 1 if it's not OK. It can also output a descriptive error on its standard output. Here's an example of such a script in Perl:

    #!/usr/bin/perl -w
    #
    # Read one line (the candidate password) from standard input.
    chomp(my $line = <STDIN>);
    if ($line =~ /^password/i) {
        # Explain the rejection on standard output and signal failure.
        print "The password cannot begin with the word 'password'.\n";
        exit 1;
    } else {
        exit 0;
    }

Note that this way one can easily implement various additional checks, e.g. check against a known wordlist, statistical tests on the characters comprising the password, etc.

I think that this functionality could be implemented in FDS using a plugin that consumes one configuration option: the full absolute path to the binary to be executed for checking passwords.
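The calling side of the contract described in the report (one line on standard input, exit code 0 or 1, optional message on standard output), as an added example that is not part of the original ticket and is not 389-ds-base code. The function name `check_password`, the argument-vector form of the checker setting, the 5-second timeout and the constructed Python sample checker are assumptions made for illustration; any outcome other than a clean exit 0 is treated as a rejection.

```python
import os
import subprocess
import sys

# Constructed sample checker, equivalent to the Perl script in the report:
# reads one line from stdin, exits 1 with a message if it starts with "password".
SAMPLE_CHECKER = [
    sys.executable, "-c",
    "import sys\n"
    "line = sys.stdin.readline().rstrip('\\n')\n"
    "if line.lower().startswith('password'):\n"
    "    print(\"The password cannot begin with the word 'password'.\")\n"
    "    sys.exit(1)\n"
    "sys.exit(0)\n",
]


def check_password(checker_argv, password, timeout=5.0):
    """Return (accepted, message); hypothetical helper, fails closed."""
    if not checker_argv or not os.path.isabs(checker_argv[0]):
        return False, "checker must be configured with an absolute path"
    if "\n" in password or "\r" in password:
        # The contract is one line on stdin; an embedded line break would
        # make the checker judge only a prefix of the real password.
        return False, "password contains a line break"
    try:
        proc = subprocess.run(
            checker_argv,                      # argv list, no shell involved
            input=(password + "\n").encode(),  # stdin only, never argv or env
            stdout=subprocess.PIPE,
            stderr=subprocess.DEVNULL,
            timeout=timeout,                   # a hung checker must not block
        )
    except (OSError, subprocess.TimeoutExpired) as exc:
        # Missing or non-executable binary, or timeout: reject the change.
        return False, "checker unavailable: " + type(exc).__name__
    message = proc.stdout.decode(errors="replace").strip()
    if proc.returncode == 0:
        return True, ""
    if proc.returncode == 1:
        return False, message or "password rejected by policy"
    # Crash, signal or undocumented exit code: fail closed.
    return False, "checker failed with status %d" % proc.returncode
```
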
batch update to FUTURE milestone
set default ticket origin to Community
Added initial screened field value.
Metadata Update from @nkinder: - Issue set to the milestone: FUTURE
I do not believe we should contact an external script. Instead we have designed an extensible change to our password mechanism that we hope to develop soon.
Metadata Update from @firstyear: - Custom field component reset (from Security - Password Policy) - Custom field reviewstatus adjusted to new (was: Needs Review) - Issue close_status updated to: wontfix - Issue status updated to: Closed (was: Open)
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/109
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.