Description of problem:

Currently Fedora Directory Server allows for a very simple password policy (see
http://directory.fedoraproject.org/wiki/Password_Syntax) that is applied to
passwords changed by the users using the password change extended operation
(exop for short).

Many organizations would like to be able to supplement that policy with their
own custom, programmable policies. Currently there's no flexibility whatsoever.

The password quality assessment can be accomplished using very simple means -
what is needed is just a program or script that reads a single line (containing
the password) in its standard input and sets it return code to 0 if the
password is OK or to 1 if it's not OK. It can also output a descriptive error
in its standard output.

Here's an example of such script in Perl:


#!/usr/bin/perl -w
#

chomp(my $line = <STDIN>);

if ($line =~ /^password/i) {
  print "The password cannot begin with the word 'password'.\n";
  exit 1;
} else {
  exit 0;
}

Note that this way one can easily implement various additional checks, e.g.
check against a known wordlist, statistic tests on the characters comprising
the password etc.


I think that this functionality could be implemented in FDS using a plugin that
consumes one configuration option: the full absolute path to the binary to be
executed for checking passwords.