Password policy module for OpenLDAP using libpwquality. Ensures that users have strong passwords.
OpenLDAP-check-pwquality

This is a small project to make libpwquality work as an OpenLDAP password policy module (pwdCheckModule).

The following installation instructions are for Ubuntu 24.04 LTS, but can be adjusted to other distros.

Install some dependencies (assuming that OpenLDAP/slapd is already installed):

sudo apt install libpwquality-dev cracklib-runtime libdb-dev

We need the OpenLDAP sources to compile our module. You can download the sources from the OpenLDAP website or use your package manager.

Option A: Use Ubuntu source package

Enable source packages (Ubuntu 24.04 uses deb822 format):

sudo sed -i 's/^Types: deb$/Types: deb deb-src/' /etc/apt/sources.list.d/ubuntu.sources
sudo apt update

Get the source package and build it:

cd /tmp
apt-get source slapd
cd openldap-2.6.*/
./configure
make depend

Option B: Download from OpenLDAP directly

cd /tmp
wget https://www.openldap.org/software/download/OpenLDAP/openldap-release/openldap-2.6.10.tgz
tar xzf openldap-2.6.10.tgz
cd openldap-2.6.10
./configure
make depend

Build the module

Clone this repo and make the library (adjust LDAP_SRC to match your OpenLDAP source directory):

cd /tmp
git clone https://github.com/isarandi/openldap-check-pwquality.git
cd openldap-check-pwquality
sudo make install LDAP_SRC=/tmp/openldap-2.6.10 CONFIG_PATH=/etc/ldap/pwquality.conf LDAP_LIBDIR=/usr/lib/ldap

At this point there should be a file check_pwquality.so under /usr/lib/ldap.

Configure the password policy

OpenLDAP 2.5+ (including Ubuntu 22.04+): The module must be configured at the ppolicy overlay level, not in the password policy entry. Add the module path to your ppolicy overlay configuration:

Using cn=config (LDIF):

dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: modify
add: olcPPolicyCheckModule
olcPPolicyCheckModule: /usr/lib/ldap/check_pwquality.so

Then enable it in your password policy entry:

dn: cn=default,ou=policies,dc=example,dc=com
changetype: modify
add: pwdUseCheckModule
pwdUseCheckModule: TRUE

OpenLDAP 2.4 (legacy): Add the attribute pwdCheckModule: check_pwquality.so directly to your password policy entry.

See this blog post on Kifarunix for general guidance on OpenLDAP password policies.

Now, all that remains is to configure pwquality at the chosen config file path (/etc/ldap/pwquality.conf by default). See man pwquality.conf for details. Since OpenLDAP is often run in a way that doesn't let it read files from just anywhere, make sure that your cracklib dictionary is readable by the LDAP server process. In particular, it's best to place both the pwquality.conf file and the cracklib dictionary files under /etc/ldap/ as well.

You can set up a beefy cracklib dictionary as follows:

cd /tmp
git clone https://github.com/cracklib/cracklib.git
cd cracklib/words
make
sudo cp cracklib-words /etc/cracklib/
sudo sed -i 's/cracklib_dictpath_src=""/cracklib_dictpath_src="\/etc\/cracklib\/cracklib-words"/' /etc/cracklib/cracklib.conf
sudo update-cracklib
sudo cp /var/cache/cracklib/cracklib_dict* /etc/ldap/
echo 'dictpath = /etc/ldap/cracklib_dict' | sudo tee -a /etc/ldap/pwquality.conf
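A small pre-flight check for the two points above (the config file and the cracklib dictionary must be readable by the slapd process). This is an added example, not part of this repository; it assumes the server runs as the user openldap (the Ubuntu default) and that the dictionary consists of the three files cracklib_dict.pwd, .pwi and .hwm that update-cracklib writes.

```python
import grp
import os
import pwd
import stat
import sys

# The three files that make up a cracklib dictionary (assumption: standard names).
DICT_SUFFIXES = (".pwd", ".pwi", ".hwm")


def parse_pwquality_conf(text):
    """Parse `key = value` lines of pwquality.conf; '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value
    return settings


def dictionary_files(settings):
    """Files libpwquality will open for the configured dictpath (empty if unset)."""
    dictpath = settings.get("dictpath")
    return [dictpath + suffix for suffix in DICT_SUFFIXES] if dictpath else []


def readable_by(mode, file_uid, file_gid, uid, gids):
    """POSIX read check for a non-root process with the given uid and group ids."""
    if file_uid == uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def unreadable_files(paths, uid, gids):
    """Return the paths that are missing or not readable for uid/gids."""
    bad = []
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            bad.append(path)
            continue
        if not readable_by(st.st_mode, st.st_uid, st.st_gid, uid, gids):
            bad.append(path)
    return bad


def check(config_path="/etc/ldap/pwquality.conf", user="openldap"):
    """List config/dictionary files the slapd user cannot read (empty = all good)."""
    account = pwd.getpwnam(user)
    gids = {account.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    with open(config_path) as f:
        settings = parse_pwquality_conf(f.read())
    return unreadable_files([config_path] + dictionary_files(settings), account.pw_uid, gids)


if __name__ == "__main__":
    problems = check(*sys.argv[1:2])
    print("OK" if not problems else "Unreadable for slapd: " + ", ".join(problems))
```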

And that's it!

General tips to avoid pitfalls with password policies

  • If you use ldapscripts, make sure to bind with something other than the root bind DN. The root bind DN bypasses all password policy checks, so ldapadduser will accept any password.
  • Make sure that the clients don't send pre-hashed passwords to the server when changing the password. Obviously the server needs the plaintext password to check its quality. This also means you should set up TLS, so that plaintext passwords don't cross the network unencrypted. (E.g. Ubuntu clients should NOT have lines in /etc/ldap.conf like pam_password md5. Either remove it or set it to pam_password clear.)

Similar projects

There are other similar projects out there already:

However, these are more limited in configuration options. The main point of this project is to harness the full power and configurability of libpwquality, by offloading all the password checking logic to its API.
