The password syntax checking feature should be enhanced to enforce strict password policies. The policy needs to be flexible enough to work in a variety of deployments. The following should be enforceable:
- minimum password character length
- minimum number of digit characters (0-9)
- minimum number of ASCII alpha characters (a-z, A-Z)
- minimum number of uppercase ASCII alpha characters (A-Z)
- minimum number of lowercase ASCII alpha characters (a-z)
- minimum number of special ASCII characters (!@#$, etc.)
- minimum number of 8-bit characters
- maximum number of times the same char can be immediately repeated (aaabbb)
- minimum number of character categories that are represented (categories are lower, upper, digit, special, and 8-bit)

The code currently makes sure that userPassword is not the same as the uid, cn, sn, givenname, mail, or ou attribute value(s) present in the entry. This needs to be enhanced to make sure that the password does not contain these values instead of an equality check. There should also be a minimum value size to use for comparison purposes for these attributes. All of these features should work for passwords that contain 8-bit, multi-byte characters.
Created attachment 123641 [details] CVS Diffs

These diffs implement everything outlined in the initial bug comment. It adds the following new config parameters to the cn=config entry (valid range and defaults in parentheses):
- passwordMinDigits (0-64, default=0)
- passwordMinAlphas (0-64, default=0)
- passwordMinUppers (0-64, default=0)
- passwordMinLowers (0-64, default=0)
- passwordMinSpecials (0-64, default=0)
- passwordMin8Bit (0-64, default=0)
- passwordMaxRepeats (0-64, default=0)
- passwordMinCategories (1-5, default=3)
- passwordMinTokenLength (1-64, default=3)

It also adjusts the default passwordMinLength setting to 8. This makes our defaults match Active Directory's password complexity feature.
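The following is an added, stand-alone illustration of the policy described in the bug report and the config parameters listed in the previous comment; it is not the ldapserver code from the CVS diffs. It uses the cn=config attribute names and defaults from the comment above (passwordMinLength=8, passwordMinCategories=3, passwordMinTokenLength=3, everything else 0). Two points the bug leaves open are treated as assumptions and marked in the code: passwordMaxRepeats=0 is taken to mean "no limit", and the attribute-value containment check is done case-insensitively. "8-bit" characters are taken to be any non-ASCII code point, so a multi-byte UTF-8 character counts once rather than per byte.

```python
# Added example: password syntax checks modelled on the policy attributes in
# the bug report. Not 389/Fedora Directory Server code.
from dataclasses import dataclass
from itertools import groupby
from typing import Dict, List

# Attributes whose values the password must not contain (from the bug report).
ENTRY_ATTRS_TO_CHECK = ("uid", "cn", "sn", "givenname", "mail", "ou")


@dataclass
class PasswordPolicy:
    # Names and defaults follow the cn=config attributes listed in the comment.
    passwordMinLength: int = 8
    passwordMinDigits: int = 0
    passwordMinAlphas: int = 0
    passwordMinUppers: int = 0
    passwordMinLowers: int = 0
    passwordMinSpecials: int = 0
    passwordMin8Bit: int = 0
    passwordMaxRepeats: int = 0        # assumption: 0 means "no limit"
    passwordMinCategories: int = 3
    passwordMinTokenLength: int = 3


def classify(password: str) -> Dict[str, int]:
    """Count characters per category: digit, upper, lower, special, 8bit.

    Iterates code points, so a multi-byte UTF-8 character is one character.
    Any non-ASCII code point is counted as an 8-bit character (assumption).
    """
    counts = {"digit": 0, "upper": 0, "lower": 0, "special": 0, "8bit": 0}
    for ch in password:
        if ord(ch) > 0x7F:
            counts["8bit"] += 1
        elif "0" <= ch <= "9":
            counts["digit"] += 1
        elif "A" <= ch <= "Z":
            counts["upper"] += 1
        elif "a" <= ch <= "z":
            counts["lower"] += 1
        else:                      # any other ASCII character (!@#$, space, ...)
            counts["special"] += 1
    return counts


def max_repeat_run(password: str) -> int:
    """Length of the longest run of one character repeated back to back."""
    return max((len(list(run)) for _, run in groupby(password)), default=0)


def check_syntax(password: str, policy: PasswordPolicy,
                 entry: Dict[str, List[str]]) -> List[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    errors: List[str] = []
    if len(password) < policy.passwordMinLength:
        errors.append("too short")

    counts = classify(password)
    counts_with_alphas = dict(counts, alphas=counts["upper"] + counts["lower"])
    minimums = {
        "digit": policy.passwordMinDigits,
        "alphas": policy.passwordMinAlphas,
        "upper": policy.passwordMinUppers,
        "lower": policy.passwordMinLowers,
        "special": policy.passwordMinSpecials,
        "8bit": policy.passwordMin8Bit,
    }
    for name, minimum in minimums.items():
        if counts_with_alphas[name] < minimum:
            errors.append(f"too few {name} characters")

    if policy.passwordMaxRepeats and max_repeat_run(password) > policy.passwordMaxRepeats:
        errors.append("too many repeated characters")

    categories = sum(1 for n in counts.values() if n > 0)
    if categories < policy.passwordMinCategories:
        errors.append("too few character categories")

    # Containment check (not equality) against entry attribute values; values
    # shorter than passwordMinTokenLength are ignored. Case-insensitive by assumption.
    lowered = password.lower()
    for attr in ENTRY_ATTRS_TO_CHECK:
        for value in entry.get(attr, []):
            if len(value) >= policy.passwordMinTokenLength and value.lower() in lowered:
                errors.append(f"contains {attr} value")
    return errors


if __name__ == "__main__":
    # Constructed sample entry, not real directory data.
    sample_entry = {"uid": ["jdoe"], "cn": ["John Doe"], "ou": ["IT"]}
    for candidate in ("Passw0rd!", "password", "Jdoe1234!", "Pässw0rd!"):
        print(candidate, "->", check_syntax(candidate, PasswordPolicy(), sample_entry) or "ok")
```

Note that with the default policy the two-character ou value "IT" is never matched because it is below passwordMinTokenLength, which is exactly the "minimum value size for comparison" the bug asks for; raising passwordMaxRepeats above zero is what turns on the aaabbb check.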
Created attachment 123678 [details] CVS Commit Checked into ldapserver (HEAD). Reviewed by Rich, Pete, and Noriko.