Description of problem: Currently Fedora Directory Server allows for a very simple password policy (see http://directory.fedoraproject.org/wiki/Password_Syntax) that is applied to passwords changed by the users using the password change extended operation (exop for short). Many organizations would like to be able to supplement that policy with their own custom, programmable policies. Currently there's no flexibility whatsoever.

The password quality assessment can be accomplished using very simple means: what is needed is just a program or script that reads a single line (containing the password) on its standard input and sets its return code to 0 if the password is OK or to 1 if it's not OK. It can also output a descriptive error on its standard output. Here's an example of such a script in Perl:

    #!/usr/bin/perl -w
    #
    # Read the password (one line on stdin) and drop the trailing newline.
    chomp(my $line = <STDIN>);
    if ($line =~ /^password/i) {
        # Reject: report the reason on stdout and exit non-zero.
        print "The password cannot begin with the word 'password'.\n";
        exit 1;
    } else {
        exit 0;
    }

Note that this way one can easily implement various additional checks, e.g. a check against a known wordlist, statistical tests on the characters comprising the password etc. I think that this functionality could be implemented in FDS using a plugin that consumes one configuration option: the full absolute path to the binary to be executed for checking passwords.
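An added, more complete checker following the stdin/exit-status contract described in the report, together with a small driver that spawns such a checker the way the proposed plugin would. This is example code written for this page, not code from the 389/FDS project or from the reporter; the wordlist, thresholds, message texts and the run_checker() helper are assumptions made for the illustration, and the wordlist and repetition checks go beyond the single /^password/i rule in the Perl script above.

```python
#!/usr/bin/env python3
"""Password quality checker following the contract described in the report:
read one line (the password) on stdin, print a human-readable reason on
stdout when rejecting, exit 0 if the password is OK and 1 if it is not.

Added example only; this is not FDS/389 code.  WORDLIST, the thresholds, the
message texts and run_checker() (which stands in for the proposed plugin)
are assumptions made for this illustration.
"""
import re
import subprocess
import sys
from collections import Counter

# Constructed wordlist standing in for a real dictionary file.
WORDLIST = {"password", "letmein", "qwerty", "welcome", "fedora", "directory"}
MIN_LENGTH = 8
MIN_CLASSES = 3  # of: lowercase, uppercase, digit, other

# Interpreter path exposed so a caller (or test) can spawn a checker.
PYTHON = sys.executable


def check_password(password):
    """Return (ok, message). message is "" when ok, else the reason printed
    on stdout so the user (or the LDAP client) learns why it was rejected."""
    if len(password) < MIN_LENGTH:
        return False, "The password must be at least %d characters long." % MIN_LENGTH

    # Wordlist check: the original script only rejected /^password/i; this
    # strips trailing digits/punctuation ("Password1!" -> "password") and
    # rejects anything that is, or begins with, a wordlist entry.
    core = re.sub(r"[0-9\W_]+$", "", password.lower())
    if core in WORDLIST or any(core.startswith(w) for w in WORDLIST):
        return False, "The password is based on a dictionary word."

    # Character-class statistic: how many of the four classes are present.
    classes = sum(
        any(test(ch) for ch in password)
        for test in (str.islower, str.isupper, str.isdigit,
                     lambda c: not c.isalnum())
    )
    if classes < MIN_CLASSES:
        return False, "The password must mix at least %d character classes." % MIN_CLASSES

    # Repetition statistic: no single character may make up more than half.
    top = Counter(password).most_common(1)[0][1]
    if top * 2 > len(password):
        return False, "The password is too repetitive."

    return True, ""


def run_checker(argv, password, timeout=5.0):
    """Drive an external checker the way the proposed plugin would: the
    password travels as one line on stdin (never on the command line, where
    it would show up in 'ps'), exit 0 means OK and exit 1 means rejected.
    Any other status, a timeout or a failure to start is treated as a
    rejection (fail closed) so a broken checker cannot admit weak passwords.
    Returns (ok, message)."""
    if "\n" in password:
        return False, "The password must not contain a newline."
    try:
        proc = subprocess.run(argv, input=password + "\n", capture_output=True,
                              text=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return False, "Password checker failed: %s" % exc
    message = proc.stdout.strip()
    if proc.returncode == 0:
        return True, message
    if proc.returncode == 1:
        return False, message or "The password was rejected by policy."
    return False, "Password checker exited with unexpected status %d." % proc.returncode


def main():
    """Entry point used when this file is installed as the checker binary."""
    password = sys.stdin.readline().rstrip("\r\n")
    ok, message = check_password(password)
    if message:
        print(message)
    sys.exit(0 if ok else 1)


if __name__ == "__main__":
    main()
```

Installed as the configured checker binary, `echo 'Password1!' | ./checker.py` prints the dictionary-word reason and exits 1, while a password such as `Tr0ub4dor&3` exits 0 silently. Two points a practitioner would want from the plugin side are built into run_checker(): the password is handed over on stdin rather than as an argument, so it never appears in the process list, and anything other than a clean exit 0 (unexpected status, timeout, missing binary) is treated as a rejection rather than a pass.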
Upstream ticket: https://fedorahosted.org/389/ticket/109
Closing this bug since we moved to the ticket system: https://fedorahosted.org/389/ticket/109