Date: 07-03-2023
Why is Password Complexity Important?
Password management is an important security measure for any Linux system. Without strong passwords, unauthorized people can gain access to the system and to the data it holds. It is therefore essential to define a password policy that forces users to choose complex passwords that are difficult to guess or crack. In OpenLDAP this is done with the ppolicy overlay together with the ppm password checking module (ppm.so), which is configured in the steps below.
Configure Password Complexity
1. For Symas OpenLDAP 2.5.13 and above, create an LDIF that modifies the password policy entry in use. In this example we modify the default password policy entry (cn=passwordDefault,ou=policies,dc=example,dc=com):
vi /tmp/pwcheck.ldif
2. Add the following content:
dn: cn=passwordDefault,ou=policies,dc=example,dc=com
changetype: modify
replace: pwdCheckQuality
pwdCheckQuality: 2
-
add: objectClass
objectClass: pwdPolicyChecker
-
add: pwdCheckModule
pwdCheckModule: ppm.so
3. Apply the LDIF to the database with ldapmodify (-W prompts for the bind password):
ldapmodify -x -H ldap:/// -D cn=ldapadmin,dc=example,dc=com -f /tmp/pwcheck.ldif -W
4. Create the password complexity parameters in a file, for example, ppm.conf:
vi /tmp/ppm.conf
5. Enter the desired configuration in ppm.conf. In this example a password must satisfy at least three of the four character classes (minQuality 3), must not contain '.', '?' or ',' (forbiddenChars), has no maximum length (maxLength 0) and must not contain the entry's RDN (checkRDN 1). Each class-<name> line gives the characters that make up the class, the minimum number of them the password must contain, and the number needed for the class to count one point towards minQuality:
minQuality 3
forbiddenChars .?,
maxLength 0
checkRDN 1
class-upperCase ABCDEFGHIJKLMNOPQRSTUVWXYZ 0 1
class-lowerCase abcdefghijklmnopqrstuvwxyz 0 1
class-digit 0123456789 0 1
class-special <>,?;.:/!§ù%*μ^¨$£²&é~"#'{([-|è`_\ç^à@)]°=}+ 0 1
Note: Newer builds of ppm.so no longer read ppm.conf from disk. The configuration is stored in the policy entry's pwdCheckModuleArg attribute and handed to the module by the ppolicy overlay. Because the value spans several lines, it has to be base64-encoded in the LDIF (the double-colon form shown below); ldapmodify decodes it before sending it, so the server stores the plain configuration text.
6. Encode the file from the command line (-w 0 keeps the output on a single line so it can be pasted into the LDIF as is):
cd /tmp/
base64 -w 0 ppm.conf > encoded_ppm.conf
cat encoded_ppm.conf
bWluUXVhbGl0eSAzCmZvcmJpZGRlbkNoYXJzIC4/LAptYXhMZW5ndGggMApjaGVja1JETiAxCmNsYXNzLXVwcGVyQ2FzZSBBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWiAwIDEKY2xhc3MtbG93ZXJDYXNlIGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6IDAgMQpjbGFzcy1kaWdpdCAwMTIzNDU2Nzg5IDAgMQpjbGFzcy1zcGVjaWFsIDw+LD87LjovIcKnw7klKs68XsKoJMKjwrImw6l+IiMneyhbLXzDqGBfXMOnXsOgQCldwrA9fSsgMCAx
7. Copy the output into an LDIF. The value is base64, so it must be written with a double colon (pwdCheckModuleArg::); with a single colon slapd would store the base64 text itself and ppm would not be able to parse it:
vi /tmp/pwdcomplexity.ldif
dn: cn=passwordDefault,ou=policies,dc=example,dc=com
changetype: modify
replace: pwdCheckModuleArg
pwdCheckModuleArg:: bWluUXVhbGl0eSAzCmZvcmJpZGRlbkNoYXJzIC4/LAptYXhMZW5ndGggMApjaGVja1JETiAxCmNsYXNzLXVwcGVyQ2FzZSBBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWiAwIDEKY2xhc3MtbG93ZXJDYXNlIGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6IDAgMQpjbGFzcy1kaWdpdCAwMTIzNDU2Nzg5IDAgMQpjbGFzcy1zcGVjaWFsIDw+LD87LjovIcKnw7klKs68XsKoJMKjwrImw6l+IiMneyhbLXzDqGBfXMOnXsOgQCldwrA9fSsgMCAx
8. Apply this LDIF to the database as well:
ldapmodify -x -H ldap:/// -D cn=ldapadmin,dc=example,dc=com -f /tmp/pwdcomplexity.ldif -W
9. Restart the slapd service so the updated policy and module are picked up (the service name depends on how OpenLDAP was installed):
service slapd restart
or
systemctl restart slapd
or
service solserver restart
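As an added worked example (not code from this article, from Symas or from the ppm module itself), the Python below does two things the steps above leave to the reader: it generates the modify LDIF with the pwdCheckModuleArg value in the double-colon base64 form that ldapmodify expects, and it evaluates candidate passwords against the same ppm.conf so you can see what the policy will reject before pushing it to the server. The policy DN and configuration are the ones used above; the sample passwords are constructed. The class-line semantics (characters, minimum count, count needed for one quality point) and the simplified checkRDN handling are assumptions stated in the comments, and the evaluator is a local approximation of ppm's checks, not ppm.so.

```python
import base64
import sys

# Constructed sample: the same ppm.conf as in the steps above
# (the backslash in the special class is escaped for Python).
PPM_CONF = """minQuality 3
forbiddenChars .?,
maxLength 0
checkRDN 1
class-upperCase ABCDEFGHIJKLMNOPQRSTUVWXYZ 0 1
class-lowerCase abcdefghijklmnopqrstuvwxyz 0 1
class-digit 0123456789 0 1
class-special <>,?;.:/!§ù%*μ^¨$£²&é~"#'{([-|è`_\\ç^à@)]°=}+ 0 1
"""

POLICY_DN = "cn=passwordDefault,ou=policies,dc=example,dc=com"


def parse_ppm_conf(text):
    """Split ppm.conf into scalar parameters and character classes.

    Assumed class-line format: class-<name> <chars> <min> <minForPoint>
    (min = characters of the class the password must contain,
    minForPoint = characters of the class needed to add one quality point)."""
    params, classes = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        if key.startswith("class-"):
            chars, min_count, min_for_point = rest.rsplit(" ", 2)
            classes.append((key[len("class-"):], chars, int(min_count), int(min_for_point)))
        else:
            params[key] = rest
    return params, classes


def check_password(password, conf=PPM_CONF, rdn_value=None):
    """Local approximation of ppm's checks; returns (accepted, reasons)."""
    params, classes = parse_ppm_conf(conf)
    reasons = []
    max_len = int(params.get("maxLength", "0"))
    if max_len and len(password) > max_len:  # maxLength 0 means no limit
        reasons.append("longer than maxLength %d" % max_len)
    bad = sorted({c for c in password if c in params.get("forbiddenChars", "")})
    if bad:
        reasons.append("forbidden characters: " + "".join(bad))
    # checkRDN simplified (assumption) to "the RDN value appears in the password"
    if params.get("checkRDN") == "1" and rdn_value and rdn_value.lower() in password.lower():
        reasons.append("contains the entry's RDN value")
    quality = 0
    for name, chars, min_count, min_for_point in classes:
        n = sum(1 for c in password if c in chars)
        if n < min_count:
            reasons.append("needs at least %d %s characters" % (min_count, name))
        if min_for_point and n >= min_for_point:
            quality += 1
    min_quality = int(params.get("minQuality", "0"))
    if quality < min_quality:
        reasons.append("quality %d below minQuality %d" % (quality, min_quality))
    return (not reasons, reasons)


def build_ldif(policy_dn=POLICY_DN, conf=PPM_CONF, module="ppm.so"):
    """Modify LDIF that enables ppm on the policy entry.

    The config spans several lines, so LDIF needs the base64 form with a
    double colon: ldapmodify decodes it and slapd stores the plain text
    that ppm parses. A single colon would store the base64 string itself.
    'replace' is used for the module attributes so the LDIF can be re-run."""
    arg = base64.b64encode(conf.encode("utf-8")).decode("ascii")
    return "\n".join([
        "dn: " + policy_dn,
        "changetype: modify",
        "replace: pwdCheckQuality",
        "pwdCheckQuality: 2",
        "-",
        "add: objectClass",
        "objectClass: pwdPolicyChecker",
        "-",
        "replace: pwdCheckModule",
        "pwdCheckModule: " + module,
        "-",
        "replace: pwdCheckModuleArg",
        "pwdCheckModuleArg:: " + arg,
        "",
    ])


def decode_module_arg(ldif):
    """Recover the stored configuration from the LDIF, as slapd will see it."""
    for line in ldif.splitlines():
        if line.startswith("pwdCheckModuleArg:: "):
            return base64.b64decode(line.split(" ", 1)[1]).decode("utf-8")
    return None


if __name__ == "__main__":
    # Usage: python3 ppm_policy.py > /tmp/pwdcomplexity.ldif
    sys.stdout.write(build_ldif())
    for pw in ("password", "Summer2023", "Tr0ub4dor&3"):
        sys.stderr.write("%s: %s\n" % (pw, check_password(pw, rdn_value="summer")))
```

After applying the generated LDIF with ldapmodify, confirm the policy on the server by changing a test user's password with ldappasswd (for example `ldappasswd -x -H ldap:/// -D <user dn> -W -S`): a password the evaluator rejects, such as "password", should be refused with a constraint violation, while one it accepts should go through. If every password is refused, pwdCheckQuality 2 is reporting that the module could not be loaded or could not parse its argument, which usually means the single-colon form was used or ppm.so is not where slapd looks for it.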