Cracklib password policy plugin for LdapCherry
- Doc
- Dev
- PyPI
- License: MIT
- Author: Pierre-Francois Carpentier - copyright © 2015
From PyPI:

```bash
$ pip install lcppolicy_cracklib
```

From sources:

```bash
$ python setup.py install
```
In ldapcherry.ini:

```ini
[ppolicy]

# password policy module
ppolicy.module = 'lcppolicy_cracklib'

# minimum password length (optional default: 0)
min_length = 10

# minimum number of upper case characters (optional default: 0)
min_upper = 1

# minimum number of lower case characters (optional default: 0)
min_lower = 2

# minimum number of digits (optional default: 0)
min_digit = 1

# minimum number of non alphanumeric characters (optional default: 0)
min_other = 1

# path to dictionary (optional)
dict_path = '/var/cache/cracklib/cracklib_dict'
```
To enable this module, set `ppolicy.module` to `lcppolicy_cracklib` in section `[ppolicy]` of ldapcherry.ini:

```ini
[ppolicy]
ppolicy.module = 'lcppolicy_cracklib'
```
This plugin takes the following parameters in ldapcherry.ini (all the parameters are optional):
Parameter | Section | Description | Values | Comment |
---|---|---|---|---|
min_length | ppolicy | Minimum length of password | Integer | Default: 0 |
min_upper | ppolicy | Minimum number of upper case characters | Integer | Default: 0 |
min_digit | ppolicy | Minimum number of digit characters | Integer | Default: 0 |
min_lower | ppolicy | Minimum number of lower case characters | Integer | Default: 0 |
min_other | ppolicy | Minimum number of non alphanumeric characters | Integer | Default: 0 |
dict_path | ppolicy | Path to dictionary | Path | Default: default cracklib dictionary, usually '/var/cache/cracklib/cracklib_dict'. If pointing, for example, to /path/dict, then /path/dict.hwm, /path/dict.pwd and /path/dict.pwi must exist. |
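
The following pre-flight check for the `[ppolicy]` section is an added example, not part of the plugin or of LdapCherry. It flags counts that are not non-negative integers, a `min_length` left at 0, a `min_length` lower than what the character-class minimums already force, and a `dict_path` whose `.hwm`, `.pwd` or `.pwi` file is missing. The helper names `load_ppolicy` and `lint_ppolicy` are hypothetical, the sample configuration is constructed from the one above, and values are assumed to be Python literals (quoted strings, bare integers) as the quoting on this page suggests.

```python
import ast
import configparser
import os

# Constructed sample, mirroring the [ppolicy] section shown on this page.
SAMPLE_INI = """
[ppolicy]
ppolicy.module = 'lcppolicy_cracklib'
min_length = 10
min_upper = 1
min_lower = 2
min_digit = 1
min_other = 1
dict_path = '/var/cache/cracklib/cracklib_dict'
"""

CLASS_KEYS = ("min_upper", "min_lower", "min_digit", "min_other")
DICT_SUFFIXES = (".hwm", ".pwd", ".pwi")  # files the page says must exist

def load_ppolicy(ini_text):
    """Parse [ppolicy]. Assumption: values are Python literals (quoted strings, bare ints)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    return {key: ast.literal_eval(value) for key, value in parser["ppolicy"].items()}

def lint_ppolicy(policy):
    """Return a list of human-readable findings; an empty list means none."""
    problems = []
    counts = {}
    for key in ("min_length",) + CLASS_KEYS:
        value = policy.get(key, 0)  # documented default is 0
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            problems.append(f"{key}: expected a non-negative integer, got {value!r}")
            value = 0
        counts[key] = value
    if counts["min_length"] == 0:
        problems.append("min_length: 0 (the default), so it imposes no length floor")
    required = sum(counts[key] for key in CLASS_KEYS)  # the four classes are disjoint
    if required > counts["min_length"] > 0:
        problems.append(f"min_length: {counts['min_length']} < {required} required by class minimums")
    dict_path = policy.get("dict_path")
    if dict_path is not None:  # unset means the default cracklib dictionary
        for suffix in DICT_SUFFIXES:
            if not os.path.isfile(str(dict_path) + suffix):
                problems.append(f"dict_path: missing {dict_path}{suffix}")
    return problems

if __name__ == "__main__":
    print("\n".join(lint_ppolicy(load_ppolicy(SAMPLE_INI))))
```

To check a deployed configuration, pass the contents of ldapcherry.ini to `load_ppolicy` and review the list returned by `lint_ppolicy` before restarting the service.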
To build custom cracklib dictionaries:
- Get one or many word list files (for example here: http://www.winedt.org/Dict/).
- If necessary, encode it to UTF-8.
- Generate the cracklib dictionary.
Example:

```bash
# Just create a work directory
$ mkdir dict/
$ cd dict/

# Recover and unzip the word list
$ wget http://www.winedt.org/Dict/unicode/fr.zip
$ unzip fr.zip

# UTF-8 encoding
$ file *
fr.dic: Little-endian UTF-16 Unicode text
fr.txt: ASCII text, with CRLF line terminators
fr.zip: Zip archive data, at least v2.0 to extract
$ iconv -f UTF-16 -t UTF-8 fr.dic >fr2.dic

# Create the dictionary
$ cat fr2.dic | cracklib-packer mydict

# Result
$ ls mydict*
mydict.hwm mydict.pwd mydict.pwi
```
Warning
Most distributions already provide dictionaries and a cron script to update the cracklib dictionary.

For example, in Debian/Ubuntu:

```bash
# Search available dictionaries
$ apt-cache search 'dictionary' | egrep '^w'

# Take a look at the cron script and configuration
$ cat /etc/cron.daily/cracklib-runtime
$ cat /etc/cracklib/cracklib.conf
```