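# Example of ppm configuration
#
# Fix applied to this listing: it had been collapsed onto two lines with the
# viewer's line numbers fused onto each directive (e.g. "34minQuality 3").
# One directive per line is restored here. Parameter names and values are unchanged.

# Such configuration must be stored into pwdCheckModuleArg attribute
# of a password policy entry
# See slapo-ppolicy for more details
# Here is an example of such password policy:
#   dn: cn=default,ou=policies,dc=my-domain,dc=com
#   objectClass: pwdPolicy
#   objectClass: top
#   objectClass: pwdPolicyChecker
#   objectClass: person
#   pwdCheckQuality: 2
#   pwdAttribute: userPassword
#   sn: default
#   cn: default
#   pwdMinLength: 6
#   pwdCheckModule: /usr/local/lib/ppm.so
#   pwdCheckModuleArg:: bWluUXVhbGl0eSAzCmNoZWNrUkROIDAKZm9yYmlkZGVuQ2hhcnMKbWF4Q29uc2VjdXRpdmVQZXJDbGFzcyAwCnVzZUNyYWNrbGliIDAKY3JhY2tsaWJEaWN0IC92YXIvY2FjaGUvY3JhY2tsaWIvY3JhY2tsaWJfZGljdApjbGFzcy11cHBlckNhc2UgQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVogMCAxCmNsYXNzLWxvd2VyQ2FzZSBhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5eiAwIDEKY2xhc3MtZGlnaXQgMDEyMzQ1Njc4OSAwIDEKY2xhc3Mtc3BlY2lhbCA8Piw/Oy46LyHCp8O5JSrCtV7CqCTCo8KyJsOpfiIjJ3soWy18w6hgX1zDp17DoEApXcKwPX0rIDAgMQ==
#
# Different parameters are separated by a linefeed (\n)
# Parameters starting with a # are ignored
# Use a base64 tool to code / decode the content of pwdCheckModuleArg
#
# The base64 value above decodes to exactly the parameter lines of this file
# (comments stripped). The policy that is enforced is the one stored in
# pwdCheckModuleArg, so re-encode and update the attribute after every change
# made here, and decode the attribute when auditing what is really in force.
#
# NOTE(review): the values in this example (pwdMinLength: 6, every class MIN
# at 0, checkRDN 0, useCracklib 0) are illustrative. As written, the only thing
# ppm itself requires is minQuality 3, i.e. at least one character from three
# of the four classes. Adjust them to the site's password policy before use.
#
# NOTE(review): pwdCheckModule names a shared object that slapd loads; the
# file and its directory should be writable by the administrator only.



# Parameters

# minQuality parameter
# Format:
#   minQuality [NUMBER]
# Description:
#   One point is granted for each class whose MIN_FOR_POINT criterion is fulfilled.
#   minQuality defines the minimum number of points required for the password
#   to be accepted.
minQuality 3

# checkRDN parameter
# Format:
#   checkRDN [0 | 1]
# Description:
#   If set to 1, password must not contain a token from the RDN.
#   Tokens are separated by these delimiters : space tabulation _ - , ; £
#   With 0 (as here), a password containing the entry's own RDN value
#   (often the login name) is not rejected by this check.
checkRDN 0

# forbiddenChars parameter
# Format:
#   forbiddenChars [CHARACTERS_FORBIDDEN]
# Description:
#   Defines the forbidden characters list (no separator).
#   If one of them is found in the password, then it is rejected.
#   The list is empty here, so no character is forbidden.
forbiddenChars

# maxConsecutivePerClass parameter
# Format:
#   maxConsecutivePerClass [NUMBER]
# Description:
#   Defines the maximum number of consecutive characters allowed for any class.
#   NOTE(review): 0 presumably disables this check - confirm against the ppm
#   documentation for the installed version.
maxConsecutivePerClass 0

# useCracklib parameter
# Format:
#   useCracklib [0 | 1]
# Description:
#   If set to 1, the password must pass the cracklib check.
#   With 0 (as here), no dictionary check is performed by ppm.
useCracklib 0

# cracklibDict parameter
# Format:
#   cracklibDict [path_to_cracklib_dictionary]
# Description:
#   directory+filename-prefix that your version of CrackLib will go hunting for
#   For example, /var/pw_dict resolves as /var/pw_dict.pwd,
#   /var/pw_dict.pwi and /var/pw_dict.hwm dictionary files
#   NOTE(review): presumably only consulted when useCracklib is 1. When
#   enabling cracklib, check that these files exist and are readable by the
#   slapd account.
cracklibDict /var/cache/cracklib/cracklib_dict

# classes parameter
# Format:
#   class-[CLASS_NAME] [CHARACTERS_DEFINING_CLASS] [MIN] [MIN_FOR_POINT]
# Description:
#   [CHARACTERS_DEFINING_CLASS]: characters defining the class (no separator)
#   [MIN]: if fewer than [MIN] characters of this class are found in the
#          password, then it is rejected
#   [MIN_FOR_POINT]: one point is granted if the password contains at least
#          [MIN_FOR_POINT] characters of this class
#   Every class below has MIN 0 and MIN_FOR_POINT 1: no class is mandatory,
#   and a single character of a class earns its point towards minQuality.
#   The class-special list contains non-ASCII characters; the base64 example
#   above encodes them as UTF-8, so keep this file in UTF-8 when re-encoding.
class-upperCase ABCDEFGHIJKLMNOPQRSTUVWXYZ 0 1
class-lowerCase abcdefghijklmnopqrstuvwxyz 0 1
class-digit 0123456789 0 1
class-special <>,?;.:/!§ù%*µ^¨$£²&é~"#'{([-|è`_\ç^à@)]°=}+ 0 1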