Configure password quality check – Openldap




How to implement password quality (complexity) enforcement rules? How to test the functionality?

In my previous discussion I explained the various options available to implement a password quality (complexity) check. Now I am going to demonstrate enforcing password complexity rules using the “pqchecker” library.


All of these prerequisites must be fulfilled.

1. Install JAVA

Ensure JAVA is installed. The JAVA home path must be supplied to pqchecker when compiling. Try these commands to identify the available JAVA version and home path.

# java -version
java version "1.8.0_102"
Java(TM) SE Runtime Environment (build 1.8.0_102-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.102-b14, mixed mode)
#find / -name 'jdk*'

If you do not find a valid JAVA SDK installation, no worries: download and install the latest version. This article guides you through that.

2. Download source code

Download the source code to a common location. I used the /root/pwdq path.

Get Openldap code from here.

I used Openldap version 2.4.44; this can be obtained directly from here.

Get pqchecker source code from here.

3. Install gcc or cc compiler

#yum install gcc*

4. Working LDAP ppolicy

The LDAP ppolicy overlay must already be configured and active. If not, follow this and get it done.

Compile and Install pqchecker


#tar -xzf /root/pwdq/openldap-2.4.44.tgz -C /root/pwdq
#cd /root/pwdq/openldap-2.4.44
#./configure && make depend
#echo $?

Ensure the exit status is zero (0).


#cd /root/pwdq
#tar -xzf
#cd pqchecker-master
#./configure LDAPSRC=/root/pwdq/openldap-2.4.44/ JAVAHOME=/opt/java/jdk1.8.0_102 libdir=/usr/lib64/openldap PARAMDIR=/etc/openldap/pqchecker
#make install /etc/openldap/pqchecker

LDAPSRC – Location of the LDAP source files.

JAVAHOME – Location of the JAVA libraries. This is the JAVA home path obtained in the “Install JAVA” section.

libdir – Where the pqchecker module should be placed after compiling. This is the path where Openldap looks for modules. In my configuration it is /usr/lib64/openldap. For a 32-bit system it will be /usr/lib/openldap. See the “modulepath” attribute in slapd.conf.

PARAMDIR – Directory where the password complexity rules will be placed. Restrict others from reading and writing this directory.

#chown -R ldap:ldap /etc/openldap/pqchecker

Now the pqchecker man page should be accessible from the “man” command.

#man pqchecker

We are done with the installation.


Set the required complexity rules in the pqchecker configuration file /etc/openldap/pqchecker/pqparams.dat. This file was created by pqchecker during installation.

Rule syntax is UULLDDSS@).. where UU, LL, DD and SS are two-digit counts for uppercase, lowercase, numeric and special characters, and everything after them (“@)” here) is a list of forbidden characters.

Ex. 01010201@

This rule passes the complexity check when the password contains

  • one uppercase and one lowercase character
  • two numeric characters (0-9)
  • any one special character except the symbol “@”

Everything from the ninth character onward is optional and can be of any length. These are forbidden characters: the rule restricts the user from using the given characters in a password.

The maximum count that can be provided is “99”.

Ex. 99010101

If this rule is applied, only a password with 99 uppercase letters will be accepted.
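To try a rule string against candidate passwords before writing it to pqparams.dat, here is a small checker for the UULLDDSS format described above. It is an added example, not pqchecker's own code; it assumes the counts are minimums and that “special” means ASCII punctuation, and the function names are hypothetical.

```python
import string

def parse_rule(rule):
    """Split a UULLDDSS rule into per-class counts and forbidden characters."""
    rule = rule.rstrip("\r\n")
    head, forbidden = rule[:8], rule[8:]
    if len(head) != 8 or not (head.isascii() and head.isdigit()):
        raise ValueError("rule must start with eight digits (UULLDDSS)")
    kinds = ("uppercase", "lowercase", "digit", "special")
    counts = {k: int(head[2 * i:2 * i + 2]) for i, k in enumerate(kinds)}
    return counts, set(forbidden)

def check_password(password, rule):
    """Return the reasons a password fails the rule; an empty list means pass."""
    required, forbidden = parse_rule(rule)
    # Assumptions: counts are minimums, and "special" means ASCII punctuation;
    # pqchecker's own character classification may differ.
    classes = {
        "uppercase": string.ascii_uppercase,
        "lowercase": string.ascii_lowercase,
        "digit": string.digits,
        "special": string.punctuation,
    }
    problems = []
    for kind, need in required.items():
        have = sum(ch in classes[kind] for ch in password)
        if have < need:
            problems.append(f"{kind}: need {need}, found {have}")
    used = sorted(set(password) & forbidden)
    if used:
        problems.append("forbidden character(s): " + "".join(used))
    return problems

# Constructed sample passwords checked against the article's example rule.
SAMPLES = ["Passw0rd1!", "P@ssw0rd", "password"]

if __name__ == "__main__":
    for pw in SAMPLES:
        print(pw, "->", check_password(pw, "01010201@") or "OK")
```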


Create an LDIF file and apply it to Openldap using ldapmodify.

#cat /root/pwdq.ldif
dn: cn=default,ou=pwpolicy,dc=sunt,dc=com
changetype: modify
replace: pwdCheckQuality
pwdCheckQuality: 2
-
add: objectclass
objectclass: pwdPolicyChecker
-
add: pwdcheckmodule
pwdcheckmodule: pqchecker.so

#ldapmodify -axw "$PASS" -D cn=manager,dc=sunt,dc=com -f /root/pwdq.ldif
#ldapsearch -xw "$PASS" -LLL -D cn=manager,dc=sunt,dc=com -b ou=pwpolicy,dc=sunt,dc=com

Ensure “pwdminlength” is set to the desired value. If not, add it using an LDIF file.

dn: cn=default,ou=pwpolicy,dc=sunt,dc=com
changetype: modify
add: pwdminlength
pwdminlength: 8

That is it.

Validate the enforcement

Log in as any existing LDAP user and try changing the password. From the logs you can see that simple passwords have been rejected by pqchecker.

Aug 24 00:29:43 rhel4 slapd[2888]: conn=1031 op=4 BIND dn="uid=emp1,ou=people,dc=sunt,dc=com" method=128
Aug 24 00:29:43 rhel4 slapd[2888]: conn=1031 op=4 BIND dn="uid=emp1,ou=people,dc=sunt,dc=com" mech=SIMPLE ssf=0
Aug 24 00:29:43 rhel4 slapd[2888]: ppolicy_bind: Setting warning for password expiry for uid=emp1,ou=people,dc=sunt,dc=com = 98772 seconds
Aug 24 00:29:43 rhel4 slapd[2888]: conn=1031 op=4 RESULT tag=97 err=0 text=
Aug 24 00:29:43 rhel4 slapd[2888]: conn=1031 op=5 MOD dn="uid=emp1,ou=people,dc=sunt,dc=com"
Aug 24 00:29:43 rhel4 slapd[2888]: conn=1031 op=5 MOD attr=userPassword
Aug 24 00:29:43 rhel4 slapd[2888]: check_password_quality: module error: ( The password does not pass quality check..[1]
Aug 24 00:29:43 rhel4 slapd[2888]: conn=1031 op=5 RESULT tag=103 err=19 text=The password does not pass quality check.
Aug 24 00:29:45 rhel4 slapd[2888]: conn=1031 op=6 UNBIND
Aug 24 00:29:45 rhel4 slapd[2888]: conn=1031 fd=20 closed

The user receives the password quality constraint error on standard output.

[emp1@rhel4 ~]$ passwd
Changing password for user emp1.
Enter login(LDAP) password:
New password:
Retype new password:
LDAP password information update failed: Constraint violation
The password does not pass quality check.
passwd: Authentication token manipulation error
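To keep an eye on rejections over time, the slapd log lines shown above can be correlated by connection and operation number: the MOD line gives the target DN, and the RESULT line with err=19 (constraint violation) gives the rejection. This is an added example, not part of the original article or of pqchecker; the function name is hypothetical and the sample lines are copied from the log excerpt above.

```python
import re
from collections import Counter

# Lines copied from the slapd log excerpt in this article.
SAMPLE_LOG = '''\
Aug 24 00:29:43 rhel4 slapd[2888]: conn=1031 op=4 BIND dn="uid=emp1,ou=people,dc=sunt,dc=com" method=128
Aug 24 00:29:43 rhel4 slapd[2888]: conn=1031 op=4 RESULT tag=97 err=0 text=
Aug 24 00:29:43 rhel4 slapd[2888]: conn=1031 op=5 MOD dn="uid=emp1,ou=people,dc=sunt,dc=com"
Aug 24 00:29:43 rhel4 slapd[2888]: conn=1031 op=5 MOD attr=userPassword
Aug 24 00:29:43 rhel4 slapd[2888]: conn=1031 op=5 RESULT tag=103 err=19 text=The password does not pass quality check.
Aug 24 00:29:45 rhel4 slapd[2888]: conn=1031 fd=20 closed
'''

LINE = re.compile(r"slapd\[\d+\]: conn=(\d+) (?:op=(\d+) )?(.*)$")

def rejected_password_changes(log_text):
    """Count quality-check rejections of userPassword changes per target DN."""
    mod_dn = {}      # (conn, op) -> DN named on the MOD line
    pw_mod = set()   # (conn, op) pairs whose MOD touched userPassword
    rejected = Counter()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # e.g. ppolicy_bind lines carry no conn= field
        conn, op, rest = m.groups()
        key = (conn, op)
        dn = re.match(r'MOD dn="([^"]*)"', rest)
        if dn:
            mod_dn[key] = dn.group(1)
        elif rest.startswith("MOD attr="):
            if "userPassword" in rest.split("=", 1)[1].split():
                pw_mod.add(key)
        elif rest.startswith("RESULT"):
            target = mod_dn.pop(key, None)  # operation finished: drop its state
            if key in pw_mod:
                pw_mod.discard(key)
                if "err=19" in rest.split() and "quality check" in rest:
                    rejected[target or "unknown"] += 1
    return rejected

if __name__ == "__main__":
    for dn, count in rejected_password_changes(SAMPLE_LOG).items():
        print(count, dn)
```

A single user with many rejections is usually someone fighting the policy; many users with rejections right after a rule change suggests the rule in pqparams.dat is stricter than intended.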

Any comments? Please post.
