Password quality check for OpenLDAP


1. Password quality check for OpenLDAP

2. Configure password quality check – Openldap

There is no standard OpenLDAP module for password quality check. How to make OpenLDAP server to check the strength and quality of password? How to reject the password which does not meet desired standards? There is an alternate solution available.

With help of ppolicy overlay module in OpenLDAP can implement various password rules. The rules such as password max age, min age, warning age, length, account lock/unlock and history are possible to configure in ppolicy module. But password quality (complexity) check required LDAP extensions module to be installed and configured.

There are few extensions readily available. After do lot of research over web managed to populate the available LDAP extension for password quality (password complexity) check. By installing any of this modules will be able to define your own password complexity requirements.

  • No of upper case letters
  • No of lower case letters
  • No of special characters
  • No of digits
  • Prevent using forbidden characters
  • Prevent using geos in password such as user first or last name

Note: Password quality check is not applicable for “rootdn”.

Password quality checker for OpenLDAP ppolicy overlay (

Password checker is a free and opensource tool. Pqchecker is a shared library which you can obtain by download source code from github and compile for your system. The ppolicy overlay invokes pqchecker module each time when the password has been updated.

password quality check by pqchecker


With pqchecker extension get control of

  • Number of required uppercase characters
  • Number of required lowercase characters
  • Number of required special characters
  • Number of required digits
  • List of forbidden characters

Your ppolicy ldif file must have configured in such a way that
pwdCheckQuality 2

To download the source code and installation instruction from click here.

OpenLDAP password policy module (ppm.c)

PPM is another opensource LDAP extension for password quality check. Passwords are checked against the presence or absence of defined character classes. By default four character classes defined. Upper case, lower case, digits and special character are the default classes. If no rules specified default rules will take effect.

  • All the above mentioned controls of pqchecker module
  • If a password is too long, it can be rejected
  • We do have advantage of defining our own character set classes. For example define class such as force users to use symbols “< > { } / \” in password

To obtain source code and installation instruction click here.

OpenLDAP pwdChecker library (check_password.c)

The check_password is yet another opensource tool for password quality check. The check_password module run number of checks to ensure minimum strength and quality requirement are met.

  • Passwords shorter than 6 characters are rejected by default.
  • Character class check such as upper, lower, digit, special character and control as per configuration.
  • Prevent given characters set being repeatedly used. For example “aaaaa”. It is optional.
  • Passwords are checked against cracklib if it is enabled at compile time.

This software originally packaged as ltb-project-openldap-ppolicy-check-password-1.1 which can be downloaded from here.

The Onyx Point made number of improvements and relabelled as ppolicy-check-password. To obtain this package and instruction click here

Key points
  • You are free to choose any of above mentioned tools. However, the ppolicy (password policy) overlay invokes password strength check module whichever specified in attribute “pwdCheckModule” every time you run password being updated to database.
  • This password quality check is not applicable for “rootdn”

I have tested pqchecker module personally. It is working like charm. See the step by step installation instruction here. If any of you used already or facing difficulties in installation do share here. Let others know.

While posting this article all the above mentioned links were functional. If you found any broken links please do report in comment section.

6 thoughts on “Password quality check for OpenLDAP

  1. Hi!! it’s very nice document! Thanks for sharing..
    Can you plz tell me in which redhat release you installed openldap and were you able to configure TLS..

Comments are closed.