I can clean up our code, but it’s for a Kerberos pwqual plugin. That doesn’t 
seem to be the approach you’re using. We’re actually using code from Stanford 
that’s configurable for all kinds of policies, but we’re only using it for the 
database. Code that just checks the database would be much simpler.  I’m using 
an sqlite database, but I’d be happy with other formats if you have a 
preference. (Stanford was doing additional checks that really needed something 
as powerful as SQL. We’re implementing the NIST recommendation strictly, and 
don’t need those other checks.)

> On Jan 28, 2020, at 2:40 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> 
> Charles Hedrick via FreeIPA-users wrote:
>> The NIST recommendations for passwords say they don’t think character 
>> classes and expiration are useful. Instead, they recommend using a blacklist 
>> of known common passwords. There’s no way to implement this policy without 
>> writing your own plugin. It would be useful for IPA’s password policy to 
>> allow you to specify a database of forbidden passwords.
>> 
>> We’ve done this using a plugin, but I’d rather not have to write C code to 
>> implement policy.
> 
> This sort of falls under the long-standing upstream issue
> https://pagure.io/freeipa/issue/5948 , the idea being that socket
> activation is used to pass off policy onto some configurable daemon
> which would return a yes/no.
> 
> Password policy is very much hardcoded in IPA for old, legacy reasons.
> 
> And I'll just throw out that patches are welcome, even if they need some
> additional work.
> 
> rob
> 
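As an added illustration of the policy discussed in this thread (this is example code, not Charles Hedrick's pwqual plugin, the Stanford code, or anything from FreeIPA), the following Python builds a small sqlite forbidden-password table and checks candidate passwords against it. The table schema, the SHA-256 digest column, the NFKC/casefold normalization, the `min_length` default of 8 and the sample password list are all assumptions made for the example; the only requirement taken from the thread is "is this password in the database of forbidden passwords, yes or no".

```python
import hashlib
import sqlite3
import unicodedata

# Constructed sample of commonly chosen passwords, standing in for a real
# blacklist of known common passwords. Not a real breach corpus.
SAMPLE_COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Welcome1"]


def normalize(password: str) -> str:
    """Canonicalize before lookup so trivial variants hit the same entry.

    NFKC folds visually identical Unicode forms together; casefold() makes
    the check case-insensitive ("Password" and "PASSWORD" both match the
    "password" entry). Both choices are assumptions of this example.
    """
    return unicodedata.normalize("NFKC", password).casefold()


def digest(password: str) -> str:
    """Store digests rather than plaintext so the database itself is not a
    ready-made wordlist if it leaks (assumed design choice, not from the thread)."""
    return hashlib.sha256(normalize(password).encode("utf-8")).hexdigest()


def build_denylist(conn: sqlite3.Connection, passwords) -> int:
    """Load a list of forbidden passwords into the 'forbidden' table.

    Returns the number of rows present afterwards. The schema (one indexed
    digest column) is an assumption for the example.
    """
    conn.execute("CREATE TABLE IF NOT EXISTS forbidden (digest TEXT PRIMARY KEY)")
    conn.executemany(
        "INSERT OR IGNORE INTO forbidden(digest) VALUES (?)",
        [(digest(p),) for p in passwords],
    )
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM forbidden").fetchone()[0]


def is_forbidden(conn: sqlite3.Connection, password: str) -> bool:
    """The yes/no answer a policy daemon would return to the KDC."""
    row = conn.execute(
        "SELECT 1 FROM forbidden WHERE digest = ?", (digest(password),)
    ).fetchone()
    return row is not None


def check_password(conn: sqlite3.Connection, password: str, min_length: int = 8):
    """Apply the two checks the thread describes as sufficient: a minimum
    length and absence from the forbidden-password database. No character
    class or expiry rules. Returns (accepted, reason)."""
    if len(password) < min_length:
        return False, "too short"
    if is_forbidden(conn, password):
        return False, "password appears on the forbidden list"
    return True, "ok"


def open_denylist(path: str = ":memory:") -> sqlite3.Connection:
    """Open (or create in memory) the sqlite database and seed it with the
    constructed sample list."""
    conn = sqlite3.connect(path)
    build_denylist(conn, SAMPLE_COMMON_PASSWORDS)
    return conn


if __name__ == "__main__":
    db = open_denylist()
    for candidate in ["password", "PASSWORD", "short", "correct horse battery staple"]:
        print(repr(candidate), check_password(db, candidate))
```

A real deployment would point `open_denylist` at a file populated from a large common-password list and call `check_password` from whatever hook sits between the KDC and the policy decision; the normalization step is worth keeping regardless, since a list keyed on exact plaintext misses the obvious capitalization variants users reach for first.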

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
