Add and configure ppcheck.so module

Build install and configure the password checker plugin. It checks that the password contains at least - one digit, - one uppercase letter, - one lowercase letter.
NethServer · Oct 12, 2023 · b09cd9b · b09cd9b
1 parent aa41b13
commit b09cd9b
Show file tree

Hide file tree

Showing 9 changed files with 101 additions and 14 deletions.
diff --git a/build-images.sh b/build-images.sh
@@ -61,7 +61,27 @@ apk add --no-cache \
     openldap-passwd-sha2 \
     openldap-clients
 EOF
-
+buildah commit "${container}" server-builder
+builder=$(buildah from --volume=$PWD/ppcheck:/usr/src/ppcheck:z --network=host server-builder)
+buildah run "${builder}" sh <<'EOF'
+set -e
+apk add --no-cache build-base openldap-dev
+cd /usr/src/ppcheck
+pkgver=$(slapd -VV 2>&1 | awk '{print $4; exit;}')
+if [ ! -f openldap-${pkgver}.tgz ] ; then
+    wget -S https://www.openldap.org/software/download/OpenLDAP/openldap-release/openldap-${pkgver}.tgz
+    tar xfz openldap-${pkgver}.tgz
+    ln -v -s openldap-${pkgver} openldap
+    ( cd openldap ; ./configure ; cd include ; make ldap_config.h ; )
+fi
+make
+make install
+EOF
+# Copy the ppcheck.so (shared library) from the temporary builder to the
+# working container:
+buildah add --from ${builder} ${container} \
+    /usr/lib/openldap/ppcheck.so /usr/lib/openldap/ppcheck.so
+buildah rm ${builder}
 buildah add "${container}" server/ /
 buildah config \
     --user=ldap:ldap \

diff --git a/imageroot/actions/get-password-policy/50get_password_policy b/imageroot/actions/get-password-policy/50get_password_policy
@@ -47,8 +47,8 @@ for line in ldapsearch_proc.stdout.split("\n"):
         ppolicy["strength"]["password_min_length"] = int(lval)
     elif lattr == "pwdInHistory":
         ppolicy["strength"]["history_length"] = int(lval)
-    elif lattr == "pwdCheckQuality":
-        ppolicy["strength"]["complexity_check"] = int(lval) == 2
+    elif lattr == "pwdUseCheckModule":
+        ppolicy["strength"]["complexity_check"] = lval == 'TRUE'
 
 if ppolicy["strength"]["complexity_check"] is True or \
     ppolicy["strength"]["history_length"] > 0 or \

diff --git a/imageroot/actions/get-password-policy/validate-output.json b/imageroot/actions/get-password-policy/validate-output.json
@@ -27,7 +27,9 @@
         "expiration": {
             "type": "object",
             "required": [
-                "enforced"
+                "enforced",
+                "max_age",
+                "min_age"
             ],
             "properties": {
                 "enforced": {
@@ -44,7 +46,10 @@
         "strength": {
             "type": "object",
             "required": [
-                "enforced"
+                "enforced",
+                "history_length",
+                "password_min_length",
+                "complexity_check"
             ],
             "properties": {
                 "enforced": {
@@ -63,4 +68,4 @@
         }
     },
     "$defs": {}
-}
+}
diff --git a/imageroot/actions/set-password-policy/50set_password_policy b/imageroot/actions/set-password-policy/50set_password_policy
@@ -24,11 +24,11 @@ else:
 if ppolicy["strength"]["enforced"] == True:
     pwd_in_history = ppolicy["strength"]["history_length"]
     pwd_min_length = ppolicy["strength"]["password_min_length"]
-    pwd_check_quality = 2 if ppolicy["strength"]["complexity_check"] == True else 0
+    pwd_use_check_module = 'TRUE' if ppolicy["strength"]["complexity_check"] == True else 'FALSE'
 else:
     pwd_in_history = 0
     pwd_min_length = 0
-    pwd_check_quality = 0
+    pwd_use_check_module = 'FALSE'
 
 ldif_modify_input = f'''dn: cn=default,ou=PPolicy,{ldap_suffix}
 changetype: modify
@@ -47,8 +47,8 @@ pwdInHistory: {pwd_in_history}
 replace: pwdMinLength
 pwdMinLength: {pwd_min_length}
 -
-replace: pwdCheckQuality
-pwdCheckQuality: {pwd_check_quality}
+replace: pwdUseCheckModule
+pwdUseCheckModule: {pwd_use_check_module}
 '''
 
 subprocess.run(["podman", "exec", "-i", "openldap", "ldapmodify"],

diff --git a/imageroot/actions/set-password-policy/validate-input.json b/imageroot/actions/set-password-policy/validate-input.json
@@ -27,7 +27,9 @@
         "expiration": {
             "type": "object",
             "required": [
-                "enforced"
+                "enforced",
+                "max_age",
+                "min_age"
             ],
             "properties": {
                 "enforced": {
@@ -44,7 +46,10 @@
         "strength": {
             "type": "object",
             "required": [
-                "enforced"
+                "enforced",
+                "history_length",
+                "password_min_length",
+                "complexity_check"
             ],
             "properties": {
                 "enforced": {
@@ -63,4 +68,4 @@
         }
     },
     "$defs": {}
-}
+}
diff --git a/ppcheck/Makefile b/ppcheck/Makefile
@@ -0,0 +1,20 @@
+#
+# Copyright (C) 2023 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+
+CC=gcc
+
+all: ppcheck.so
+
+ppcheck.o: ppcheck.c
+	$(CC) -O2 -fpic -Wall -I./openldap/include -I./openldap/servers/slapd -c ppcheck.c
+
+ppcheck.so: ppcheck.o
+	$(CC) -shared -o ppcheck.so ppcheck.o
+
+install: ppcheck.so
+	install -m 0755 ppcheck.so /usr/lib/openldap
+
+clean:
+	rm -f ppcheck.so ppcheck.o
diff --git a/ppcheck/ppcheck.c b/ppcheck/ppcheck.c
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2023 Nethesis S.r.l.
+ * SPDX-License-Identifier: GPL-3.0-or-later
+ */
+
+#include <portable.h>
+#include <slap.h>
+
+int check_password (char *pPasswd, struct berval *pErrmsg, Entry *pEntry, struct berval *pArg);
+
+int check_password (char *pPasswd, struct berval *pErrmsg, Entry *pEntry, struct berval *pArg) {
+    int match_digit = 0,
+        match_lowercase = 0,
+        match_uppercase = 0;
+
+    for (int i=0; i<strlen(pPasswd); i++) {
+        if (LDAP_RANGE(pPasswd[i], '0', '9')) {
+            match_digit = 1;
+        } else if (LDAP_RANGE(pPasswd[i], 'a', 'z')) {
+            match_lowercase = 1;
+        } else if (LDAP_RANGE(pPasswd[i], 'A', 'Z')) {
+            match_uppercase = 1;
+        }
+    }
+
+    // Password requirement: at least one char for each group
+    if(match_digit + match_lowercase + match_uppercase == 3) {
+        return(LDAP_SUCCESS);
+    }
+
+    return(LDAP_OTHER);
+}
diff --git a/server/usr/local/lib/templates/config.ldif b/server/usr/local/lib/templates/config.ldif
@@ -120,3 +120,4 @@ olcOverlay: ppolicy
 olcPPolicyDefault: cn=default,ou=PPolicy,${LDAP_SUFFIX}
 olcPPolicyHashCleartext: FALSE
 olcPPolicyUseLockout: TRUE
+olcPPolicyCheckModule: ppcheck.so
diff --git a/server/usr/local/lib/templates/mdb0.ldif b/server/usr/local/lib/templates/mdb0.ldif
@@ -26,14 +26,18 @@ ou: PPolicy
 dn: cn=default,ou=PPolicy,${LDAP_SUFFIX}
 objectClass: namedPolicy
 objectClass: pwdPolicy
+objectClass: pwdPolicyChecker
 cn: default
 pwdAttribute: userPassword
-pwdCheckQuality: 0
+pwdCheckQuality: 2
 pwdMinAge: 0
 pwdMaxAge: 0
 pwdMinLength: 8
 pwdInHistory: 5
 pwdLockout: FALSE
+pwdUseCheckModule: FALSE
+pwdCheckModuleArg: default
+pwdExpireWarning: 0
 
 dn: cn=${LDAP_SVCUSER},${LDAP_SUFFIX}
 objectClass: device