How the Password Policy Plug-in Works

When a user wants to add or modify a password, customized password value checking takes place as follows:

1. The client sends the directory server either an ldapadd or ldapmodify request.

2. Before the directory server makes the addition or modification, it passes the password value to the plug-in.

3. The plug-in
   1. Parses the entry

   2. Captures the userpassword attribute value in clear text

   3. Implements whatever password value checking you have specified

4. If the password meets the specification, then the plug-in notifies the directory server accordingly, and the directory server makes the addition or modification. Otherwise, the plug-in sends one of the following error messages to the directory server, which, in turn, passes it to the client.

   ldap_add: UnKnown Error Encountered 
   ldap_add: additional info: PASSWORD POLICY VIOLATION:0000X, less than 8 
   chars 
   
   ldap_add: UnKnown Error Encountered 
   ldap_add: additional info: PASSWORD POLICY VIOLATION:0000X, contains 
   dictionary word 
   
   

   The same logic applies to the PRE ldapmodify plug-in.

The various kinds of value checks that the password policy plug-in can perform are:

• Minimum and maximum number of alphabetic characters

• Maximum number of numeric characters

• Minimum and maximum number of punctuation characters

• Maximum number of consecutive characters

• Maximum number of instances of any character