Developers Documentation



301 error for file:

User Tools

Site Tools

Password Policies

There is a need to enforce password policies for end users. Policies include:

  • Enforcing a minimum password length
  • Enforcing capitals, numbers or non-alphanumeric characters in a password
  • Setting account expiration dates
  • etc.

Password policies are not only required as a matter of good security practice, but also for regulatory compliance.


Bring on the complexity! There are three distinct password policy engines on a ClearOS system:

  • Samba
  • LDAP
  • Linux shadow / PAM system

LDAP password policy objects in ClearOS In an ideal world, these policies would look like a single policy engine to the end user, administrator and software developer (via the software API). For example, if too many login failures were made from a Windows desktop, this could be configured to trigger a Samba account lockout. Some administrators may also want to extend this account lockout to other services (e.g. LDAP services, and Linux shadow services).

The adjacent screenshot shows the proposed location for OpenLDAP password policy objects in LDAP. A single default object (as shown) can be configured for all users. Alternatively, group or individual user policy objects can be added to LDAP.


So now that we have made the decision to unify the password policies, how are we going to do it? The first thing to look at are the capabilities and limitations of the three systems. The following table is a summary and it includes the LDAP attributes used by the password policy engines.

Last password changepwdChangedTimesambaPwdLastSetshadowLastChange
Minimum password age (no password changes allowed until…)pwdMinAgesambaMinPwdAgeshadowMin
Maximum password age (password can only be used for…)pwdMaxAgesambaMaxPwdAgeshadowMax
Password quality checkpwdCheckModulecheck password scriptPAM cracklib
Minimum password lengthpwdMinLengthsambaMinPwdLengthPAM cracklib minlen
Password change requiredpwdMustChangesambaLogonToChgPwd
Password historypwdHistorysambaPasswordHistory
Password history countpwdInHistorysambaPwdHistoryLength
Bad password lockout flagpwdLockoutsambaAcctFlags ?
Bad password lockout timepwdLockoutDurationsambaLockoutDuration
Bad password lockout attempts thresholdpwdMaxFailuresambaLockoutThreshold
Bad password lockout attempts cache timepwdFailureCountIntervalsambaLockoutObservationWindow
Bad password lockout timepwdAccountLockedTime?
Bad password timestamps/countpwdFailureTimesambaBadPasswordCount
Allow user password changespwdAllowUserChange?
Require both old and new password to changepwdSafeModify?
Password expire date sambaPwdMustChange
Account expire date shadowExpire

There are a few more attributes that should be mentioned and are noted here for completeness. These are features will not be included in the global ClearOS Password Policy Engine but may be included in an application's individual settings (for example, setting the logon hours for a Windows user/system).


pwdGraceUseTimeList of timestamps of logins made after the password has expired. These “grace logins” will not be implemented (pwdGraceAuthnLimit disabled).
pwdGraceAuthnLimitThe number of times an expired password may be used. These “grace logins” will be disabled.
pwdResetForces a user to reset their password if an administrator has changed user password.
pwdCheckQualityChecks password syntax.


shadowInactiveDays after password expires that account is disabled. In ClearOS, an account will be disabled as soon as a password expires.
shadowWarningAccount expiration warning time.


sambaPwdCanChangeTimestamp of when the user is allowed to update the password.
sambaLogonTimeTimestamp of last logon.
sambaLogoffTimeTimestamp of last logoff.
sambaKickoffTimeTimestamp of when the user will be logged off automatically.
sambaForceLogoffDisconnect Users outside logon hours.
sambaLogonHoursLogon hours.
sambaRefuseMachinePwdChangeRefuse machine password change.

Password Quality

What you may have noticed in the LDAP attributes is that password quality checks are not explicitly defined. For example:

  • Enforcing non-alphanumeric
  • Enforcing mixed case
  • Dictionary matches
  • etc.

This needs to be defined and then implemented with:

  • A script/binary for Samba
  • A loadable module in OpenLDAP
  • Creating a pam module or tweaking the pam_cracklib options


content/en_us/dev_apps_password_policies.txt · Last modified: 2015/09/17 15:01 (external edit)