diff --git a/doc/setup.texi b/doc/setup.texi index 0aee37ef5..678db37a8 100644 --- a/doc/setup.texi +++ b/doc/setup.texi @@ -422,16 +422,18 @@ controls, add lines similar to the following to your @example [password_quality] - policies = external-check builtin:minimum-length module:policyname + policies = external-check builtin:minimum-length modulename:policyname external_program = /bin/false policy_libraries = @var{library1.so} @var{library2.so} @end example In @samp{[password_quality]policies} the module name is optional if the policy name is unique in all modules (members of -@samp{policy_libraries}). +@samp{policy_libraries}). All built-in policies can be qualified with +a module name of @samp{builtin} to unambiguously specify the built-in +policy and not a policy by the same name from a loaded module. -The built-in polices are +The built-in policies are @itemize @bullet diff --git a/lib/kadm5/kadm5_pwcheck.3 b/lib/kadm5/kadm5_pwcheck.3 index 13104102c..5174d9b92 100644 --- a/lib/kadm5/kadm5_pwcheck.3 +++ b/lib/kadm5/kadm5_pwcheck.3 @@ -77,16 +77,17 @@ library. .Pp There are two versions of the shared object API; the old version (0) is deprecated, but still supported. The new version (1) supports -multiple password quality checking modules in the same shared object. +multiple password quality checking policies in the same shared object. See below for details. .Pp -The password quality checker will run over all tests that are -configured by the user. +The password quality checker will run all policies that are +configured by the user. If any policy rejects the password, the password +will be rejected. .Pp -Module names are of the form -.Ql vendor:test-name -or, if the the test name is unique enough, just -.Ql test-name . +Policy names are of the form +.Ql module-name:policy-name +or, if the the policy name is unique enough, just +.Ql policy-name . .Sh IMPLEMENTING A PASSWORD QUALITY CHECKING SHARED OBJECT (This refers to the version 1 API only.) .Pp 
@@ -101,10 +102,16 @@ Its .Ft name and .Ft vendor -fields should be contain the obvious information and +fields should contain the obvious information. +.Ft name +must match the +.Ql module-name +portion of the policy name (the part before the colon), if the policy name +contains a colon, or the policy will not be run. .Ft version should be .Dv KADM5_PASSWD_VERSION_V1 . +.Pp .Ft funcs contains an array of .Ft "struct kadm5_pw_policy_check_func" @@ -113,8 +120,14 @@ structures that is terminated with an entry whose component is .Dv NULL . The +.Ft name +field of the array must match the +.Ql policy-name +portion of a policy name (the part after the colon, or the complete policy +name if there is no colon) specified by the user or the policy will not be +run. The .Ft func -Fields of the array elements are functions that are exported by the +fields of the array elements are functions that are exported by the module to be called to check the password. They get the following arguments: the Kerberos context, principal, password, a tuning parameter, and a pointer to a message buffer and its length. The tuning parameter
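Review bot: the doc/setup.texi hunk leaves one case undocumented. It says the module name is optional "if the policy name is unique in all modules" and adds that built-ins can be qualified with `builtin`, but does not say what happens when an unqualified name matches policies in more than one member of `policy_libraries` (or a loaded module and a built-in). A sentence after the new `builtin` paragraph stating whether such a name is rejected when the configuration is read or resolved to one of the candidates would keep an operator from enforcing a different policy than the one intended.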
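Review bot: the lib/kadm5/kadm5_pwcheck.3 hunk at @@ -77,16 rewrites the name-format sentence but carries the doubled word over from the old text: `or, if the the policy name is unique enough, just` should read `or, if the policy name is unique enough, just`. Since the line is being touched anyway, fix the typo in the same change.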
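Review bot: the hunks at @@ -101,10 and @@ -113,8 both end the new matching rules with "or the policy will not be run", which reads as a silent skip. A `name` mismatch in either the module header or the `funcs` array means a check the administrator listed in `policies` is quietly not enforced, so the text should state whether the password quality checker reports an unmatched policy name (error or log message) or ignores it; if it is ignored, say so explicitly so that a module author or operator knows to verify that every configured policy actually runs.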