Add ppolicy-check-password library for ldap on Debian

This change added ppolicy-check-password package from https://github.com/cedric-dufour/ppolicy-check-password This package contains check_password.so that is used by ldap to enforce password complexity for ldap users. Test Plan for Debian: PASS: package build, image build PASS: system bootstrap, controller unlock PASS: after controller unlock, login by "admin" user on console, and su to "admin" on ssh session. PASS: failure path with incompliant passwords for ldap user password change (eg, change password when first login) Story: 2009101 Task: 44864 Signed-off-by: Andy Ning <andy.ning@windriver.com> Change-Id: If5a1e5c6784c7354c0a4903e1d1c4abb21d8a01f
2022-03-25 17:15:06 -04:00 · 2022-03-25 17:15:06 -04:00 · 8b59e0c8bc
parent 9d03b61a58
commit 8b59e0c8bc
4 changed files with 157 additions and 0 deletions
--- a/ldap/openldap/debian/deb_patches/0002-Support-building-ppolicy-check-password-library.patch
+++ b/ldap/openldap/debian/deb_patches/0002-Support-building-ppolicy-check-password-library.patch
@ -0,0 +1,119 @@
+From d1891425d25aaa0a6aeb31e74be95dc8d2c3f90a Mon Sep 17 00:00:00 2001
+From: Andy Ning <andy.ning@windriver.com>
+Date: Thu, 17 Mar 2022 15:22:48 -0400
+Subject: [PATCH] Support building ppolicy-check-password library
+
+The patch added support to build ppolicy-check-password library
+from:
+https://github.com/cedric-dufour/ppolicy-check-password/tree/debian-stretch
+commit: 02b9deeece428cbdae7970dfc5258a34e143cc28
+
+Signed-off-by: Andy Ning <andy.ning@windriver.com>
+Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
+---
+ debian/control                              | 16 +++++++++++++++-
+ debian/rules                                | 11 +++++++++--
+ debian/slapd-ppolicy-check-password.dirs    |  2 ++
+ debian/slapd-ppolicy-check-password.install |  2 ++
+ 4 files changed, 28 insertions(+), 3 deletions(-)
+ create mode 100644 debian/slapd-ppolicy-check-password.dirs
+ create mode 100644 debian/slapd-ppolicy-check-password.install
+
+diff --git a/debian/control b/debian/control
+index 7cad4d4..580f1a9 100644
+--- a/debian/control
+++ b/debian/control
+@@ -10,6 +10,7 @@ Build-Depends: debhelper (>= 10),
+                groff-base,
+                heimdal-multidev (>= 7.4.0.dfsg.1-1~) <!pkg.openldap.noslapd>,
+                libargon2-dev <!pkg.openldap.noslapd>,
+               libcrack2-dev <!pkg.openldap.noslapd>,
+                libdb5.3-dev <!pkg.openldap.noslapd>,
+                libgnutls28-dev,
+                libltdl-dev <!pkg.openldap.noslapd>,
+@@ -19,7 +20,8 @@ Build-Depends: debhelper (>= 10),
+                nettle-dev <!pkg.openldap.noslapd>,
+                perl:any,
+                po-debconf,
+-               unixodbc-dev <!pkg.openldap.noslapd>
+               unixodbc-dev <!pkg.openldap.noslapd>,
+               unzip
+ Build-Conflicts: libbind-dev, bind-dev, autoconf2.13
+ Standards-Version: 4.5.0
+ Homepage: https://www.openldap.org/
+@@ -67,6 +69,18 @@ Description: transitional package for slapd-contrib
+  This is a transitional package from slapd-smbk5pwd to slapd-contrib. It can be
+  safely removed.
+ 
+Package: slapd-ppolicy-check-password
+Section: net
+Priority: extra
+Architecture: any
+Build-Profiles: <!pkg.openldap.noslapd>
+Depends: slapd, ${shlibs:Depends}, ${misc:Depends}
+Suggests: cracklib-runtime
+Description: PPolicy password (strength) checker module
+  Extends the PPolicy module with password strength checks. Enable with:
+   pwdCheckModule: check_password.so
+   pwdCheckQuality: 2
+
+ Package: ldap-utils
+ Architecture: any
+ Depends: ${shlibs:Depends}, libldap-2.4-2 (= ${binary:Version}), ${misc:Depends}
+diff --git a/debian/rules b/debian/rules
+index 5b8b75f..ef38c2f 100755
+--- a/debian/rules
+++ b/debian/rules
+@@ -119,9 +119,14 @@ override_dh_auto_configure:
+ 	dh_auto_configure -- $(CONFIG)
+ 
+ override_dh_auto_build:
+	unzip ppolicy-check-password-debian-stretch.zip
+	sed -i 's#check_password: clean check_password.o#check_password: check_password.o#g' ppolicy-check-password-debian-stretch/Makefile
+	mv ppolicy-check-password-debian-stretch contrib/slapd-modules/ppolicy-check-password
+	cp -f check_password.conf contrib/slapd-modules/ppolicy-check-password
+
+ 	dh_auto_build -- $(MAKEVARS)
+ ifeq ($(filter pkg.openldap.noslapd,$(DEB_BUILD_PROFILES)),)
+-	for mod in $(CONTRIB_MODULES); do \
+	for mod in $(CONTRIB_MODULES) ppolicy-check-password; do \
+ 		dh_auto_build -Dcontrib/slapd-modules/$$mod -Bcontrib/slapd-modules/$$mod -- $(CONTRIB_MAKEVARS) || exit $$?; \
+ 	done
+ endif
+@@ -136,7 +141,7 @@ endif
+ override_dh_auto_install:
+ 	dh_auto_install -- $(MAKEVARS)
+ ifeq ($(filter pkg.openldap.noslapd,$(DEB_BUILD_PROFILES)),)
+-	for mod in $(CONTRIB_MODULES); do \
+	for mod in $(CONTRIB_MODULES) ppolicy-check-password; do \
+ 		dh_auto_install -Dcontrib/slapd-modules/$$mod -Bcontrib/slapd-modules/$$mod -- $(CONTRIB_MAKEVARS) || exit $$?; \
+ 	done
+ 
+@@ -165,6 +170,8 @@ endif
+ 	find $(installdir)/usr/share/man -name \*.8 \
+ 		| xargs perl -pi -e 's#(\.TH \w+ 8)C#$$1#'
+ 
+	cp -f check_password.conf $(installdir)/etc/ldap
+
+ override_dh_installinit:
+ 	dh_installinit -- "defaults 19 80"
+ 
+diff --git a/debian/slapd-ppolicy-check-password.dirs b/debian/slapd-ppolicy-check-password.dirs
+new file mode 100644
+index 0000000..3d793ea
+--- /dev/null
+++ b/debian/slapd-ppolicy-check-password.dirs
+@@ -0,0 +1,2 @@
+etc/ldap
+usr/lib/ldap
+diff --git a/debian/slapd-ppolicy-check-password.install b/debian/slapd-ppolicy-check-password.install
+new file mode 100644
+index 0000000..3e6278a
+--- /dev/null
+++ b/debian/slapd-ppolicy-check-password.install
+@@ -0,0 +1,2 @@
+contrib/slapd-modules/ppolicy-check-password/check_password.conf etc/ldap
+usr/lib/ldap/check_password.so*
+-- 
+2.25.1
+
--- a/ldap/openldap/debian/deb_patches/series
+++ b/ldap/openldap/debian/deb_patches/series
@ -1,2 +1,3 @@
 debian-disable-unit-tests.patch
 0001-Change-pid-file-and-args-file-location.patch
+0002-Support-building-ppolicy-check-password-library.patch
--- a/ldap/openldap/debian/files/check_password.conf
+++ b/ldap/openldap/debian/files/check_password.conf
@ -0,0 +1,31 @@
+## PPolicy password check module congifuration
+
+# Minimum number of quality points a new password must have to be accepted.
+# One quality point is awarded for each character class used in the password.
+#min_points 3
+min_points 4
+
+# Maximum number of characters that can appear consecutively from a given
+# character class (0 = disable).
+#max_consecutive_per_class 0
+
+# Minimum lower characters expected.
+#min_lower 0
+min_lower 1
+
+# Minimum upper characters expected.
+#min_upper 0
+min_upper 1
+
+# Minimum digit characters expected.
+#min_digit 0
+min_digit 1
+
+# Minimum punctuation characters expected.
+#min_punct 0
+min_punct 1
+
+# Set it to 1 to enable cracklib verification.
+#use_cracklib 0
+use_cracklib 1
+
--- a/ldap/openldap/debian/meta_data.yaml
+++ b/ldap/openldap/debian/meta_data.yaml
@ -5,6 +5,12 @@ dl_path:
  url: https://salsa.debian.org/openldap-team/openldap/-/archive/2.4.57+dfsg-3/openldap-2.4.57+dfsg-3.tar.gz
  md5sum: 85c7de35e79b8fe45b5d6aabba2b9a3d
  sha256sum: be60a9e51d8be36e1ccfb64db55d9d2ebe280137368fc5abdcdfd86042e053c2
+dl_files:
+  ppolicy-check-password-debian-stretch.zip:
+    topdir: null
+    url: https://github.com/cedric-dufour/ppolicy-check-password/archive/refs/heads/debian-stretch.zip
+    md5sum: 3d9c40e10568255d1db1271cc5f5e203
+    sha256sum: 5a6e0222e948cb3cbafef769ecbbea718d2f724f9c34b8dfb0a2266735a451c9
 revision:
  dist: $STX_DIST
  PKG_GITREVCOUNT: