credit or minclass does not work well with pam_cracklib.so in common-password (openSUSE 11.3)
Posted by Mario on Server Fault
Published on 2012-06-21T08:42:31Z
        
I'm trying to implement password complexity on my PDC. It's a Samba PDC with an OpenLDAP backend. I tried cracklib-check, but it looks like I should have a decent, localized version of the password library, since the libraries out there usually come in English. I also have another consideration: we will allow users to use any kind of password, even if it's dictionary based, as long as their passwords combine lowercase/uppercase letters, digits, and other characters such as '$' or '_' (pam_cracklib.so calls them classes).
So here is my /etc/pam.d/common-password:
#password    requisite    pam_pwcheck.so nullok cracklib
password     requisite    pam_cracklib.so minclass=4 reject_username
##password    requisite    pam_cracklib.so \
##    dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 reject_username
password     optional     pam_gnome_keyring.so    use_autht_ok
password     required     pam_unix2.so    use_authtok nullok
The first commented line (with #) was the default configuration of openSUSE 11.3. The 2nd/3rd lines (with leading ##) are another configuration I use when the minclass=4 line is commented out. By the way, I have
'check password script' = /usr/local/sbin/crackcheck -d /usr/share/cracklib/pw_dict 
and
passdb backend = ldapsam:ldap://127.0.0.1
parameters in smb.conf and cracklib-check works fine too.
So here is the test I conducted. I log on to Windows and then change my password. Sometimes it works fine, in that it throws an error message, which is what I wanted, but a simple password with only lowercase letters can pass the Windows password change. Maybe I should make a new library which incorporates local vocabularies, but a guy out there (raise your hand please if you read this :) ) also experienced the same trouble with English words. Besides, what we really want is to let users choose a password using 2 or 3 of the 4 classes. Is there a bug or something with the PAM module in openSUSE 11.3? Thank you in advance.
Regards, Mario
© Server Fault or respective owner
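
An added example, not part of the original post: a sketch of the class rules that the two pam_cracklib lines in the question express (minclass=N, and negative dcredit/ucredit/lcredit/ocredit as per-class minimums), written so it can read a password on stdin the way a Samba 'check password script' does. The function names and the default of 3 classes are assumptions; dictionary, minlen and difok checks are not modelled.

```python
#!/usr/bin/env python3
# Added example: models only the class rules of pam_cracklib (minclass and
# negative *credit values). Dictionary, minlen and difok checks are not modelled.
import string
import sys

CLASSES = {
    "digit": string.digits,
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
}


def class_counts(password):
    """Count characters per class; anything not listed above is 'other'."""
    counts = {"digit": 0, "upper": 0, "lower": 0, "other": 0}
    for ch in password:
        name = next((n for n, chars in CLASSES.items() if ch in chars), "other")
        counts[name] += 1
    return counts


def violations(password, minclass=0, dcredit=0, ucredit=0, lcredit=0, ocredit=0):
    """Return the failed class rules; an empty list means the password passes."""
    counts = class_counts(password)
    failed = []
    used = sum(1 for n in counts.values() if n > 0)
    if used < minclass:
        failed.append("minclass: %d of %d classes" % (used, minclass))
    credits = {"digit": dcredit, "upper": ucredit, "lower": lcredit, "other": ocredit}
    for name, credit in credits.items():
        # A negative credit is a required minimum count for that class.
        if credit < 0 and counts[name] < -credit:
            failed.append("%s: need at least %d" % (name, -credit))
    return failed


def main(argv):
    # Assumed usage as a Samba 'check password script': the candidate password
    # arrives on stdin and exit status 0 means "accept".
    minclass = int(argv[1]) if len(argv) > 1 else 3  # assumed default
    failed = violations(sys.stdin.readline().rstrip("\r\n"), minclass=minclass)
    for reason in failed:
        sys.stderr.write(reason + "\n")
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running the same candidate through `violations()` with each set of options shows which rule rejects it, independent of whether the PAM password stack or the Samba script is the path actually taken for a Windows-initiated change.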