From 3441bbb98eceef088034083de3298772151c3800 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 14 Jan 2010 17:40:16 -0800 Subject: [PATCH] Clarify documentation of password quality check modules Be clearer in the info documentation that the part of the policy name before the colon is the name of the module, not the static string "module". State explicitly that "builtin" can be used as the module name to identify built-in policies. Use the same terminology in kadm5_pwcheck(3) as the info documentation, changing test-name to policy-name and vendor to module-name. State explicitly how the module name and policy name are used to select which policies to run. Rephrase a few sentences, add a paragraph break, and fix a few typos for clarity. Signed-off-by: Love Hornquist Astrand --- doc/setup.texi | 8 +++++--- lib/kadm5/kadm5_pwcheck.3 | 31 ++++++++++++++++++++++--------- 2 files changed, 27 insertions(+), 12 deletions(-) diff --git a/doc/setup.texi b/doc/setup.texi index 0aee37ef5..678db37a8 100644 --- a/doc/setup.texi +++ b/doc/setup.texi @@ -422,16 +422,18 @@ controls, add lines similar to the following to your @example [password_quality] - policies = external-check builtin:minimum-length module:policyname + policies = external-check builtin:minimum-length modulename:policyname external_program = /bin/false policy_libraries = @var{library1.so} @var{library2.so} @end example In @samp{[password_quality]policies} the module name is optional if the policy name is unique in all modules (members of -@samp{policy_libraries}). +@samp{policy_libraries}). All built-in policies can be qualified with +a module name of @samp{builtin} to unambiguously specify the built-in +policy and not a policy by the same name from a loaded module. -The built-in polices are +The built-in policies are @itemize @bullet diff --git a/lib/kadm5/kadm5_pwcheck.3 b/lib/kadm5/kadm5_pwcheck.3 index 13104102c..5174d9b92 100644 --- a/lib/kadm5/kadm5_pwcheck.3 +++ b/lib/kadm5/kadm5_pwcheck.3 @@ -77,16 +77,17 @@ library. .Pp There are two versions of the shared object API; the old version (0) is deprecated, but still supported. The new version (1) supports -multiple password quality checking modules in the same shared object. +multiple password quality checking policies in the same shared object. See below for details. .Pp -The password quality checker will run over all tests that are -configured by the user. +The password quality checker will run all policies that are +configured by the user. If any policy rejects the password, the password +will be rejected. .Pp -Module names are of the form -.Ql vendor:test-name -or, if the the test name is unique enough, just -.Ql test-name . +Policy names are of the form +.Ql module-name:policy-name +or, if the the policy name is unique enough, just +.Ql policy-name . .Sh IMPLEMENTING A PASSWORD QUALITY CHECKING SHARED OBJECT (This refers to the version 1 API only.) .Pp @@ -101,10 +102,16 @@ Its .Ft name and .Ft vendor -fields should be contain the obvious information and +fields should contain the obvious information. +.Ft name +must match the +.Ql module-name +portion of the policy name (the part before the colon), if the policy name +contains a colon, or the policy will not be run. .Ft version should be .Dv KADM5_PASSWD_VERSION_V1 . +.Pp .Ft funcs contains an array of .Ft "struct kadm5_pw_policy_check_func" @@ -113,8 +120,14 @@ structures that is terminated with an entry whose component is .Dv NULL . The +.Ft name +field of the array must match the +.Ql policy-name +portion of a policy name (the part after the colon, or the complete policy +name if there is no colon) specified by the user or the policy will not be +run. The .Ft func -Fields of the array elements are functions that are exported by the +fields of the array elements are functions that are exported by the module to be called to check the password. They get the following arguments: the Kerberos context, principal, password, a tuning parameter, and a pointer to a message buffer and its length. The tuning parameter -- 2.11.4.GIT