[PR #1282] Password policy #1231

Open
opened 2026-02-27 09:11:25 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/lldap/lldap/pull/1282
Author: @gplubeck
Created: 9/8/2025
Status: 🔄 Open

Base: main ← Head: password-policy


📝 Commits (10+)

  • 460836f Adding Password Policy. Defined in frontend-options as well as validation function. Retrieved via /settings. Appears to work in set-password. Next more validation and adding use in front end UI.
  • f2c81dd Appears to be working on web component. Unsure about how to return violations of password policy. More testing.
  • feda394 Front end now shows password requirement when password fails. Bubbles up all requirements not hit. Also happens for set-password.
  • 69b0288 Cleaning up unused code.
  • d102a95 Update some lines to be more consistent with rest of repo.
  • e3f925b Added examples and comments to lldap_config.docker_template.toml
  • 407eb87 cargo fmt
  • f96d4de Updated struct to remove redundant error message, change a few stylistic things, pin anyhow to major version 1.
  • b54fc92 Changing to test for chars length instead of bytes. Changing style of joining error strings so there is no else.
  • d19b81f Add HTTP request timeout when getting settings.

📊 Changes

9 files changed (+243 additions, -58 deletions)

View changed files

📝 Cargo.lock (+2 -0)
📝 app/src/components/change_password.rs (+75 -53)
📝 crates/frontend-options/Cargo.toml (+3 -0)
📝 crates/frontend-options/src/lib.rs (+106 -1)
📝 lldap_config.docker_template.toml (+21 -0)
📝 server/src/configuration.rs (+4 -0)
📝 server/src/tcp_server.rs (+8 -0)
📝 set-password/Cargo.toml (+3 -0)
📝 set-password/src/main.rs (+21 -4)

📄 Description

BLUF: This PR adds the ability to set password complexity requirements via a PasswordPolicyOptions struct.

There appear to be a number of requests for volunteer organizations or small businesses (https://github.com/lldap/lldap/issues/521, https://github.com/lldap/lldap/issues/783, etc.) that want basic password complexity. This pull request would add the ability to add pseudo-complex passwords.

The struct, its default implementation, and the validation function for password have been placed in the frontend-options crate. Perhaps there is a better location for the struct definition and the validation function?

Additionally, the server configuration now loads the password policy options when started. This means password policies can change as requirements change.

set-password now queries the /settings endpoint and receives back the password policy options and enforces them unless the --bypass-password-policy is given. Moreover, the front end also queries the password policy and bubbles up all password requirement failures as seen in the screenshot.

[Screenshot: password_rejection]

Summary by CodeRabbit

  • New Features

    • Clients (web UI and CLI) fetch and apply server password policy and validate passwords before submission.
  • Bug Fixes

    • Validation now aggregates violations and displays multiline, user-friendly error messages.
    • Policy-driven checks replace prior inline/minimum-only checks.
  • Documentation

    • Docker template updated with a password_policy section and sensible defaults.
  • Chores

    • Password policy propagated end-to-end from server configuration to clients and CLI.



🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
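
The two validation behaviours named in commits feda394 and b54fc92 (report every unmet requirement, and measure length in characters rather than bytes), as an added sketch that is not code from this PR. `PolicySketch`, its field names and the message wording are hypothetical; the fields of the PR's `PasswordPolicyOptions` are not shown on this page.

```rust
// Added illustration. `PolicySketch` and its fields are hypothetical names,
// not the fields of lldap's PasswordPolicyOptions.
pub struct PolicySketch {
    pub min_length: usize,
    pub min_uppercase: usize,
    pub min_lowercase: usize,
    pub min_digits: usize,
    pub min_special: usize,
}

// Count characters (Unicode scalar values) that satisfy a predicate.
fn count(password: &str, pred: impl Fn(char) -> bool) -> usize {
    password.chars().filter(|c| pred(*c)).count()
}

/// Returns one message per unmet requirement, so a UI or CLI can show
/// all of them at once instead of stopping at the first failure.
pub fn violations(policy: &PolicySketch, password: &str) -> Vec<String> {
    let checks = [
        // chars().count(), not len(): len() is the UTF-8 byte length.
        (password.chars().count(), policy.min_length, "characters"),
        (count(password, char::is_uppercase), policy.min_uppercase, "uppercase letters"),
        (count(password, char::is_lowercase), policy.min_lowercase, "lowercase letters"),
        (count(password, |c| c.is_ascii_digit()), policy.min_digits, "digits"),
        (count(password, |c| !c.is_alphanumeric() && !c.is_whitespace()),
         policy.min_special, "special characters"),
    ];
    let mut unmet = Vec::new();
    for (have, need, what) in checks.iter() {
        if have < need {
            unmet.push(format!("needs at least {} {} (found {})", need, what, have));
        }
    }
    unmet
}

fn main() {
    let policy = PolicySketch { min_length: 10, min_uppercase: 1, min_lowercase: 1,
                                min_digits: 1, min_special: 1 };
    // Constructed sample: 9 characters but 11 UTF-8 bytes.
    let candidate = "Pässwörd1";
    println!("bytes={} chars={}", candidate.len(), candidate.chars().count());
    println!("{}", violations(&policy, candidate).join("\n"));
}
```

A byte-length check would accept the constructed sample against a 10-character minimum; the character count rejects it.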

Reference
starred/lldap-lldap#1231