@@ -158,6 +158,108 @@ resource = icingaweb-mysql
158158Please read [ this chapter] ( 20-Advanced-Topics.md#advanced-topics-authentication-tips-manual-user-database-auth )
159159in order to manually create users directly inside the database.
160160
161+ ### Password Policy <a id =" authentication-password-policy " ></a >
162+
163+ Icinga Web supports password policies when using database authentication.
164+ You can configure this under ** Configuration > Application > General** .
165+
166+ By default, no password policy is enforced (` Any ` ).
167+ Icinga Web provides a built-in policy called ` Common ` with the following requirements:
168+
169+ * Minimum length of 12 characters
170+ * At least one number
171+ * At least one special character
172+ * At least one uppercase letter
173+ * At least one lowercase letter
174+
175+ #### Custom Password Policy <a id =" authentication-custom-password-policy " ></a >
176+
177+ You can create custom password policies by developing a module with a provided hook.
178+
179+ ** Create Module Structure**
180+
181+ ``` bash
182+ mkdir -p /usr/share/icingaweb2/modules/mypasswordpolicy/library/Mypasswordpolicy/ProvidedHook
183+ cd /usr/share/icingaweb2/modules/mypasswordpolicy
184+ ```
185+
186+ Create ` module.info ` :
187+
188+ ``` ini
189+ Module: mypasswordpolicy
190+ Name: My Password Policy
191+ Version: 1.0.0
192+ Description: Custom password policy implementation
193+ ```
194+
195+ ** Implement the Hook**
196+
197+ Icinga Web provides the ` PasswordPolicyHook ` with predefined methods
198+ that simplify the extension of custom password policies.
199+
200+ Create ` library/Mypasswordpolicy/ProvidedHook/PasswordPolicy.php ` :
201+
202+ ``` php
203+ <?php
204+
205+ namespace Icinga\Module\Mypasswordpolicy\ProvidedHook;
206+
207+ use Icinga\Application\Hook\PasswordPolicyHook;
208+
209+ class PasswordPolicy extends PasswordPolicyHook
210+ {
211+
212+ public function getName(): string
213+ {
214+ return 'My Custom Policy';
215+ }
216+
217+ public function getDescription(): string
218+ {
219+ return 'Custom password requirements: 8+ chars, 1 number';
220+ }
221+
222+ public function validate(string $newPassword, ?string $oldPassword = null): array;
223+ {
224+ $violations = [];
225+
226+ if (strlen($newPassword) < 8) {
227+ $violations[] = 'Password must be at least 8 characters';
228+ }
229+
230+ if (! preg_match('/[0-9]/', $newPassword)) {
231+ $violations[] = 'Password must contain at least one number';
232+ }
233+
234+ if ($oldPassword !== null && hash_equals($oldPassword, $newPassword)) {
235+ $violations[] = 'New password must be different from the old password';
236+ }
237+
238+ return $violations;
239+ }
240+ }
241+ ?>
242+ ```
243+
244+ ** Register the Hook**
245+
246+ Create ` run.php ` :
247+
248+ ``` php
249+ <?php
250+
251+ use Icinga\Module\Mypasswordpolicy\ProvidedHook\MyPasswordPolicy;
252+ Mypasswordpolicy::register();
253+ ?>
254+ ```
255+
256+
257+ Enable the module:
258+ ``` shell
259+ icingacli module enable mypasswordpolicy
260+ ```
261+
262+ The custom policy will now appear in ** Configuration > Application > General** under Password Policy.
161263
162264## Groups <a id =" authentication-configuration-groups " ></a >
163265
0 commit comments