ltb-project / self-service-password

Web interface to change and reset password in an LDAP directory
https://self-service-password.readthedocs.io/en/latest/
GNU General Public License v3.0
1.15k stars, 325 forks

Suggesting samba filter as well. #443

Open PGTBoos opened 3 years ago

PGTBoos commented 3 years ago

Based upon https://www.mylinuxplace.com/tag/password-compexity/ I edited the example. It's a Perl filter for Samba password renewal (not for Windows domains). So it can use the same self-service-password rules: upper, lower, number, special and forbidden chars. Fuzzy matching not included (as I wasn't running the latest version of SSP). Maybe it's something to add to this site/repo, so the rules work on both sides and can be the same: direct client password change and website password change.

#!/usr/bin/perl -w
# This script checks password complexity for Samba's "check password script".
# The candidate password arrives on standard input; exit 0 means it is accepted.
use strict;
use warnings;

my $min_length      = 11;
my $min_uppercase   = 1;
my $min_lowercase   = 1;
my $min_digits      = 1;
my $min_specialchar = 1;

# minimal number of character categories (a-z, A-Z, 0-9, special chars)
# a password must contain
my $min_charactercategories = 3;

my $specialchars   = '!,@,#,$,%,^,&,*,(,),-,_,+,=';
my $forbiddenchars = '*,(,),&,|,%';

# get the password from standard input (possible to pipe it in)
my $str_pass = <STDIN>;
$str_pass = '' unless defined $str_pass;
chomp $str_pass;    # drop the trailing newline so it is neither counted nor inspected

# set all counters to zero, then walk the password and update them
my $ctr_length     = 0;
my $ctr_uppercase  = 0;
my $ctr_lowercase  = 0;
my $ctr_digits     = 0;
my $ctr_specialcar = 0;
my $ctr_forbidden  = 0;

my $cat_lower   = 0;
my $cat_upper   = 0;
my $cat_number  = 0;
my $cat_special = 0;

# convert the string to an array of single characters
my @array_pass = split('', $str_pass);
# convert the special and forbidden character lists into arrays
my @arrayspecialchars   = split(',', $specialchars);
my @arrayforbiddenchars = split(',', $forbiddenchars);

foreach my $pass_char (@array_pass)
{
    $ctr_length++;
    # check uppercase
    if ($pass_char =~ /[A-Z]/)
    {
        $ctr_uppercase++;
        $cat_upper = 1;
    }
    # check lowercase
    elsif ($pass_char =~ /[a-z]/)
    {
        $ctr_lowercase++;
        $cat_lower = 1;
    }
    # check digits
    elsif ($pass_char =~ /[0-9]/)
    {
        $ctr_digits++;
        $cat_number = 1;
    }
    else
    {
        # check special characters; \Q...\E quotes regex metacharacters such as * ( )
        foreach my $schar (@arrayspecialchars)
        {
            if ($pass_char =~ /\Q$schar\E/)
            {
                $ctr_specialcar++;
                $cat_special = 1;
            }
        }
        # check forbidden characters
        foreach my $schar (@arrayforbiddenchars)
        {
            if ($pass_char =~ /\Q$schar\E/)
            {
                $ctr_forbidden++;
            }
        }
    }
}

# check if we reached the minimal length
if ($ctr_length < $min_length)
{
    print "too short, minimum $min_length and got $ctr_length\n";
    exit 1;
}
# check if we reached the minimal number of UPPER case characters
if ($ctr_uppercase < $min_uppercase)
{
    print "not enough uppercase, minimum $min_uppercase and got $ctr_uppercase\n";
    exit 2;
}
# check if we reached the minimal number of lower case characters
if ($ctr_lowercase < $min_lowercase)
{
    print "not enough lowercase, minimum $min_lowercase and got $ctr_lowercase\n";
    exit 3;
}
# check if we reached the minimal number of digits
if ($ctr_digits < $min_digits)
{
    print "not enough digits, minimum $min_digits and got $ctr_digits\n";
    exit 3;
}
# check if we reached the minimal number of special characters
if ($ctr_specialcar < $min_specialchar)
{
    print "not enough special characters, minimum $min_specialchar and got $ctr_specialcar\n";
    exit 4;
}

# Added by peterboos to have the same password policy on Samba as on the SSP websites.
# SSP has some protection against symbols that could be used in PHP injection attacks,
# which might not be the best approach (all scripts on any site should be safe against that).
if ($ctr_forbidden > 0)
{
    print "it is not allowed to use these characters $forbiddenchars in the password\n";
    exit 5;
}

# Added by Peter Boos to be the same as the SSP site.
if (($cat_lower + $cat_upper + $cat_number + $cat_special) < $min_charactercategories)
{
    print "Password is not complex enough; lower case, upper case, number and special characters are available to you\n";
    exit 6;
}

# if you got up to here, you passed all checks with success,
# so we can now return a non-error exit
exit 0;

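
A Python port of the filter above, added here as an example (it is not the author's Perl script and not part of self-service-password), for checking the policy against sample candidates offline before wiring a filter into Samba's check password script option. It assumes the same thresholds and character lists as the script and the same exit codes, strips the one trailing newline that stdin delivers, and shows two edge cases the Perl version has to get right: the newline must not count toward the length, and the special and forbidden lists overlap, so a symbol such as & can satisfy the special-character minimum and still be rejected. The SAMPLES table is constructed.

```python
import string
import sys

# Same thresholds and character lists as the Perl filter in this issue.
POLICY = {
    "min_length": 11,
    "min_upper": 1,
    "min_lower": 1,
    "min_digits": 1,
    "min_special": 1,
    "min_categories": 3,
    "special_chars": set("!@#$%^&*()-_+="),
    "forbidden_chars": set("*()&|%"),
}


def check_password(candidate, policy=POLICY):
    """Return (exit_code, message); exit code 0 means the candidate passes.

    The non-zero codes follow the Perl script (including its reuse of 3 for
    both the lowercase and the digit rule) so the two filters are interchangeable.
    """
    # Samba's "check password script" delivers the candidate on stdin followed
    # by a newline. Strip exactly one so it is neither counted in the length
    # nor inspected as a symbol.
    if candidate.endswith("\n"):
        candidate = candidate[:-1]

    upper = sum(c in string.ascii_uppercase for c in candidate)
    lower = sum(c in string.ascii_lowercase for c in candidate)
    digits = sum(c in string.digits for c in candidate)
    special = sum(c in policy["special_chars"] for c in candidate)
    forbidden = sum(c in policy["forbidden_chars"] for c in candidate)
    categories = sum(1 for n in (lower, upper, digits, special) if n > 0)

    if len(candidate) < policy["min_length"]:
        return 1, f"too short, minimum {policy['min_length']} and got {len(candidate)}"
    if upper < policy["min_upper"]:
        return 2, f"not enough uppercase, minimum {policy['min_upper']} and got {upper}"
    if lower < policy["min_lower"]:
        return 3, f"not enough lowercase, minimum {policy['min_lower']} and got {lower}"
    if digits < policy["min_digits"]:
        return 3, f"not enough digits, minimum {policy['min_digits']} and got {digits}"
    if special < policy["min_special"]:
        return 4, f"not enough special characters, minimum {policy['min_special']} and got {special}"
    # The two lists overlap ('%', '&', '*', '(' and ')' are in both), so a symbol
    # can satisfy the special-character minimum and still be rejected here.
    if forbidden > 0:
        return 5, "forbidden characters used: " + "".join(sorted(policy["forbidden_chars"]))
    # With min_special >= 1 this rule can only fail once min_categories is raised to 4.
    if categories < policy["min_categories"]:
        return 6, f"not complex enough, {categories} of 4 character categories used"
    return 0, "ok"


# Constructed sample candidates with the exit code each one should produce.
SAMPLES = [
    ("Summer2024!!\n", 0),    # passes; the trailing newline from stdin is ignored
    ("Summer2024!\n", 0),     # exactly 11 characters once the newline is stripped
    ("short1!", 1),
    ("correct horse 1!", 2),  # no uppercase
    ("ABCDEFGHIJ1!", 3),      # no lowercase
    ("Abcdefghijk!", 3),      # no digit (same code as the lowercase rule)
    ("Abcdefghijk1", 4),      # no special character
    ("Tr0ub4dor&3!!", 5),     # '&' counts as special but is also forbidden
]


def run_samples():
    """Return {candidate: exit_code} for every constructed sample."""
    return {pw: check_password(pw)[0] for pw, _expected in SAMPLES}


if __name__ == "__main__":
    # Same calling convention as the Perl filter: candidate on stdin, verdict as exit code.
    code, message = check_password(sys.stdin.readline())
    if code:
        print(message)
    sys.exit(code)
```

Run it the way Samba would, by piping a candidate to it and inspecting the exit status, or import it and call check_password directly; note that the forbidden-character rule is evaluated after the special-character rule, so a candidate whose only symbol is & is reported as forbidden rather than as lacking a special character.
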
coudot commented 3 years ago

Thanks, I'll see how to include it

coudot commented 3 years ago

I wonder if the best solution would not be to call the new web service /rest/v1/checkpassword.php