suggesting samba filter as well. #443

Open
PGTBoos opened this issue Nov 17, 2020 · 2 comments

PGTBoos commented Nov 17, 2020

Based upon https://www.mylinuxplace.com/tag/password-compexity/ I edited the example.
It's a Perl filter for Samba password renewal (not for Windows domains).
So it can use the same self-service-password rules: upper, lower, number, special and forbidden chars.
Fuzzy matching not included (as I wasn't running the latest version of ssp).
Maybe it's something to add to this site/repo.
So the rules work on both sides and can be the same, direct client password change and website password change.

```perl
#!/usr/bin/perl -w
# This script checks password complexity.
$min_length=11;
$min_upercase=1;
$min_lowercase=1;
$min_digits=1;
$min_specialchar=1;

# minimum number of character categories (a-z, A-Z, 0-9, special chars) a password must contain
$min_charactercategories=3;

$specialchars='!,@,#,$,%,^,&,*,(,),-,_,+,=';
$forbiddenchars = '*,(,),&,|,%';

# get the password from standard input (possible to pipe)
$str_pass=<STDIN>;
# treat empty input as an empty password and strip the trailing newline,
# so the length is counted correctly whether or not the caller sends one
$str_pass='' unless defined $str_pass;
chomp($str_pass);

# now start checking and update the counters if we find something,
# but first set all counters to zero
$ctr_length=0;
$ctr_upercase=0;
$ctr_lowercase=0;
$ctr_digits=0;
$ctr_specialcar=0;
$ctr_forbidden=0;

$cat_lower  = 0;
$cat_upper  = 0;
$cat_number = 0;
$cat_special =0;

# convert the string to an array
@array_pass = split('',$str_pass);
# convert the special characters into an array
@arrayspecialchars = split(',',$specialchars);
# convert the forbidden characters into an array
@arrayforbiddenchars = split(',',$forbiddenchars);

foreach $pass_char (@array_pass)
{
	$ctr_length++;
	# check uppercase
	if($pass_char =~ /[A-Z]/)
	{
		$ctr_upercase++;
		$cat_upper=1;
	}
	# check lowercase
	elsif($pass_char =~ /[a-z]/)
	{
		$ctr_lowercase++;
		$cat_lower=1;
	}
	# check digits
	elsif($pass_char =~ /[0-9]/)
	{
		$ctr_digits++;
		$cat_number=1;
	}
	else
	{
		# check special characters (\Q...\E matches the character literally)
		foreach $schar (@arrayspecialchars)
		{
			if($pass_char =~ /\Q$schar\E/)
			{
				$ctr_specialcar++;
				$cat_special=1;
			}
		}
		# check forbidden characters
		foreach $schar (@arrayforbiddenchars)
		{
			if($pass_char =~ /\Q$schar\E/)
			{
				$ctr_forbidden++;
			}
		}
	}
}

# check if we reached minimal length
if($ctr_length<$min_length)
{
	print "too short , minimum $min_length and got $ctr_length \n";
	exit 1 ;
}
# check if we reached minimal upper case
if($ctr_upercase<$min_upercase)
{
	print "not enough upercase , minimum $min_upercase and got $ctr_upercase \n";
	exit 2;
}
# check if we reached minimal lower case
if($ctr_lowercase<$min_lowercase)
{
	print "not enough lowercase , minimum $min_lowercase and got $ctr_lowercase \n";
	exit 3;
}
# check if we reached minimal digits
if($ctr_digits<$min_digits)
{
	print "not enough digits , minimum $min_digits and got $ctr_digits \n";
	exit 3;
}
# check if we reached minimal special characters
if($ctr_specialcar<$min_specialchar)
{
	print "not enough special characters , minimum $min_specialchar and got $ctr_specialcar \n";
	exit 4;
}


# Added by peterboos to have the same password policy on Samba as on the SSP websites.
# SSP has some protection against symbols that could be used in php injection attacks,
# which might not be the best (all scripts on any site should be safe against that).
if($ctr_forbidden>0)
{
	print "its not allowed to use these letters $forbiddenchars in the password";
	exit 5 ;
}

# Added by Peter Boos to be the same as SSP site.
if ( ($cat_lower+$cat_upper+$cat_number+$cat_special)<$min_charactercategories)
{
	print "Password is not  complex enough, there are lower / upper case number and special characters available to you";
	exit 6;
}

# if you got up to here, you passed all checks,
# so we can now return a non-error exit status
exit 0;
```

@coudot coudot added this to the 1.4 milestone Nov 17, 2020

coudot commented Nov 17, 2020

Thanks, I'll see how to include it

coudot commented Mar 29, 2021

I wonder if the best solution would not be to call the new web service /rest/v1/checkpassword.php

@coudot coudot modified the milestones: 1.4, 2.0 Mar 29, 2021
@coudot coudot modified the milestones: 2.0, 1.6.0 May 12, 2023
@coudot coudot removed this from the 1.6.0 milestone Aug 18, 2023