19.2. Viewing Password Policies

There can be multiple password policies configured in IdM. There is always a global policy, which is set when the server is created. Additional policies can be created for groups in IdM.
The UI lists all of the group password policies and the global policy on the Password Policies page.
Using the CLI, both global and group-level password policies can be viewed using the pwpolicy-show command. The CLI can also display the password policy in effect for a user.

19.2.1. Viewing the Global Password Policy

The global password policy is created as part of the initial IdM server setup. This policy applies to every user until a group-level password policy supersedes it.
The default settings for the global password policy are listed in Table 19.2, “Default Global Password Policy”.

Table 19.2. Default Global Password Policy

Attribute Value
Max lifetime 90 (days)
Min lifetime 1 (hour)
History size 0 (unset)
Character classes 0 (unset)
Min length 8
Max failures 6
Failure reset interval 60
Lockout duration 600

19.2.1.1. With the Web UI

  1. Click the Policy tab, and then click the Password Policies subtab.
  2. All of the policies in the UI are listed by group. The global password policy is defined by the global_policy group. Click the group link.
  3. The global policy is displayed.

19.2.1.2. With the Command Line

To view the global policy, simply run the pwpolicy-show command with no arguments:
[root@server ~]# kinit admin
[root@server ~]# ipa pwpolicy-show 

  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600

19.2.2. Viewing Group-Level Password Policies

19.2.2.1. With the Web UI

  1. Click the Policy tab, and then click the Password Policies subtab.
  2. All of the policies in the UI are listed by group. Click the name of the group which is assigned the policy.
  3. The group policy is displayed.

19.2.2.2. With the Command Line

For a group-level password policy, specify the group name with the command:
[root@server ~]# kinit admin
[root@server ~]# ipa pwpolicy-show ipausers 
Group: ipausers 
Max lifetime (days): 120 
Min lifetime (hours): 10 
Min length: 10 
Priority: 50

19.2.3. Viewing the Password Policy in Effect for a User

A user may belong to multiple groups, each with their own separate password policies. These policies are not additive. Only one policy is in effect at a time and it applies to all password policy attributes. To see which policy is in effect for a specific user, the pwpolicy-show command can be run for a specific user. The results also show which group policy is in effect for that user.
[root@server ~]# kinit admin
[root@server ~]# ipa pwpolicy-show --user=jsmith
  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600