19.3. Creating and Editing Password Policies
19.3.1. Creating Password Policies in the Web UI
- Click the Policy tab, and then click the Password Policies subtab.
- All of the policies in the UI are listed by group. The global password policy is defined by the global_policy group. Click the group link.
- Click the Add link at the top.
- In the pop-up box, select the group for which to create the password policy.
- Set the priority of the policy. The higher the number, the lower the priority; conversely, the highest-priority policy has the lowest number. Only one password policy is in effect for a user, and that is the highest-priority policy.
Note: The priority cannot be changed in the UI once the policy is created.
- Click the button so that the policy form immediately opens.
- Set the policy fields. Leaving a field blank means that attribute is not added to the password policy configuration.
- Max lifetime sets the maximum amount of time, in days, that a password is valid before a user must reset it.
- Min lifetime sets the minimum amount of time, in hours, that a password must remain in effect before a user is permitted to change it. This prevents a user from attempting to change a password back immediately to an older password or from cycling through the password history.
- History size sets how many previous passwords are stored. A user cannot re-use a password that is still in the password history.
- Character classes sets the number of different categories of character that must be used in the password. This does not set which classes must be used; it sets the number of different (unspecified) classes which must be used in a password. For example, a character class can be a number, special character, or capital; the complete list of categories is in Table 19.1, “Password Policy Settings”. This is part of setting the complexity requirements.
- Min length sets how many characters must be in a password. This is part of setting the complexity requirements.
19.3.2. Creating Password Policies with the Command Line
[root@server ~]# kinit admin
[root@server ~]# ipa pwpolicy-add groupName --attribute-value

[root@server ~]# kinit admin
[root@server ~]# ipa pwpolicy-add exampleGroup --minlife=7 --maxlife=49 --history= --priority=1
  Group: exampleGroup
  Max lifetime (days): 49
  Min lifetime (hours): 7
  Priority: 1
19.3.3. Editing Password Policies with the Command Line
Password policies are edited with the pwpolicy-mod command followed by the policy name. However, there is one difference when editing password policies: a global policy always exists, and editing a group-level password policy is slightly different from editing the global password policy.
Editing a group-level password policy follows the standard syntax of the *-mod commands: it uses the pwpolicy-mod command, the name of the policy entry, and the attributes to change. For example:
[jsmith@ipaserver ~]$ ipa pwpolicy-mod exampleGroup --lockouttime=300 --history=5 --minlength=8
To edit the global password policy, use the pwpolicy-mod command with the attributes to change, but without specifying a password policy name. For example:
[jsmith@ipaserver ~]$ ipa pwpolicy-mod --lockouttime=300 --history=5 --minlength=8
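Once policies have been created or modified, their settings can be audited against a baseline. The following is an added example, not code from the IPA documentation or project: it parses records in the record layout shown above (the sample text is constructed; the `Lockout duration` field corresponds to `--lockouttime`), resolves which single policy applies to a user according to the priority rule in 19.3.1, and flags settings that are absent or fall below an assumed threshold.

```python
import re

# Constructed sample in the record layout shown in this section; not real output.
SAMPLE = """\
  Group: global_policy
  Max lifetime (days): 90
  History size: 0
  Min length: 8
  Lockout duration: 600

  Group: exampleGroup
  Max lifetime (days): 49
  History size: 5
  Min length: 8
  Lockout duration: 300
  Priority: 1

  Group: contractors
  Max lifetime (days): 365
  Min length: 6
  Priority: 10
"""

# Output label -> attribute; a field left blank at creation is simply absent.
LABELS = {"Group": "group", "Max lifetime (days)": "maxlife", "History size": "history",
          "Min length": "minlength", "Lockout duration": "lockouttime", "Priority": "priority"}

def parse_policies(text):
    """One dict per policy record; records are separated by a blank line."""
    policies = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            label, _, value = line.strip().partition(": ")
            if label in LABELS:
                rec[LABELS[label]] = value if label == "Group" else int(value)
        policies.append(rec)
    return policies

def effective_policy(policies, user_groups):
    """Only one policy applies to a user: the matching group policy with the
    lowest priority number; the global policy applies when no group matches."""
    matches = [p for p in policies if p["group"] in user_groups and "priority" in p]
    if matches:
        return min(matches, key=lambda p: p["priority"])
    return next(p for p in policies if p["group"] == "global_policy")

def weak_settings(policy):
    """Attributes missing from the policy or failing a threshold (thresholds are
    this example's assumptions, not IPA defaults)."""
    weak_if = {"minlength": lambda v: v < 8, "history": lambda v: v < 5,
               "lockouttime": lambda v: v == 0, "maxlife": lambda v: v > 180}
    return sorted(k for k, bad in weak_if.items() if k not in policy or bad(policy[k]))
```

Feed real output from `ipa pwpolicy-find --all` to `parse_policies` to audit an actual deployment; a group policy that omits a field inherits nothing from the global policy for that attribute, which is why missing fields are reported.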