Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

19.3. Creating and Editing Password Policies

A password policy can be selective; it may only define certain elements. A global password policy sets defaults that are used for every user entry, unless a group policy takes priority.


A global policy always exists, so there is no reason to add a global password policy.
Group-level policies override the global policies and offer specific policies that only apply to group members. Password policies are not cumulative. Either a group policy or the global policy is in effect for a user or group, but not both simultaneously.
Group-level policies do not exist by default, so they must be created manually.


It is not possible to set a password policy for a non-existent group.

19.3.1. Creating Password Policies in the Web UI

  1. Click the Policy tab, and then click the Password Policies subtab.
  2. All of the policies in the UI are listed by group. The global password policy is defined by the global_policy group. Click the group link.
  3. Click the Add link at the top.
  4. In the pop-up box, select the group for which to create the password policy.
  5. Set the priority of the policy. The higher the number, the lower the priority. Conversely, the highest priority policy has the lowest number.
    Only one password policy is in effect for a user, and that is the highest priority policy.


    The priority cannot be changed in the UI once the policy is created.
  6. Click the Add and Edit button so that the policy form immediately opens.
  7. Set the policy fields. Leaving a field blank means that attribute is not added the password policy configuration.
    • Max lifetime sets the maximum amount of time, in days, that a password is valid before a user must reset it.
    • Min lifetime sets the minimum amount of time, in hours, that a password must remain in effect before a user is permitted to change it. This prevents a user from attempting to change a password back immediately to an older password or from cycling through the password history.
    • History size sets how many previous passwords are stored. A user cannot re-use a password that is still in the password history.
    • Character classes sets the number of different categories of character that must be used in the password. This does not set which classes must be used; it sets the number of different (unspecified) classes which must be used in a password. For example, a character class can be a number, special character, or capital; the complete list of categories is in Table 19.1, “Password Policy Settings”. This is part of setting the complexity requirements.
    • Min length sets how many characters must be in a password. This is part of setting the complexity requirements.

19.3.2. Creating Password Policies with the Command Line

Password policies are added with the pwpolicy-add command.
[root@server ~]# kinit admin
[root@server ~]# ipa pwpolicy-add groupName --attribute-value
For example:
[root@server ~]# kinit admin
[root@server ~]# ipa pwpolicy-add exampleGroup --minlife=7 --maxlife=49 --history= --priority=1 
Group: exampleGroup
Max lifetime (days): 49
Min lifetime (hours): 7
Priority: 1


Setting an attribute to a blank value effectively removes that attribute from the password policy.

19.3.3. Editing Password Policies with the Command Line

As with most IdM entries, a password policy is edited by using a *-mod command, pwpolicy-mod, and then the policy name. However, there is one difference with editing password policies: there is a global policy which always exists. Editing a group-level password policy is slightly different than editing the global password policy.
Editing a group-level password policy follows the standard syntax of *-mod commands. It uses the pwpolicy-mod command, the name of the policy entry, and the attributes to change. For example:
[jsmith@ipaserver ~]$ ipa pwpolicy-mod exampleGroup --lockouttime=300 --history=5 --minlength=8
To edit the global password policy, use the pwpolicy-mod command with the attributes to change, but without specifying a password policy name. For example:
[jsmith@ipaserver ~]$ ipa pwpolicy-mod --lockouttime=300 --history=5 --minlength=8