19.3. Creating and Editing Password Policies
A password policy can be selective; it may only define certain elements. A global password policy sets defaults that are used for every user entry, unless a group policy takes priority.
A global policy always exists, so there is no reason to add a global password policy.
Group-level policies override the global policies and offer specific policies that only apply to group members. Password policies are not cumulative. Either a group policy or the global policy is in effect for a user or group, but not both simultaneously.
Group-level policies do not exist by default, so they must be created manually.
It is not possible to set a password policy for a non-existent group.
19.3.1. Creating Password Policies in the Web UI
- Click the Policy tab, and then click the Password Policies subtab.
- All of the policies in the UI are listed by group. The global password policy is defined by the global_policy group. Click the group link.
- Click the Add link at the top.
- In the pop-up box, select the group for which to create the password policy.
- Set the priority of the policy. The higher the number, the lower the priority; conversely, the highest-priority policy has the lowest number. Only one password policy is in effect for a user, and that is the highest-priority policy among the groups the user belongs to.
Note: The priority cannot be changed in the UI once the policy is created.
- Click the Add and Edit button so that the policy form immediately opens.
- Set the policy fields. Leaving a field blank means that attribute is not added to the password policy configuration, so it is not enforced for members of that group.
- Max lifetime sets the maximum amount of time, in days, that a password is valid before a user must reset it.
- Min lifetime sets the minimum amount of time, in hours, that a password must remain in effect before a user is permitted to change it. This prevents a user from attempting to change a password back immediately to an older password or from cycling through the password history.
- History size sets how many previous passwords are stored. A user cannot re-use a password that is still in the password history.
- Character classes sets the number of different categories of character that must be used in the password. This does not set which classes must be used; it sets the number of different (unspecified) classes which must be used in a password. For example, a character class can be a number, special character, or capital; the complete list of categories is in Table 19.1, “Password Policy Settings”. This is part of setting the complexity requirements.
- Min length sets how many characters must be in a password. This is part of setting the complexity requirements.
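The following Python model is an added illustration, not IdM or FreeIPA code. It shows the two rules the section describes: policy selection (group policies are not cumulative; the matching group policy with the lowest priority number wins, otherwise the global policy applies) and what the attributes above mean for a password change, with an unset attribute enforced not at all. The character-class categories are an assumption, since Table 19.1 is not reproduced here, and the password history is modelled as a list of SHA-256 digests rather than IdM's real storage.

```python
"""Model of IdM password-policy precedence and attribute checks (illustration only)."""
import hashlib
import string
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class PwPolicy:
    name: str                        # group name, or "global_policy"
    priority: Optional[int] = None   # lower number = higher priority; None for the global policy
    minlength: Optional[int] = None  # Min length (characters)
    minclasses: Optional[int] = None  # Character classes required
    history: Optional[int] = None    # History size (previous passwords remembered)
    maxlife: Optional[int] = None    # Max lifetime (days)
    minlife: Optional[int] = None    # Min lifetime (hours)


# Constructed sample policies: the global policy plus the exampleGroup policy from the
# CLI example (minlife=7, maxlife=49, history left blank, priority=1) and a stricter one.
GLOBAL = PwPolicy("global_policy", minlength=8, minclasses=0, history=0, maxlife=90, minlife=1)
POLICIES = [
    GLOBAL,
    PwPolicy("exampleGroup", priority=1, minlife=7, maxlife=49),
    PwPolicy("admins", priority=5, minlength=14, minclasses=3, history=5, maxlife=30, minlife=1),
]


def effective_policy(user_groups: Set[str], policies: List[PwPolicy]) -> PwPolicy:
    """Exactly one policy applies: the matching group policy with the lowest priority
    number, or the global policy when the user is in no group that has one."""
    candidates = [p for p in policies if p.name != "global_policy" and p.name in user_groups]
    if not candidates:
        return next(p for p in policies if p.name == "global_policy")
    return min(candidates, key=lambda p: p.priority)


def pw_digest(password: str) -> str:
    """History entries are stored as digests here (assumption, not IdM's real storage)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def char_classes(password: str) -> int:
    """Count distinct character categories; the category list is an assumption."""
    classes = set()
    for c in password:
        if c.isupper():
            classes.add("upper")
        elif c.islower():
            classes.add("lower")
        elif c.isdigit():
            classes.add("digit")
        elif c in string.punctuation:
            classes.add("special")
        else:
            classes.add("other")
    return len(classes)


def check_password(policy: PwPolicy, new_pw: str, history_digests: List[str],
                   hours_since_last_change: float) -> List[str]:
    """Return the violations of `policy`; an attribute that is None is simply not enforced,
    which is what a blank field (or --attr= on the command line) produces."""
    problems = []
    if policy.minlength is not None and len(new_pw) < policy.minlength:
        problems.append(f"shorter than minlength={policy.minlength}")
    if policy.minclasses is not None and char_classes(new_pw) < policy.minclasses:
        problems.append(f"fewer than minclasses={policy.minclasses} character classes")
    if policy.history and pw_digest(new_pw) in history_digests[-policy.history:]:
        problems.append(f"reused a password within history={policy.history}")
    if policy.minlife is not None and hours_since_last_change < policy.minlife:
        problems.append(f"changed again within minlife={policy.minlife} hours")
    return problems


if __name__ == "__main__":
    for groups in ({"exampleGroup", "admins"}, {"admins"}, {"ipausers"}):
        print(sorted(groups), "->", effective_policy(groups, POLICIES).name)
    # A member of exampleGroup has no minimum length at all: policies are not cumulative.
    print(check_password(effective_policy({"exampleGroup"}, POLICIES), "short", [], 24))
```

Running the block shows the practical consequence of the non-cumulative rule: a member of exampleGroup, whose policy sets only lifetimes, is not subject to the global minimum length, so a group policy should set every attribute that matters rather than relying on the global defaults.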
19.3.2. Creating Password Policies with the Command Line
Password policies are added with the pwpolicy-add command, which takes the name of the group and the attribute values to set:
    [root@server ~]# kinit admin
    [root@server ~]# ipa pwpolicy-add groupName --attribute-value
For example:
    [root@server ~]# kinit admin
    [root@server ~]# ipa pwpolicy-add exampleGroup --minlife=7 --maxlife=49 --history= --priority=1
    Group: exampleGroup
    Max lifetime (days): 49
    Min lifetime (hours): 7
    Priority: 1
Setting an attribute to a blank value, as with --history= above, effectively removes that attribute from the password policy, so it is not enforced for members of that group.
19.3.3. Editing Password Policies with the Command Line
As with most IdM entries, a password policy is edited by using a *-mod command, pwpolicy-mod, followed by the policy name. However, there is one difference with editing password policies: there is a global policy which always exists. Editing a group-level password policy is slightly different than editing the global password policy.
Editing a group-level password policy follows the standard syntax of *-mod commands. It uses the pwpolicy-mod command, the name of the policy entry, and the attributes to change. For example:
    [jsmith@ipaserver ~]$ ipa pwpolicy-mod exampleGroup --lockouttime=300 --history=5 --minlength=8
To edit the global password policy, use the pwpolicy-mod command with the attributes to change, but without specifying a password policy name. For example:
    [jsmith@ipaserver ~]$ ipa pwpolicy-mod --lockouttime=300 --history=5 --minlength=8