28.2. How Password Policies Work in IdM
28.2.1. Supported Password Policy Attributes
Table 28.1. Password Policy Attributes
|Max lifetime||The maximum amount of time (in days) that a password is valid before a user must reset it.|| |
Max lifetime = 90
User passwords are valid only for 90 days. After that, IdM prompts users to change them.
|Min lifetime||The minimum amount of time (in hours) that must pass between two password change operations.|| |
Min lifetime = 1
After users change their passwords, they must wait at least 1 hour before changing them again.
|History size|| |
How many previous passwords are stored. A user cannot reuse a password from their password history.
History size = 0
Users can reuse any of their previous passwords.
|Character classes|| The number of different character classes the user must use in the password. The character classes are:
Using a character three or more times in a row decreases the character class by one. For example:
Character classes = 0
The default number of classes required is 0. To configure the number, run the
$ ipa pwpolicy-mod --minclasses=1See also the Important note below this table.
|Min length||The minimum number of characters in a password.|| |
Min length = 8
Users cannot use passwords shorter than 8 characters.
|Max failures||The maximum number of failed login attempts before IdM locks the user account. See also Section 22.1.3, “Unlocking User Accounts After Password Failures”.|| |
Max failures = 6
IdM locks the user account the user enters a wrong password 7 times in a row.
|Failure reset interval||The amount of time (in seconds) after which IdM resets the current number of failed login attempts.|| |
Failure reset interval = 60
If the user waits for more than 1 minute after the number of failed login attempts defined in
|Lockout duration|| The amount of time (in seconds) for which the user account is locked after the number of failed login attempts defined in || |
Lockout duration = 600
Users with locked accounts are unable to log in for 10 minutes.
28.2.2. Global and Group-specific Password Policies
- Global password policy
- Installing the initial IdM server automatically creates a global password policy with default settings.The global policy rules apply to all users without a group password policy.
- Group password policies
- Group password policies apply to all members of the corresponding user group.
28.2.3. Password Policy Priorities
- If multiple password policies are applicable to a user, the policy with the lowest priority value takes precedence. All rules defined in other policies are ignored.
- The password policy with the lowest priority value applies to all password policy attributes, even the attributes that are not defined in the policy.
Table 28.2. Example of Applying Password Policy Attributes Based on Priority
|Max lifetime||Min length|
|Policy for group A (priority 0)||60||10|
|Policy for group B (priority 1)||90||0 (no restriction)|
|User (member of group A and group B)||60||10|
ipa pwpolicy-show --user=user_namecommand shows which policy is currently in effect for a particular user.