Red Hat Training

A Red Hat training course is available for Red Hat Linux

28.2. How Password Policies Work in IdM

All users must have a password that they use to authenticate to the Identity Management (IdM) Kerberos domain. Password policies in IdM define the requirements these user passwords must meet.

Note

The IdM password policy is set in the underlying LDAP directory, but is also enforced by the Kerberos Key Distribution Center (KDC).

28.2.1. Supported Password Policy Attributes

Table 28.1, “Password Policy Attributes” lists the attributes that password policies in IdM can define.

Table 28.1. Password Policy Attributes

Attribute Explanation Example
Max lifetime The maximum amount of time (in days) that a password is valid before a user must reset it.
Max lifetime = 90
User passwords are valid only for 90 days. After that, IdM prompts users to change them.
Min lifetime The minimum amount of time (in hours) that must pass between two password change operations.
Min lifetime = 1
After users change their passwords, they must wait at least 1 hour before changing them again.
History size
How many previous passwords are stored. A user cannot reuse a password from their password history.
History size = 0
Users can reuse any of their previous passwords.
Character classes The number of different character classes the user must use in the password. The character classes are:
  • Uppercase characters
  • Lowercase characters
  • Digits
  • Special characters, such as comma (,), period (.), asterisk (*)
  • Other UTF-8 characters
Using a character three or more times in a row decreases the character class by one. For example:
  • Secret1 has 3 character classes: uppercase, lowercase, digits
  • Secret111 has 2 character classes: uppercase, lowercase, digits, and a -1 penalty for using 1 repeatedly
Character classes = 0
The default number of classes required is 0. To configure the number, run the ipa pwpolicy-mod command with the --minclasses option. This command sets the required number of character classes to 1:
$ ipa pwpolicy-mod --minclasses=1
See also the Important note below this table.
Min length The minimum number of characters in a password.
Min length = 8
Users cannot use passwords shorter than 8 characters.
Max failures The maximum number of failed login attempts before IdM locks the user account. See also Section 22.1.3, “Unlocking User Accounts After Password Failures”.
Max failures = 6
IdM locks the user account the user enters a wrong password 7 times in a row.
Failure reset interval The amount of time (in seconds) after which IdM resets the current number of failed login attempts.
Failure reset interval = 60
If the user waits for more than 1 minute after the number of failed login attempts defined in Max failures, the user can attempt to log in again without risking a user account lock.
Lockout duration The amount of time (in seconds) for which the user account is locked after the number of failed login attempts defined in Max failures. See also Section 22.1.3, “Unlocking User Accounts After Password Failures”.
Lockout duration = 600
Users with locked accounts are unable to log in for 10 minutes.

Important

Use the English alphabet and common symbols for the character classes requirement if you have a diverse set of hardware that may not have access to international characters and symbols. For more information on character class policies in passwords, see What characters are valid in a password? in Red Hat Knowledgebase.

28.2.2. Global and Group-specific Password Policies

The default password policy is the global password policy. Apart from the global policy, you can create additional group password policies.
Global password policy
Installing the initial IdM server automatically creates a global password policy with default settings.
The global policy rules apply to all users without a group password policy.
Group password policies
Group password policies apply to all members of the corresponding user group.
Only one password policy can be in effect at a time for any user. If a user has multiple password policies assigned, one of them takes precedence based on priority. See Section 28.2.3, “Password Policy Priorities”.

28.2.3. Password Policy Priorities

Every group password policy has a priority set. The lower the value, the higher the policy's priority. The lowest supported priority value is 0.
  • If multiple password policies are applicable to a user, the policy with the lowest priority value takes precedence. All rules defined in other policies are ignored.
  • The password policy with the lowest priority value applies to all password policy attributes, even the attributes that are not defined in the policy.
The global password policy does not have a priority value set. It serves as a fallback policy when no group policy is set for a user. The global policy can never take precedence over a group policy.
Table 28.2, “Example of Applying Password Policy Attributes Based on Priority” demonstrates how password policy priorities work on an example of a user who belongs to two groups with a policy defined.

Table 28.2. Example of Applying Password Policy Attributes Based on Priority

Max lifetime Min length
Policy for group A (priority 0) 60 10
Policy for group B (priority 1) 90 0 (no restriction)
User (member of group A and group B) 60 10

Note

The ipa pwpolicy-show --user=user_name command shows which policy is currently in effect for a particular user.