28.2. How Password Policies Work in IdM
All users must have a password that they use to authenticate to the Identity Management (IdM) Kerberos domain. Password policies in IdM define the requirements these user passwords must meet.
The IdM password policy is set in the underlying LDAP directory, but is also enforced by the Kerberos Key Distribution Center (KDC).
28.2.1. Supported Password Policy Attributes
Table 28.1, “Password Policy Attributes” lists the attributes that password policies in IdM can define.
Table 28.1. Password Policy Attributes
|Max lifetime||The maximum amount of time (in days) that a password is valid before a user must reset it.|| |
Max lifetime = 90
User passwords are valid only for 90 days. After that, IdM prompts users to change them.
|Min lifetime||The minimum amount of time (in hours) that must pass between two password change operations.|| |
Min lifetime = 1
After users change their passwords, they must wait at least 1 hour before changing them again.
|History size|| |
How many previous passwords are stored. A user cannot reuse a password from their password history.
History size = 0
Users can reuse any of their previous passwords.
|Character classes|| The number of different character classes the user must use in the password. The character classes are:
Using a character three or more times in a row decreases the character class by one. For example:
Character classes = 0
The default number of classes required is 0. To configure the number, run the ipa pwpolicy-mod command with the
$ ipa pwpolicy-mod --minclasses=1See also the Important note below this table.
|Min length||The minimum number of characters in a password.|| |
Min length = 8
Users cannot use passwords shorter than 8 characters.
|Max failures||The maximum number of failed login attempts before IdM locks the user account. See also Section 22.1.3, “Unlocking User Accounts After Password Failures”.|| |
Max failures = 6
IdM locks the user account the user enters a wrong password 7 times in a row.
|Failure reset interval||The amount of time (in seconds) after which IdM resets the current number of failed login attempts.|| |
Failure reset interval = 60
If the user waits for more than 1 minute after the number of failed login attempts defined in
|Lockout duration|| The amount of time (in seconds) for which the user account is locked after the number of failed login attempts defined in || |
Lockout duration = 600
Users with locked accounts are unable to log in for 10 minutes.
Use the English alphabet and common symbols for the character classes requirement if you have a diverse set of hardware that may not have access to international characters and symbols. For more information on character class policies in passwords, see What characters are valid in a password? in Red Hat Knowledgebase.
28.2.2. Global and Group-specific Password Policies
The default password policy is the global password policy. Apart from the global policy, you can create additional group password policies.
- Global password policy
- Installing the initial IdM server automatically creates a global password policy with default settings.The global policy rules apply to all users without a group password policy.
- Group password policies
- Group password policies apply to all members of the corresponding user group.
Only one password policy can be in effect at a time for any user. If a user has multiple password policies assigned, one of them takes precedence based on priority. See Section 28.2.3, “Password Policy Priorities”.
28.2.3. Password Policy Priorities
Every group password policy has a priority set. The lower the value, the higher the policy's priority. The lowest supported priority value is
- If multiple password policies are applicable to a user, the policy with the lowest priority value takes precedence. All rules defined in other policies are ignored.
- The password policy with the lowest priority value applies to all password policy attributes, even the attributes that are not defined in the policy.
The global password policy does not have a priority value set. It serves as a fallback policy when no group policy is set for a user. The global policy can never take precedence over a group policy.
Table 28.2, “Example of Applying Password Policy Attributes Based on Priority” demonstrates how password policy priorities work on an example of a user who belongs to two groups with a policy defined.
Table 28.2. Example of Applying Password Policy Attributes Based on Priority
|Max lifetime||Min length|
|Policy for group A (priority 0)||60||10|
|Policy for group B (priority 1)||90||0 (no restriction)|
|User (member of group A and group B)||60||10|
The ipa pwpolicy-show --user=user_name command shows which policy is currently in effect for a particular user.