28.4. Modifying Password Policy Attributes

Important

When you modify a password policy, the new rules apply to new passwords only. The changes are not applied retroactively to existing passwords.
For the change to take effect, users must change their existing passwords, or the administrator must reset the passwords of other users. See Section 22.1.1, “Changing and Resetting User Passwords”.

Note

For recommendations on secure user passwords, see Password Security in the Security Guide.
To modify a password policy using:
Note that setting a password policy attribute to 0 means no attribute restriction. For example, if you set maximum lifetime to 0, user passwords never expire.

Web UI: Modifying a Password Policy

  1. Select PolicyPassword Policies.
  2. Click the policy you want to change.
  3. Update the required attributes. For details on the available attributes, see Section 28.2.1, “Supported Password Policy Attributes”.
  4. Click Save to confirm the changes.

Command Line: Modifying a Password Policy

  1. Use the ipa pwpolicy-mod command to change the policy's attributes.
    1. For example, to update the global password policy and set the minimum password length to 10:
      $ ipa pwpolicy-mod --minlength=10
    2. To update a group policy, add the group name to ipa pwpolicy-mod. For example:
      $ ipa pwpolicy-mod group_name --minlength=10
  2. Optional. Use the ipa pwpolicy-show command to display the new policy settings.
    1. To display the global policy:
      $ ipa pwpolicy-show
    2. To display a group policy, add the group name to ipa pwpolicy-show:
      $ ipa pwpolicy-show group_name