11.3. Editing the Global Password Policy

A password policy can be selective; it may only define certain elements. A global password policy sets defaults that are used for every user entry, unless a group policy takes priority.

A global policy always exists, so there is no reason to add a global password policy.

11.3.1. With the UI

Click the Policy tab, and then click the Password Policies subtab.
All of the policies in the UI are listed by group. The global password policy is defined by the global_policy group. Click the group link.
The group policy is displayed.
Change the policy fields. Leaving a field blank removes that attribute from the password policy configuration.
- Max lifetime sets the maximum amount of time, in days, that a password is valid before a user must reset it.
- Min lifetime sets the minimum amount of time, in hours, that a password must remain in effect before a user is permitted to change it. This prevents a user from attempting to change a password back immediately to an older password or from cycling through the password history.
- History size sets how many previous passwords are stored. A user cannot re-use a password that is still in the password history.
- Character classes sets the different categories of character that must be used in the password. For example, a character class can be a number, special character, or capital; the complete list of categories is in Table 11.1, “Password Policy Settings”. This is part of setting the complexity requirements.
- Min length sets how many characters must be in a password. This is part of setting the complexity requirements.

11.3.2. With the Command Line

To edit the global password policy, use the pwpolicy-mod command with the attributes to change:

ipa pwpolicy-mod --attribute=value

For example:

ipa pwpolicy-mod --lockouttime=300 --history=5 --minlength=8