Product SiteDocumentation Site

11.2. Viewing Password Policies

There can be multiple password policies configured in IPA. There is always a global policy, which is created with the server. Additional policies can be created for groups in IPA.
The UI lists all of the group password policies and the global policy on the Password Policies page.
Using the CLI, both global and group-level password policies can be viewed using the pwpolicy-show command. The CLI can also display the password policy in effect for a user.

11.2.1. Viewing the Global Password Policy

The global password policy is created with the server. This applies to every user until a group-level password policy supersedes it.
The default settings for the global password policy are listed in Table 11.2, “Default Global Password Policy”.
Table 11.2. Default Global Password Policy
Attribute Value
Max lifetime 90
Max lifetime 90 (days)
Min lifetime 1 (hour)
History size 0 (unset)
Character classes 0 (unset)
Min length 8
Max failures 6
Failure reset interval 60
Lockout duration 600

11.2.1.1. With the Web UI

  1. Click the Policy tab, and then click the Password Policies subtab.
  2. All of the policies in the UI are listed by group. The global password policy is defined by the global_policy group. Click the group link.
  3. The global policy is displayed.

11.2.1.2. With the Command Line

To view the global policy, simply run the pwpolicy-show command with no arguments: 
$ ipa pwpolicy-show 

  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600

11.2.2. Viewing Group-Level Password Policies

11.2.2.1. With the Web UI

  1. Click the Policy tab, and then click the Password Policies subtab.
  2. All of the policies in the UI are listed by group. Click the name of the group which is assigned the policy.
  3. The group policy is displayed.

11.2.2.2. With the Command Line

For a group-level password policy, specify the group name with the command: 
$ ipa pwpolicy-show examplegroup

  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 1
  History size: 3
  Character classes: 4
  Min length: 8
  Max failures: 3
  Failure reset interval: 15
  Lockout duration: 150

11.2.3. Viewing the Password Policy in Effect for a User

A user may belong to multiple groups, each with their own separate password policies. These policies are not additive. Only one policy is in effect at a time and it applies to all password policy attributes. To see which policy is in effect for a specific user, the pwpolicy-show command can be run for a specific user. The results also show which group policy is in effect for that user. 
$ ipa pwpolicy-show --user=jsmith

  Group: admins
  Max lifetime (days): 90
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600