19.2. Viewing Password Policies
There can be multiple password policies configured in IdM. There is always a global policy, which is set when the server is created. Additional policies can be created for groups in IdM.
The UI lists all of the group password policies and the global policy on the Password Policies page.
Using the CLI, both global and group-level password policies can be viewed using the
pwpolicy-show
command. The CLI can also display the password policy in effect for a user.
19.2.1. Viewing the Global Password Policy
The global password policy is created as part of the initial IdM server setup. This policy applies to every user until a group-level password policy supersedes it.
The default settings for the global password policy are listed in Table 19.2, “Default Global Password Policy”.
Attribute | Value |
---|---|
Max lifetime | 90 (days) |
Min lifetime | 1 (hour) |
History size | 0 (unset) |
Character classes | 0 (unset) |
Min length | 8 |
Max failures | 6 |
Failure reset interval | 60 |
Lockout duration | 600 |
19.2.1.1. With the Web UI
- Click the Policy tab, and then click the Password Policies subtab.
- All of the policies in the UI are listed by group. The global password policy is defined by the global_policy group. Click the group link.
- The global policy is displayed.
19.2.1.2. With the Command Line
To view the global policy, simply run the
pwpolicy-show
command with no arguments:
[root@server ~]# kinit admin [root@server ~]# ipa pwpolicy-show Group: global_policy Max lifetime (days): 90 Min lifetime (hours): 1 History size: 0 Character classes: 0 Min length: 8 Max failures: 6 Failure reset interval: 60 Lockout duration: 600
19.2.2. Viewing Group-Level Password Policies
19.2.2.1. With the Web UI
- Click the Policy tab, and then click the Password Policies subtab.
- All of the policies in the UI are listed by group. Click the name of the group which is assigned the policy.
- The group policy is displayed.
19.2.2.2. With the Command Line
For a group-level password policy, specify the group name with the command:
[root@server ~]# kinit admin [root@server ~]# ipa pwpolicy-show ipausers Group: ipausers Max lifetime (days): 120 Min lifetime (hours): 10 Min length: 10 Priority: 50
19.2.3. Viewing the Password Policy in Effect for a User
A user may belong to multiple groups, each with their own separate password policies. These policies are not additive. Only one policy is in effect at a time and it applies to all password policy attributes. To see which policy is in effect for a specific user, the
pwpolicy-show
command can be run for a specific user. The results also show which group policy is in effect for that user.
[root@server ~]# kinit admin [root@server ~]# ipa pwpolicy-show --user=jsmith Group: global_policy Max lifetime (days): 90 Min lifetime (hours): 1 History size: 0 Character classes: 0 Min length: 8 Max failures: 6 Failure reset interval: 60 Lockout duration: 600