28.4. Modifying Password Policy Attributes
Important
When you modify a password policy, the new rules apply to new passwords only. The changes are not applied retroactively to existing passwords.
For the change to take effect, users must change their existing passwords, or the administrator must reset the passwords of other users. See Section 22.1.1, “Changing and Resetting User Passwords”.
Note
For recommendations on secure user passwords, see Password Security in the Security Guide.
To modify a password policy using:
- the web UI, see the section called “Web UI: Modifying a Password Policy”
- the command line, see the section called “Command Line: Modifying a Password Policy”
Note that setting a password policy attribute to
0
means no attribute restriction. For example, if you set maximum lifetime to 0
, user passwords never expire.
Web UI: Modifying a Password Policy
- Select
. - Click the policy you want to change.
- Update the required attributes. For details on the available attributes, see Section 28.2.1, “Supported Password Policy Attributes”.
- Clickto confirm the changes.
Command Line: Modifying a Password Policy
- Use the ipa pwpolicy-mod command to change the policy's attributes.
- For example, to update the global password policy and set the minimum password length to
10
:$ ipa pwpolicy-mod --minlength=10
- To update a group policy, add the group name to ipa pwpolicy-mod. For example:
$ ipa pwpolicy-mod group_name --minlength=10
- Optional. Use the ipa pwpolicy-show command to display the new policy settings.
- To display the global policy:
$ ipa pwpolicy-show
- To display a group policy, add the group name to ipa pwpolicy-show:
$ ipa pwpolicy-show group_name