6.6. Applying additional password policy options to an IdM group

Procedure

1. Apply the user name check to all new passwords suggested by the users in the managers group:

   $ ipa pwpolicy-mod --usercheck=True managers

   注意

   If you do not specify the name of the password policy, the default global_policy is modified.

2. Set the maximum number of identical consecutive characters to 2 in the managers password policy:

   $ ipa pwpolicy-mod --maxrepeat=2 managers

   A password now will not be accepted if it contains more than 2 identical consecutive characters. For example, the eR873mUi111YJQ combination is unacceptable because it contains three 1s in succession.

Verification

1. Add a test user named test_user:

   $ ipa user-add test_user
   First name: test
   Last name: user
   ----------------------------
   Added user "test_user"
   ----------------------------

2. Add the test user to the managers group:

   1. In the IdM Web UI, click Identity Groups User Groups.
   2. Click managers.
   3. Click Add.
   4. In the Add users into user group 'managers' page, check test_user.
   5. Click the > arrow to move the user to the Prospective column.
   6. Click Add.

3. Reset the password for the test user:

   1. Go to Identity Users.
   2. Click test_user.
   3. In the Actions menu, click Reset Password.
   4. Enter a temporary password for the user.

4. On the command line, try to obtain a Kerberos ticket-granting ticket (TGT) for the test_user:

   $ kinit test_user

   1. Enter the temporary password.

   2. The system informs you that you must change your password. Enter a password that contains the user name of test_user:

      Password expired. You must change it now.
      Enter new password:
      Enter it again:
      Password change rejected: Password not changed.
      Unspecified password quality failure while trying to change password.
      Please try again.

      注意

      Kerberos does not have fine-grained error password policy reporting and, in certain cases, does not provide a clear reason why a password was rejected.

   3. The system informs you that the entered password was rejected. Enter a password that contains three or more identical characters in succession:

      Password change rejected: Password not changed.
      Unspecified password quality failure while trying to change password.
      Please try again.
      
      Enter new password:
      Enter it again:

   4. The system informs you that the entered password was rejected. Enter a password that meets the criteria of the managers password policy:

      Password change rejected: Password not changed.
      Unspecified password quality failure while trying to change password.
      Please try again.
      
      Enter new password:
      Enter it again:

5. View the obtained TGT:

   $ klist
   Ticket cache: KCM:0:33945
   Default principal: test_user@IDM.EXAMPLE.COM
   
   Valid starting       Expires              Service principal
   07/07/2021 12:44:44  07/08/2021 12:44:44  krbtgt@IDM.EXAMPLE.COM@IDM.EXAMPLE.COM