此内容没有您所选择的语言版本。

19.3. Creating and Editing Password Policies


A password policy can be selective; it may only define certain elements. A global password policy sets defaults that are used for every user entry, unless a group policy takes priority.

Note

A global policy always exists, so there is no reason to add a global password policy.
Group-level policies override the global policies and offer specific policies that only apply to group members. Password policies are not cumulative. Either a group policy or the global policy is in effect for a user or group, but not both simultaneously.
Group-level policies do not exist by default, so they must be created manually.

Note

It is not possible to set a password policy for a non-existent group.

19.3.1. Creating Password Policies in the Web UI

  1. Click the Policy tab, and then click the Password Policies subtab.
  2. All of the policies in the UI are listed by group. The global password policy is defined by the global_policy group. Click the group link.
  3. Click the Add link at the top.
  4. In the pop-up box, select the group for which to create the password policy.
  5. Set the priority of the policy. The higher the number, the lower the priority. Conversely, the highest priority policy has the lowest number.
    Only one password policy is in effect for a user, and that is the highest priority policy.

    Note

    The priority cannot be changed in the UI once the policy is created.
  6. Click the Add and Edit button so that the policy form immediately opens.
  7. Set the policy fields. Leaving a field blank means that attribute is not added the password policy configuration.
    • Max lifetime sets the maximum amount of time, in days, that a password is valid before a user must reset it.
    • Min lifetime sets the minimum amount of time, in hours, that a password must remain in effect before a user is permitted to change it. This prevents a user from attempting to change a password back immediately to an older password or from cycling through the password history.
    • History size sets how many previous passwords are stored. A user cannot re-use a password that is still in the password history.
    • Character classes sets the number of different categories of character that must be used in the password. This does not set which classes must be used; it sets the number of different (unspecified) classes which must be used in a password. For example, a character class can be a number, special character, or capital; the complete list of categories is in Table 19.1, “Password Policy Settings”. This is part of setting the complexity requirements.
    • Min length sets how many characters must be in a password. This is part of setting the complexity requirements.

19.3.2. Creating Password Policies with the Command Line

Password policies are added with the pwpolicy-add command.
[root@server ~]# kinit admin
[root@server ~]# ipa pwpolicy-add groupName --attribute-value
Copy to Clipboard Toggle word wrap
For example:
[root@server ~]# kinit admin
[root@server ~]# ipa pwpolicy-add exampleGroup --minlife=7 --maxlife=49 --history= --priority=1 
Group: exampleGroup
Max lifetime (days): 49
Min lifetime (hours): 7
Priority: 1
Copy to Clipboard Toggle word wrap

Note

Setting an attribute to a blank value effectively removes that attribute from the password policy.

19.3.3. Editing Password Policies with the Command Line

As with most IdM entries, a password policy is edited by using a *-mod command, pwpolicy-mod, and then the policy name. However, there is one difference with editing password policies: there is a global policy which always exists. Editing a group-level password policy is slightly different than editing the global password policy.
Editing a group-level password policy follows the standard syntax of *-mod commands. It uses the pwpolicy-mod command, the name of the policy entry, and the attributes to change. For example:
[jsmith@ipaserver ~]$ ipa pwpolicy-mod exampleGroup --lockouttime=300 --history=5 --minlength=8
Copy to Clipboard Toggle word wrap
To edit the global password policy, use the pwpolicy-mod command with the attributes to change, but without specifying a password policy name. For example:
[jsmith@ipaserver ~]$ ipa pwpolicy-mod --lockouttime=300 --history=5 --minlength=8
Copy to Clipboard Toggle word wrap
返回顶部
Red Hat logoGithubredditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。 了解我们当前的更新.

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

Theme

© 2025 Red Hat