Product SiteDocumentation Site

Chapter 12. Policy: Defining Password Policies

12.1. About Password Policies and Policy Attributes
12.2. Viewing Password Policies
12.2.1. Viewing the Global Password Policy
12.2.2. Viewing Group-Level Password Policies
12.2.3. Viewing the Password Policy in Effect for a User
12.3. Creating and Editing Password Policies
12.3.1. Creating Password Policies in the Web UI
12.3.2. Creating Password Policies with the Command Line
12.3.3. Editing Password Policies with the Command Line
12.4. Managing Password Expiration Limits
12.5. Changing the Priority of Group Password Policies
12.6. Setting Account Lockout Policies
12.6.1. In the UI
12.6.2. In the CLI
12.7. Enabling a Password Change Dialog
All users must have a password which they use to authenticate to the Kerberos domain. FreeIPA defines and enforces rules about password complexity, password histories, and account lockouts in order to maintain security.


FreeIPA, by default, does not expose passwords to clients, even hashed passwords, for system security.

12.1. About Password Policies and Policy Attributes

A password policy sets certain standards for passwords, such as the password complexity and the rules for changing passwords. A password policy minimizes the inherent risk of using passwords by ensuring that they meet adequate complexity standards to thwart brute force attacks and they are changed frequently enough to mitigate the risk of someone revealing or discovering a password.
There are three main configuration areas that are defined within the password policy:
  • Strength or complexity requirements
  • History
  • Account lockout
The FreeIPA password policy is enforced jointly by the KDC and the LDAP server. While the password policy is set in the LDAP directory and is based on 389 Directory Server password policy attributes, the policy is ultimately constrained by the KDC password policy framework. The KDC policy is less flexible than the 389 Directory Server policy framework, so the FreeIPA password policy can only implement password policy elements supported in the KDC. Any other policy settings made within the 389 Directory Server are not visible or enforced in FreeIPA.
Password policies are assigned either globally or to groups in FreeIPA, not to individual users. The password policy is assigned a weight, so that if a user belongs to multiple groups with different password policies, the policy with the highest priority will take precedence.
The different policy attributes that can be set are listed in Table 12.1, “Password Policy Settings”.
Table 12.1. Password Policy Settings
Configuration Property Command-Line Option Description
Options for both the UI and CLI
Minimum Password Lifetime --minlife Sets the minimum period of time, in hours, that a user's password must be in effect before the user can change it. This can prevent a user from changing a password and then immediately changing it to the original value. The default value is one hour.
Maximum Password Lifetime --maxlife Sets the maximum period of time, in days, that a user's password can be in effect before it must be changed. The default value is 90 days.
Minimum Number of Character Classes --minclasses Sets the minimum number of different classes, or types, of character that must exist in a password before it is considered valid. For example, setting this value to 3 requires that any password must have characters from at least three categories in order to be approved. The default value is zero (0), meaning there are no required classes.
There are six character classes:
  • Upper-case characters
  • Lower-case characters
  • Digits
  • Special characters (for example, punctuation)
  • 8-bit characters (characters whose decimal code starts at 128 or below)
  • Number of repeated characters
    This weights in the opposite direction, so that if you have too many repeated characters you will not meet the quorum to satisfy the "level" expressed by krbPwdMinDiffChars.
Minimum Length of Password --minlength Sets the minimum number of characters for a password. The default value is eight characters.
Password History --history Sets the number of previous passwords that are stored and which a user is prevented from using. For example, if this is set to ten, FreeIPA prevents a user from reusing any of their previous ten passwords. The default value is zero (0), which disables password history.


Even with the password history set to zero, users cannot reuse a current password.
Options for the CLI only
Priority --priority Sets the priority which determines which policy is in effect. The lower the number, the higher priority.
Although this priority is required when the policy is first created in the UI, it cannot be reset in the UI. It can only be reset using the CLI.
Maximum Consecutive Failures --maxfail Specifies the maximum number of consecutive failures to input the correct password before the user's account is locked.
Fail Interval --failinterval Specifies the period (in seconds) after which the failure count will be reset.
Lockout Time --lockouttime Specifies the period (in seconds) for which a lockout is enforced.