Bug 488904

Summary: Document how to set different password policies for different (non-overlapping) groups of users
Product: [Retired] freeIPA
Reporter: David O'Brien <daobrien>
Component: Documentation
Assignee: David O'Brien <daobrien>
Status: CLOSED DUPLICATE
QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium
Priority: medium
Version: 2.0
CC: benl, dpal, jgalipea, rcritten
Target Milestone: v2 release
Keywords: Documentation
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
: 646213
Last Closed: 2011-01-13 08:50:05 UTC
Bug Blocks: 431020, 431022, 489811, 646213, 646217

Description David O'Brien 2009-03-06 05:24:40 UTC
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 David O'Brien 2009-03-08 21:55:25 UTC
Version set to 1.1 by mistake. Resetting to 2.0.

Comment 2 David O'Brien 2010-02-01 04:29:03 UTC
Need info on how to do this. Emailed the list for help.

Comment 3 Dmitri Pal 2010-02-01 15:09:27 UTC
Rob please provide additional info.

Comment 4 Rob Crittenden 2010-02-01 15:56:45 UTC
The ipa-pwpolicy plugin handles both global and per-group password policy.

To show the global policy: ipa pwpolicy-show

To add a new policy for a specific group: ipa pwpolicy-add --minlife=10 --priority=10 --group=example

The priority determines which policy wins. The lower the number, the higher the priority. This is important if a user is in several groups, each with a password policy set.

The group needs to already exist but does not need to have any members.

To show the password policy for a specific group: ipa pwpolicy-show --group=example

To see the policy set for a given user: ipa pwpolicy-show --user=tuser1

A password policy is not cumulative. In other words, you cannot override just one setting in a policy and let it fall back to the global policy on the others, it is all or nothing.

In the following example I create a user and two groups. I create a separate password policy for each group with a different priority and add the user to each group. Then I show the policy for the user to demonstrate how priority works.

$ ipa user-add --first=Tim --last=User tuser1
---------
user-add:
---------
  User login: tuser1
  First name: Tim
  Last name: User
  Home directory: /home/tuser1
  GECOS field: tuser1
  Login shell: /bin/sh
  Kerberos principal: tuser1
-------------------
Added user "tuser1"
-------------------
$ ipa group-add --desc=g1 g1
----------
group-add:
----------
  Group name: g1
  Description: g1
----------------
Added group "g1"
----------------
$ ipa group-add --desc=g2 g2
----------
group-add:
----------
  Group name: g2
  Description: g2
----------------
Added group "g2"
----------------
$ ipa pwpolicy-add --minlife=10 --priority=10 --group=g1
  <krbminpwdlife>: 10
$ ipa group-add-member --users=tuser1 g1
$ ipa pwpolicy-show --user=tuser1
  cn: g1
  group: g1
  krbminpwdlife: 10
  objectclass: top, nscontainer, krbpwdpolicy
$ ipa pwpolicy-add --minlife=20 --priority=20 --group=g2
  <krbminpwdlife>: 20
$ ipa group-add-member --users=tuser1 g2
$ ipa pwpolicy-show --user=tuser1
  cn: g1
  group: g1
  krbminpwdlife: 10
  objectclass: top, nscontainer, krbpwdpolicy

Remove the user from g1 to show that they still have a custom policy.

$ ipa group-remove-member --users=tuser1 g1
$ ipa pwpolicy-show --user=tuser1
  cn: g2
  group: g2
  krbminpwdlife: 20
  objectclass: top, nscontainer, krbpwdpolicy
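
The transcript above shows the observable behaviour but not the selection rule in one place. The following Python model is an added example, not FreeIPA's own code or the ipa-pwpolicy plugin: it encodes the three rules stated in this comment (a user's applicable policy is the group policy with the lowest priority number among the groups the user belongs to; with no group policy the global policy applies; a group policy is all or nothing, so attributes it does not set are not inherited from the global policy) and replays the g1/g2 membership changes. The global policy values, the extra krbmaxpwdlife attribute, and the tie-break between equal priorities (by group name) are constructed assumptions, since the comment does not specify them.

```python
"""Model of how a per-group password policy is chosen for a user (added example,
not FreeIPA code). Mirrors the g1/g2 walkthrough from comment 4 of bug 488904."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional


@dataclass
class PwPolicy:
    group: Optional[str]            # None marks the global policy
    priority: Optional[int]         # lower number wins; the global policy has none
    attrs: Dict[str, int] = field(default_factory=dict)   # e.g. {"krbminpwdlife": 10}


def effective_policy(user_groups: Iterable[str], policies: List[PwPolicy]) -> PwPolicy:
    """Return the policy that applies to a user who is a member of `user_groups`.

    Among the group policies whose group the user belongs to, the lowest priority
    number wins. If the user is in no group that has a policy, the global policy applies.
    Tie-break on equal priority numbers (by group name) is an assumption, not documented here.
    """
    groups = set(user_groups)
    candidates = [p for p in policies if p.group is not None and p.group in groups]
    if not candidates:
        return next(p for p in policies if p.group is None)
    return min(candidates, key=lambda p: (p.priority, p.group))


def effective_attr(user_groups: Iterable[str], policies: List[PwPolicy], attr: str) -> Optional[int]:
    """Look up one attribute under the winning policy. No merging takes place: if the
    winning group policy does not set `attr`, the result is None rather than the global value."""
    return effective_policy(user_groups, policies).attrs.get(attr)


# Constructed sample data. The g1/g2 values come from the transcript; the global
# policy's values are made up for illustration.
GLOBAL = PwPolicy(None, None, {"krbminpwdlife": 1, "krbmaxpwdlife": 90})
G1 = PwPolicy("g1", 10, {"krbminpwdlife": 10})
G2 = PwPolicy("g2", 20, {"krbminpwdlife": 20})
POLICIES = [GLOBAL, G1, G2]


def walkthrough() -> List[Optional[str]]:
    """Replay the membership changes from the transcript and record which policy wins each time."""
    groups = set()
    winners = []
    groups.add("g1")                                    # group-add-member --users=tuser1 g1
    winners.append(effective_policy(groups, POLICIES).group)   # g1
    groups.add("g2")                                    # group-add-member --users=tuser1 g2
    winners.append(effective_policy(groups, POLICIES).group)   # still g1: priority 10 beats 20
    groups.discard("g1")                                # group-remove-member --users=tuser1 g1
    winners.append(effective_policy(groups, POLICIES).group)   # g2
    groups.discard("g2")                                # no group policy left
    winners.append(effective_policy(groups, POLICIES).group)   # None, i.e. the global policy
    return winners


if __name__ == "__main__":
    print(walkthrough())
    # All-or-nothing: g2 sets no krbmaxpwdlife, so a g2 member gets no value for it
    print(effective_attr({"g2"}, POLICIES, "krbmaxpwdlife"))
```

The last lookup is the practical caveat from this comment: a group that only sets --minlife does not inherit the global maximum lifetime, so a per-group policy has to set every attribute you care about.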

Comment 5 David O'Brien 2010-02-17 06:39:21 UTC
To help make the documentation more useful, can I have a use case for this?

Comment 6 Rob Crittenden 2010-02-17 14:06:19 UTC
The use case is you may have users whose passwords you never want to expire, or a set of users (say contractors) whose passwords will always expire after 30 days.

We are providing overlapping group policy, using the priority setting to sort out which policy gets applied. I don't make it explicit in comment #4 but the last command shows the policy for a specific user.

Comment 7 David O'Brien 2010-02-18 12:43:08 UTC
$ ipa pwpolicy-add --minlife=10 --priority=10 --group=g1  <krbminpwdlife>: 10

I don't understand the following:
<krbminpwdlife>: 10

I gather it's the min Kerberos pwd lifetime, but how do you use it? It's not discussed in the help/man page, and entering it as-is gives (me) an error:
"bash: krbminpwdlife: No such file or directory"

thanks

Comment 8 Rob Crittenden 2010-02-18 14:43:50 UTC
<krbminpwdlife>: 10 is the result of the command, not part of it.

We recently changed the way attributes are displayed and not every attribute has a helpful, localizable label yet. This happens to be one of them.

Comment 9 Dmitri Pal 2010-02-18 19:36:06 UTC
This part will be fixed with Jason's patches but I am not sure all of them made Alpha 2.

Comment 11 David O'Brien 2011-01-13 08:50:05 UTC

*** This bug has been marked as a duplicate of bug 646213 ***