Bug 488904 - Document how to set different password policies for different (non-overlapping) groups of users
Summary: Document how to set different password policies for different (non-overlappin...
Status: CLOSED DUPLICATE of bug 646213
Alias: None
Product: freeIPA
Classification: Retired
Component: Documentation
Version: 2.0
Hardware: All
OS: Linux
Target Milestone: v2 release
Assignee: David O'Brien
QA Contact: Chandrasekar Kannan
Keywords: Documentation
Depends On:
Blocks: 431020 freeipa20 489811 646213 646217
Reported: 2009-03-06 05:24 UTC by David O'Brien
Modified: 2015-01-04 23:37 UTC (History)

Clone Of:
Clones: 646213
Last Closed: 2011-01-13 08:50:05 UTC


Description David O'Brien 2009-03-06 05:24:40 UTC
Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
Actual results:

Expected results:

Additional info:

Comment 1 David O'Brien 2009-03-08 21:55:25 UTC
Version set to 1.1 by mistake. Resetting to 2.0

Comment 2 David O'Brien 2010-02-01 04:29:03 UTC
Need info on how to do this. Emailed the list for help.

Comment 3 Dmitri Pal 2010-02-01 15:09:27 UTC
Rob please provide additional info.

Comment 4 Rob Crittenden 2010-02-01 15:56:45 UTC
The ipa-pwpolicy plugin handles both global and per-group password policy.

To show the global policy: ipa pwpolicy-show

To add a new policy for a specific group: ipa pwpolicy-add --minlife=10 --priority=10 --group=example

The priority determines which policy wins. The lower the number, the higher the priority. This is important if a user is in several groups, each with a password policy set.

The group needs to already exist but does not need to have any members.

To show the password policy for a specific group: ipa pwpolicy-show --group=example

To see the policy set for a given user: ipa pwpolicy-show --user=tuser1

A password policy is not cumulative. In other words, you cannot override just one setting in a policy and let it fall back to the global policy on the others, it is all or nothing.

In the following example I create a user and two groups. I create a separate password policy for each group with a different priority and add the user to each group. Then I show the policy for the user to demonstrate how priority works.

$ ipa user-add --first=Tim --last=User tuser1
  User login: tuser1
  First name: Tim
  Last name: User
  Home directory: /home/tuser1
  GECOS field: tuser1
  Login shell: /bin/sh
  Kerberos principal: tuser1@EXAMPLE.COM
Added user "tuser1"
$ ipa group-add --desc=g1 g1
  Group name: g1
  Description: g1
Added group "g1"
$ ipa group-add --desc=g2 g2
  Group name: g2
  Description: g2
Added group "g2"
$ ipa pwpolicy-add --minlife=10 --priority=10 --group=g1
  <krbminpwdlife>: 10
$ ipa group-add-member --users=tuser1 g1
$ ipa pwpolicy-show --user=tuser1
  cn: g1
  group: g1
  krbminpwdlife: 10
  objectclass: top, nscontainer, krbpwdpolicy
$ ipa pwpolicy-add --minlife=20 --priority=20 --group=g2
  <krbminpwdlife>: 20
$ ipa group-add-member --users=tuser1 g2
$ ipa pwpolicy-show --user=tuser1
  cn: g1
  group: g1
  krbminpwdlife: 10
  objectclass: top, nscontainer, krbpwdpolicy

Remove the user from g1 to show that they still have a custom policy.

$ ipa group-remove-member --users=tuser1 g1
$ ipa pwpolicy-show --user=tuser1
  cn: g2
  group: g2
  krbminpwdlife: 20
  objectclass: top, nscontainer, krbpwdpolicy

Comment 5 David O'Brien 2010-02-17 06:39:21 UTC
To help make the documentation more useful, can I have a use case for this?

Comment 6 Rob Crittenden 2010-02-17 14:06:19 UTC
The use case is you may have users whose passwords you never want to expire, or a set of users (say contractors) whose passwords will always expire after 30 days.

We are providing overlapping group policy, using the priority setting to sort out which policy gets applied. I don't make it explicit in comment #4 but the last command shows the policy for a specific user.
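
The selection rule spelled out in comment 4 (lowest priority number wins, the global policy is the fallback, and a group policy is not merged with the global one) together with the contractor use case from comment 6, modelled as an added Python example. This is not FreeIPA code and does not talk to a server; it reproduces the behaviour of pwpolicy-add, group-add-member, group-remove-member and pwpolicy-show --user as the comments describe it, and replays the exact session from comment 4. The global values (minlife 1, maxlife 90), the "contractors" group and the user "bob" are constructed for the example. Rejecting two policies with the same priority is an assumption of this model so that the winner is always unambiguous; the page does not say how such a tie is handled.

```python
"""Model of FreeIPA per-group password policy selection (comments 4 and 6).

Added example, not FreeIPA code. Rules taken from comment 4:
  * a policy is attached to an existing group and carries a numeric priority;
  * if a user is in several groups with policies, the LOWEST number wins;
  * a user in no policy-bearing group gets the global policy;
  * policies are not cumulative: the winning policy is returned as-is and
    attributes it does not set are NOT filled in from the global policy.
Assumption not stated on the page: duplicate priorities are rejected.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PwPolicy:
    cn: str                  # group name, or "global_policy"
    priority: Optional[int]  # None for the global policy
    attrs: dict              # e.g. {"krbminpwdlife": 10}


class PwPolicyStore:
    def __init__(self, **global_attrs):
        self.global_policy = PwPolicy("global_policy", None, dict(global_attrs))
        self.policies: dict[str, PwPolicy] = {}   # group -> its policy
        self.members: dict[str, set] = {}         # group -> set of users

    def group_add(self, group):
        self.members.setdefault(group, set())

    def pwpolicy_add(self, group, priority, **attrs):
        # like: ipa pwpolicy-add --group=G --priority=N --minlife=...
        # The group must already exist (comment 4); it may be empty.
        if group not in self.members:
            raise KeyError(f"group {group!r} does not exist")
        if any(p.priority == priority for p in self.policies.values()):
            raise ValueError(f"priority {priority} already in use")  # assumption
        self.policies[group] = PwPolicy(group, priority, dict(attrs))

    def group_add_member(self, group, user):
        self.members[group].add(user)

    def group_remove_member(self, group, user):
        self.members[group].discard(user)

    def pwpolicy_show_user(self, user):
        # like: ipa pwpolicy-show --user=U
        # Lowest priority number among the user's policy-bearing groups wins;
        # with no such group the global policy applies.
        candidates = [p for g, p in self.policies.items() if user in self.members[g]]
        if not candidates:
            return self.global_policy
        return min(candidates, key=lambda p: p.priority)


def replay_comment4():
    """cn of the policy shown for tuser1 after each step of the comment 4 session."""
    ipa = PwPolicyStore(krbminpwdlife=1, krbmaxpwdlife=90)  # constructed globals
    for g in ("g1", "g2"):
        ipa.group_add(g)
    seen = []
    ipa.pwpolicy_add("g1", priority=10, krbminpwdlife=10)
    ipa.group_add_member("g1", "tuser1")
    seen.append(ipa.pwpolicy_show_user("tuser1").cn)   # g1
    ipa.pwpolicy_add("g2", priority=20, krbminpwdlife=20)
    ipa.group_add_member("g2", "tuser1")
    seen.append(ipa.pwpolicy_show_user("tuser1").cn)   # still g1: 10 beats 20
    ipa.group_remove_member("g1", "tuser1")
    seen.append(ipa.pwpolicy_show_user("tuser1").cn)   # g2
    ipa.group_remove_member("g2", "tuser1")
    seen.append(ipa.pwpolicy_show_user("tuser1").cn)   # back to global_policy
    return seen


def contractors_not_cumulative():
    """Comment 6 use case: contractors expire after 30 days. Setting only maxlife
    on the group policy means its minlife is NOT inherited from the global policy."""
    ipa = PwPolicyStore(krbminpwdlife=1, krbmaxpwdlife=90)
    ipa.group_add("contractors")
    ipa.pwpolicy_add("contractors", priority=5, krbmaxpwdlife=30)
    ipa.group_add_member("contractors", "bob")
    eff = ipa.pwpolicy_show_user("bob")
    return eff.cn, eff.attrs.get("krbminpwdlife"), eff.attrs.get("krbmaxpwdlife")


if __name__ == "__main__":
    print(replay_comment4())              # ['g1', 'g1', 'g2', 'global_policy']
    print(contractors_not_cumulative())   # ('contractors', None, 30)
```

The practical check on a live server is the one comment 4 ends with: after every group or policy change, run ipa pwpolicy-show --user=<login> for an affected user and confirm the cn is the policy you expect, and read every attribute of that policy rather than assuming unset ones follow the global policy.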

Comment 7 David O'Brien 2010-02-18 12:43:08 UTC
$ ipa pwpolicy-add --minlife=10 --priority=10 --group=g1
  <krbminpwdlife>: 10

I don't understand the following:
<krbminpwdlife>: 10

I gather it's the min Kerberos pwd lifetime, but how do you use it? It's not discussed in the help/man page, and entering it as-is gives (me) an error:
"bash: krbminpwdlife: No such file or directory"


Comment 8 Rob Crittenden 2010-02-18 14:43:50 UTC
<krbminpwdlife>: 10 is the result of the command, not part of it.

We recently changed the way attributes are displayed and not every attribute has a helpful, localizable label yet. This happens to be one of them.

Comment 9 Dmitri Pal 2010-02-18 19:36:06 UTC
This part will be fixed with Jason's patches but I am not sure all of them made Alpha 2.

Comment 11 David O'Brien 2011-01-13 08:50:05 UTC

*** This bug has been marked as a duplicate of bug 646213 ***
