Configuring workload password policies
In order to bring your workload password complexity requirements in line with company policy, you can set your FreeIPA password policies via CDP web interface and CDP CLI. Password policies can be configured for length, complexity, expiration, and scope.
Workload password policy types
There are two types of password policies:
-
Global policies - Apply to all users including machine users
-
Machine user policies - Apply to machine users only
You can set either or both policies. By default, global policies are applied to all users, including machine users. An optional override for configuring a different policy for machine users is available. For example, setting strict password expiration policies for machine users may not be desired, as password expiration in those accounts may cause upstream failures in the applications that use them.
Default workload password policy
If a password policy has not been set, the following default password policy is used:
-
A minimum password length of 8 characters
-
Must include at least 1 upper case character, lowercase character, number and special character. Supported special characters are: "#", "&", "*", "$", "%", "@", "^", ".", "_", and "!".
-
All previous passwords can be reused
-
The password can be changed at any time
-
The password never expires
For detailed information on how to manage workload password policies, refer to the following documentation:
Check the current workload password policy
You can check your current password policy from the Workload Password Policies page or
using the cdp iam get-account CLI command.
Required role: PowerUser
Steps
You can check the current password policy from the Workload Password Policies page. To access this page:
-
Log in to the CDP web interface.
-
Navigate to the Management Console > User Management > Workload Password Policies:
Use the cdp iam get-account to obtain your current password policy.
Set a password policy
You can set password policies from the Workload Password Policies page or using the
via CDP CLI using the cdp iam set-workload-password-policy command.
Required role: PowerUser
Steps
-
Log in to the CDP web interface.
-
Navigate to the Management Console > User Management > Workload Password Policies:
-
In the Global tab, specify a policy that applies to all CDP users and machine users. The following options are available:
UI option Description Minimum lifetime of password (in days) Once set, the password must remain the same for this period of time. Note: If a user forgets their password, they will be unable to reset it until the minimum period has passed or until the PowerUser unsets the minimum lifetime of the password for them.
Maximum lifetime of password (in days) Allows you to specify password expiration period in days. Minimum password length Allows you to specify minimum password length, must be between 6 and 256 characters. Number of previous passwords that can’t be reused If set to 0, all previous passwords can be reused. Any number larger than 0 indicates the number of most recent passwords that can't be reused. The maximum allowed value for this parameter is 20, so you can prevent users from reusing up to 20 recent passwords. Note: Password history information is only recorded when password history size is set to a value other than zero. This means that when the password history size is initially set from zero to non-zero, the previous passwords that were set (while the password history size was as at 0) are not considered when the password history check is done.
Must include uppercase characters When checked, at least one uppercase character is required Must include lowercase characters When checked, at least one lowercase character is required Must include numbers When checked, at least one number is required Must include symbols When checked, at least one special character is required. Supported special characters are: "#", "&", "*", "$", "%", "@", "^", ".", "_", and "!". -
Click Update.
-
By default, global policies are applied to machine users. If you would like to set a different policy for machine users:
-
Navigate to the Machine User tab.
-
Uncheck Inherit from global policy.
-
Set a desired policy (the available options are the same as for global policy).
-
Click Update.
-
The following example creates a global policy:
cdp iam set-workload-password-policy --global-password-policy minPasswordLength=8,mustIncludeUpperCaseCharacters=true,mustIncludeLowerCaseCharacters=true,mustIncludeNumbers=true,mustIncludeSymbols=falseThe following example creates a machine user policy. This overrides the global policy for machine users:
cdp iam set-workload-password-policy --machine-users-password-policy minPasswordLength=8,mustIncludeUpperCaseCharacters=true,mustIncludeLowerCaseCharacters=true,mustIncludeNumbers=true,mustIncludeSymbols=trueThe following password complexity requirements can be set as part of your policy:
| CLI option | Type | Description | Default value |
minPasswordLifetimeDays |
integer |
Minimum period in days during which password cannot be changed once it is set Note: If a user forgets their password, they will be unable to reset it until the minimum period has passed or until the PowerUser unsets the minimum lifetime of the password for them. |
0 |
maxPasswordLifetimeDays |
integer |
Expiration period in days | 0 |
minPasswordLength |
integer |
Minimum password length; must be between 6 and 256 characters. | 8 |
passwordHistorySize |
integer |
Number of previous passwords that can't be reused. 0 indicates that all previous
passwords can be reused. Any number above 0 indicates the number of most recent passwords
that can’t be reused. The maximum allowed value for this parameter is 20, so you can
prevent users from reusing up to 20 recent passwords. Note: Password history information is only recorded when password history size is set to a value other than zero. This means that when the password history size is initially set from zero to non-zero, the previous passwords that were set (while the password history size was as at 0) are not considered when the password history check is done. |
0 |
mustIncludeUpperCaseCharacters |
true|false |
At least one uppercase character is required | true |
mustIncludeLowerCaseCharacters |
true|false |
At least one lowercase character is required | true |
mustIncludeNumbers |
true|false |
At least one number is required | true |
mustIncludeSymbols |
true|false |
At least one special character is required. Supported special characters are: "#", "&", "*", "$", "%", "@", "^", ".", "_", and "!". | true |
Reset a password policy
You can reset password policies via CDP CLI using the cdp iam
unset-workload-password-policy command. As a result, default password policies will be
reinstated.
A global password policy is always present for an account. When the global password policy is unset, the policy will revert to the documented defaults. A machine user password policy may or may not be present in the account. When the machine user policy is not set for the account, the global password policy will be enforced for machine users.
Required role: PowerUser
Steps
-
Log in to the CDP web interface.
-
Navigate to the Management Console > User Management > Workload Password Policies:
-
Navigate to the Machine User tab and make sure that Inherit from global policy is checked.
-
Click on Reset to default values.
-
Click OK to confirm.
Use the following commands to reset password policies:
cdp iam unset-workload-password-policy --unset-global-password-policycdp iam unset-workload-password-policy --unset-machine-users-password-policyUnset user’s minimum password lifetime
With the minimum workload password lifetime enabled, it may happen in very rare cases that a user becomes locked out of their account and their minimum password lifetime needs to be temporarily unset.
If your organization’s workload password policy has the minimum password lifetime enabled, a user is unable to set a new workload password until the minimum password lifetime duration has passed. Consequently, a user who forgets their password will be unable to set a new password until the minimum password lifetime duration has passed. In such a case, a PowerUser can unset the minimum lifetime date for the user who has been locked out of their account. This is a one-time override that will allow the user to set a new workload password.
Required role: PowerUser
Steps
cdp iam unset-workload-password-min-lifetime --user <USER-CRN-OR-ID>This is a one-time override. Once the user sets their password, the minimum password lifetime will be reset to the original value that you set for your organization.
