Configuring workload password policies

In order to bring your workload password complexity requirements in line with company policy, you can set your FreeIPA password policies via CDP web interface and CDP CLI. Password policies can be configured for length, complexity, expiration, and scope.

Workload password policy types

There are two types of password policies:

  • Global policies - Apply to all users including machine users

  • Machine user policies - Apply to machine users only

You can set either or both policies. By default, global policies are applied to all users, including machine users. An optional override for configuring a different policy for machine users is available. For example, setting strict password expiration policies for machine users may not be desired, as password expiration in those accounts may cause upstream failures in the applications that use them.

Default workload password policy

If a password policy has not been set, the following default password policy is used:

  • A minimum password length of 8 characters

  • Must include at least 1 upper case character, lowercase character, number and special character. Supported special characters are: "#", "&", "*", "$", "%", "@", "^", ".", "_", and "!".

  • All previous passwords can be reused

  • The password can be changed at any time

  • The password never expires

For detailed information on how to manage workload password policies, refer to the following documentation:

Check the current workload password policy

You can check your current password policy from the Workload Password Policies page or using the cdp iam get-account CLI command.

Required role: PowerUser

Steps

You can check the current password policy from the Workload Password Policies page. To access this page:

  1. Log in to the CDP web interface.

  2. Navigate to the Management Console > User Management > Workload Password Policies:

Use the cdp iam get-account to obtain your current password policy.

Set a password policy

You can set password policies from the Workload Password Policies page or using the via CDP CLI using the cdp iam set-workload-password-policy command.

Required role: PowerUser

Steps

  1. Log in to the CDP web interface.

  2. Navigate to the Management Console > User Management > Workload Password Policies:

  3. In the Global tab, specify a policy that applies to all CDP users and machine users. The following options are available:
    UI option Description
    Minimum lifetime of password (in days) Once set, the password must remain the same for this period of time.

    Note: If a user forgets their password, they will be unable to reset it until the minimum period has passed or until the PowerUser unsets the minimum lifetime of the password for them.

    Maximum lifetime of password (in days) Allows you to specify password expiration period in days.
    Minimum password length Allows you to specify minimum password length, must be between 6 and 256 characters.
    Number of previous passwords that can’t be reused If set to 0, all previous passwords can be reused. Any number larger than 0 indicates the number of most recent passwords that can't be reused. The maximum allowed value for this parameter is 20, so you can prevent users from reusing up to 20 recent passwords.

    Note: Password history information is only recorded when password history size is set to a value other than zero. This means that when the password history size is initially set from zero to non-zero, the previous passwords that were set (while the password history size was as at 0) are not considered when the password history check is done.

    Must include uppercase characters When checked, at least one uppercase character is required
    Must include lowercase characters When checked, at least one lowercase character is required
    Must include numbers When checked, at least one number is required
    Must include symbols When checked, at least one special character is required. Supported special characters are: "#", "&", "*", "$", "%", "@", "^", ".", "_", and "!".
  4. Click Update.

  5. By default, global policies are applied to machine users. If you would like to set a different policy for machine users:

    1. Navigate to the Machine User tab.

    2. Uncheck Inherit from global policy.

    3. Set a desired policy (the available options are the same as for global policy).

    4. Click Update.

The following example creates a global policy:

cdp iam set-workload-password-policy --global-password-policy minPasswordLength=8,mustIncludeUpperCaseCharacters=true,mustIncludeLowerCaseCharacters=true,mustIncludeNumbers=true,mustIncludeSymbols=false

The following example creates a machine user policy. This overrides the global policy for machine users:

cdp iam set-workload-password-policy --machine-users-password-policy minPasswordLength=8,mustIncludeUpperCaseCharacters=true,mustIncludeLowerCaseCharacters=true,mustIncludeNumbers=true,mustIncludeSymbols=true

The following password complexity requirements can be set as part of your policy:

CLI option Type Description Default value
minPasswordLifetimeDays integer Minimum period in days during which password cannot be changed once it is set

Note: If a user forgets their password, they will be unable to reset it until the minimum period has passed or until the PowerUser unsets the minimum lifetime of the password for them.

0
maxPasswordLifetimeDays integer Expiration period in days 0
minPasswordLength integer Minimum password length; must be between 6 and 256 characters. 8
passwordHistorySize integer Number of previous passwords that can't be reused. 0 indicates that all previous passwords can be reused. Any number above 0 indicates the number of most recent passwords that can’t be reused. The maximum allowed value for this parameter is 20, so you can prevent users from reusing up to 20 recent passwords.

Note: Password history information is only recorded when password history size is set to a value other than zero. This means that when the password history size is initially set from zero to non-zero, the previous passwords that were set (while the password history size was as at 0) are not considered when the password history check is done.

0
mustIncludeUpperCaseCharacters true|false At least one uppercase character is required true
mustIncludeLowerCaseCharacters true|false At least one lowercase character is required true
mustIncludeNumbers true|false At least one number is required true
mustIncludeSymbols true|false At least one special character is required. Supported special characters are: "#", "&", "*", "$", "%", "@", "^", ".", "_", and "!". true

Reset a password policy

You can reset password policies via CDP CLI using the cdp iam unset-workload-password-policy command. As a result, default password policies will be reinstated.

A global password policy is always present for an account. When the global password policy is unset, the policy will revert to the documented defaults. A machine user password policy may or may not be present in the account. When the machine user policy is not set for the account, the global password policy will be enforced for machine users.

Required role: PowerUser

Steps

  1. Log in to the CDP web interface.

  2. Navigate to the Management Console > User Management > Workload Password Policies:

  3. Navigate to the Machine User tab and make sure that Inherit from global policy is checked.
  4. Click on Reset to default values.

  5. Click OK to confirm.

Use the following commands to reset password policies:

cdp iam unset-workload-password-policy --unset-global-password-policy
cdp iam unset-workload-password-policy --unset-machine-users-password-policy

Unset user’s minimum password lifetime

With the minimum workload password lifetime enabled, it may happen in very rare cases that a user becomes locked out of their account and their minimum password lifetime needs to be temporarily unset.

If your organization’s workload password policy has the minimum password lifetime enabled, a user is unable to set a new workload password until the minimum password lifetime duration has passed. Consequently, a user who forgets their password will be unable to set a new password until the minimum password lifetime duration has passed. In such a case, a PowerUser can unset the minimum lifetime date for the user who has been locked out of their account. This is a one-time override that will allow the user to set a new workload password.

Required role: PowerUser

Steps

Use the following command to unset the minimum password lifetime for a specific user:
cdp iam unset-workload-password-min-lifetime --user <USER-CRN-OR-ID>

This is a one-time override. Once the user sets their password, the minimum password lifetime will be reset to the original value that you set for your organization.