Managing Password Policies

The policy management commands in the MIT kadmin utility have been modified to work with an LDAP directory. These policies control the passwords of Kerberos principals. A Kerberos password policy takes effect only when a principal's Kerberos password differs from the eDirectory user password; when the Kerberos password is the same as the user's password, the NSPM password policy applies instead.


Adding a Password Policy

You can add a password policy using either of the following methods:


Command Line

This command creates a password policy object; the 'policy' argument is the DN of that object:

add_policy [-maxlife time] [-minlife time] [-minlength length] [-minclasses number] [-history number] policy


Table 33. add_policy Parameter Description

Parameter    Description
-maxlife     Sets the maximum lifetime of a password
-minlife     Sets the minimum lifetime of a password
-minlength   Sets the minimum length of a password
-minclasses  Sets the minimum number of character classes allowed in a password
-history     Sets the number of past keys kept for a principal

For example, enter the following at the kadmin prompt:

add_policy -maxlife "2 days" -minlength 5 cn=realm-policy,o=org


iManager

  1. In Novell iManager, click the Roles and Tasks button.

  2. Select Kerberos Management > New Password Policy.

Refer to the iManager online help for more information.


Modifying a Password Policy

You can modify the password policy using either of the following methods:


Command Line

To modify a policy, enter the following at the kadmin prompt:

modify_policy [-maxlife time] [-minlife time] [-minlength length] [-minclasses number] [-history number] policy

For more information on the options, refer to Table 33, add_policy Parameter Description.

For example, enter the following at the kadmin prompt:

modify_policy -minlife "1 day" -minclasses 2 cn=realm-policy,o=org


iManager

  1. In Novell iManager, click the Roles and Tasks button.

  2. Select Kerberos Management > Edit Password Policy.

Refer to the iManager online help for more information.


Deleting a Password Policy

You can delete a password policy using either of the following methods:


Command Line

This command deletes the specified policy DN from the directory. It fails if the policy is still in use by any principal.

To delete a policy, enter the following at the kadmin prompt:

delete_policy [-force] policy

For example, enter the following at the kadmin prompt:

delete_policy cn=realm-policy,o=org

You are prompted to confirm the deletion as follows:

Are you sure you want to delete the policy "cn=realm-policy,o=org"? (yes/no): 

Enter "yes" to proceed with the deletion.


iManager

  1. In Novell iManager, click the Roles and Tasks button.

  2. Select Kerberos Management > Delete Password Policy.

Refer to the iManager online help for more information.


Viewing Policy Values

You can view the values of the specified policy as follows:

get_policy [-terse] policy

The -terse flag prints the fields as quoted strings separated by tabs, which is easier for scripts to parse.

For example:

get_policy cn=realm-policy,o=org

This gives the following output:

Policy: cn=realm-policy,o=org 
Maximum password life: 172800
Minimum password life: 86400
Minimum password length: 5
Minimum number of password character classes: 2
Number of old keys kept: 1
Reference count: 0
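As an added check that is not part of this documentation or of the kadmin tooling, the following Python parses the get_policy output shown above and reports values that fall below a baseline. The baseline numbers and the treatment of a zero maxlife as "never expires" are assumptions of the script, not settings this documentation states.

```python
# Constructed sample: the get_policy output shown above for cn=realm-policy,o=org.
SAMPLE_OUTPUT = """\
Policy: cn=realm-policy,o=org
Maximum password life: 172800
Minimum password life: 86400
Minimum password length: 5
Minimum number of password character classes: 2
Number of old keys kept: 1
Reference count: 0
"""

# Labels that get_policy prints, mapped to the matching add_policy option names.
FIELDS = {
    "Policy": "policy",
    "Maximum password life": "maxlife",
    "Minimum password life": "minlife",
    "Minimum password length": "minlength",
    "Minimum number of password character classes": "minclasses",
    "Number of old keys kept": "history",
    "Reference count": "refcount",
}

def parse_get_policy(text):
    """Turn the 'Label: value' lines of get_policy into a dict; lifetimes stay in seconds."""
    policy = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        key = FIELDS.get(label.strip())
        if not sep or key is None:
            continue  # blank line, or a label this parser does not know
        policy[key] = value.strip() if key == "policy" else int(value)
    return policy

def audit_policy(policy, min_length=8, min_classes=2, min_history=3, max_life_days=90):
    """Compare a parsed policy with an assumed baseline; return the list of findings (empty = ok)."""
    findings = []
    if policy["minlength"] < min_length:
        findings.append(f"minlength {policy['minlength']} below {min_length}")
    if policy["minclasses"] < min_classes:
        findings.append(f"minclasses {policy['minclasses']} below {min_classes}")
    if policy["history"] < min_history:
        findings.append(f"history {policy['history']} below {min_history}")
    max_life = policy["maxlife"]  # assumption: 0 means the password never expires
    if max_life == 0 or max_life > max_life_days * 86400:
        findings.append(f"maxlife {max_life}s is not within 1..{max_life_days} days")
    return findings

if __name__ == "__main__":
    for finding in audit_policy(parse_get_policy(SAMPLE_OUTPUT)):
        print(finding)
```

Run it against the output of get_policy for each DN returned by list_policies to review all policies at once.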


Listing Policies

You can list all the policy DNs as follows:

list_policies

This gives the following output:

cn=policy1,o=org 
cn=realm-policy,o=org