3.9 Managing Password Policies

The policy management commands in the MIT kadmin utility were modified to work with an LDAP directory. The policies control the passwords of Kerberos principals. A Kerberos password policy comes into effect only when a principal's Kerberos password is different from the eDirectory user password. When the Kerberos password is the same as the user's eDirectory password, the NSPM password policy is effective instead.

3.9.1 Adding a Password Policy

You can use one of the following methods to add a password policy:

Command Line

This command creates a password policy object in the directory.

add_policy [-maxlife time] [-minlife time] [-minlength length] [-minclasses number] [-history number] policy

Table 3-26 add_policy Parameters

Parameter     Description
-maxlife      Maximum lifetime of a password.
-minlife      Minimum lifetime of a password.
-minlength    Minimum length of a password.
-minclasses   Minimum number of character classes required in a password.
-history      Number of past keys kept for a principal. Not supported.

For example, enter the following at the kadmin prompt:

add_policy -maxlife "2 days" -minlength 5 guestpolicy

iManager

  1. In Novell iManager, click the Roles and Tasks button.

  2. Select Kerberos Management > New Password Policy.

Refer to the iManager online help for more information.

3.9.2 Modifying a Password Policy

You can use one of the following methods to modify the password policy:

Command Line

To modify a policy, enter the following at the kadmin prompt:

modify_policy [-maxlife time] [-minlife time] [-minlength length] [-minclasses number] [-history number] policy

For more information on the options, refer to Table 3-26.

For example, enter the following at the kadmin prompt:

modify_policy -minlife "1 day" -minclasses 2 guestpolicy

iManager

  1. In Novell iManager, click the Roles and Tasks button.

  2. Select Kerberos Management > Edit Password Policy.

Refer to the iManager online help for more information.

3.9.3 Deleting a Password Policy

You can use one of the following methods to delete a password policy:

Command Line

This command deletes the specified policy from the directory. It fails if the policy is in use by any principal.

To delete a policy, enter the following at the kadmin prompt:

delete_policy [-force] policy

For example, enter the following at the kadmin prompt:

delete_policy guestpolicy

You are prompted to confirm the deletion as follows:

Are you sure you want to delete the policy "guestpolicy"? (yes/no): 

Enter yes to proceed with the deletion.

iManager

  1. In Novell iManager, click the Roles and Tasks button.

  2. Select Kerberos Management > Delete Password Policy.

Refer to the iManager online help for more information.

3.9.4 Viewing Policy Values

You can view the values of the specified policy as follows:

get_policy [-terse] policy

The -terse flag outputs the field values as quoted strings separated by tabs, which is convenient for scripts.

For example:

get_policy guestpolicy

This gives the following output:

Policy: guestpolicy
Maximum password life: 172800
Minimum password life: 86400
Minimum password length: 5
Minimum number of password character classes: 2
Number of old keys kept: 1
Reference count: 0
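As an added example that is not part of this documentation, the following POSIX shell functions parse the human-readable get_policy output shown above (embedded here as a constructed sample) and flag settings that fall below audit baselines; the baselines, and obtaining the text with MIT kadmin's `-q "get_policy guestpolicy"` option, are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the product documentation. Parses get_policy
# output and checks it against baselines chosen for illustration.

# Constructed sample: the get_policy output shown on this page.
SAMPLE_POLICY='Policy: guestpolicy
Maximum password life: 172800
Minimum password life: 86400
Minimum password length: 5
Minimum number of password character classes: 2
Number of old keys kept: 1
Reference count: 0'

# Assumed baselines (not product defaults); adjust to local policy.
MIN_LENGTH=8
MIN_CLASSES=3
MAX_LIFE_DAYS=90

# policy_field TEXT LABEL -> value after "LABEL: " (empty if absent)
policy_field() {
    printf '%s\n' "$1" | awk -F': ' -v label="$2" '$1 == label { print $2; exit }'
}

# days_from_seconds SECONDS -> whole days (kadmin reports lifetimes in seconds)
days_from_seconds() {
    echo $(( $1 / 86400 ))
}

# policy_in_use TEXT -> "yes" if any principal references the policy
# (delete_policy refuses to remove such a policy), otherwise "no"
policy_in_use() {
    refs=$(policy_field "$1" 'Reference count')
    [ "${refs:-0}" -gt 0 ] && echo yes || echo no
}

# audit_policy TEXT -> one line per setting weaker than the baseline
audit_policy() {
    name=$(policy_field "$1" 'Policy')
    maxlife=$(policy_field "$1" 'Maximum password life')
    minlen=$(policy_field "$1" 'Minimum password length')
    classes=$(policy_field "$1" 'Minimum number of password character classes')
    [ "${minlen:-0}" -lt "$MIN_LENGTH" ] &&
        echo "$name: minimum length $minlen is below $MIN_LENGTH"
    [ "${classes:-0}" -lt "$MIN_CLASSES" ] &&
        echo "$name: only $classes character classes required, baseline is $MIN_CLASSES"
    # A maximum life of 0 means the password never expires.
    if [ "${maxlife:-0}" -eq 0 ] || [ "$(days_from_seconds "$maxlife")" -gt "$MAX_LIFE_DAYS" ]; then
        echo "$name: maximum life ${maxlife}s does not force rotation within $MAX_LIFE_DAYS days"
    fi
    return 0
}
```

For the sample above, audit_policy reports the 5-character minimum length and the 2-class requirement, while the 2-day maximum life passes.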

3.9.5 Listing Policies

You can list all the password policies, or only those whose names match a pattern such as t*, as follows:

list_policies [expression]

The following sample session uses listpols, which is an alias for list_policies:

kadmin:  listpols
test-pol
dict-only
once-a-min
test-pol-nopw

kadmin:  listpols t*
test-pol
test-pol-nopw
kadmin: