The policy management commands in the MIT kadmin utility were modified to work with an LDAP directory. The policies control the passwords of the Kerberos principals. The Kerberos password policies come into effect only when the Kerberos passwords of the principals are different from the eDirectory user passwords. When the Kerberos passwords are the same as the users' passwords, the NSPM password policy is effective.
You can add a password policy using either of the following methods:
This command creates a password policy object; the 'policy' argument is the DN of that object:
add_policy [-maxlife time] [-minlife time] [-minlength length] [-minclasses number] [-history number] policy
Table 33. add_policy Parameter Description
For example, enter the following at the kadmin prompt:
add_policy -maxlife "2 days" -minlength 5 cn=realm-policy,o=org
You can modify the password policy using either of the following methods:
To modify a policy, enter the following at the kadmin prompt:
modify_policy [-maxlife time] [-minlife time] [-minlength length] [-minclasses number] [-history number] policy
For more information on the options, refer to Table 33, add_policy Parameter Description.
For example, enter the following at the kadmin prompt:
modify_policy -minlife "1 day" -minclasses 2 cn=realm-policy,o=org
You can delete a password policy using either of the following methods:
This command deletes the specified policy DN from the directory. It fails if the policy is in use by any principal.
To delete a policy, enter the following at the kadmin prompt:
delete_policy [-force] policy
For example, enter the following at the kadmin prompt:
delete_policy cn=realm-policy,o=org
You are prompted to confirm the deletion as follows:
Are you sure you want to delete the policy "cn=realm-policy,o=org"? (yes/no):
Enter "yes" to proceed with the deletion.
You can view the values of the specified policy as follows:
get_policy [-terse] policy
The -terse flag outputs the fields as quoted strings separated by tabs.
For example:
get_policy cn=realm-policy,o=org
This gives the following output:
Policy: cn=realm-policy,o=org
Maximum password life: 172800
Minimum password life: 86400
Minimum password length: 5
Minimum number of password character classes: 2
Number of old keys kept: 1
Reference count: 0
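The get_policy output above reports lifetimes in seconds (172800 is the "2 days" set with add_policy, 86400 the "1 day" set with modify_policy). As an added example, not part of the original documentation, the following Python parses that output and flags weak settings; the baseline thresholds and the function names are assumptions chosen for illustration.

```python
# Constructed sample: the get_policy output shown on this page.
SAMPLE_OUTPUT = """\
Policy: cn=realm-policy,o=org
Maximum password life: 172800
Minimum password life: 86400
Minimum password length: 5
Minimum number of password character classes: 2
Number of old keys kept: 1
Reference count: 0
"""
# Labels as printed by get_policy above -> short keys.
FIELDS = {
    "Policy": "policy",
    "Maximum password life": "maxlife",
    "Minimum password life": "minlife",
    "Minimum password length": "minlength",
    "Minimum number of password character classes": "minclasses",
    "Number of old keys kept": "history",
    "Reference count": "refcount",
}
# Assumed site baseline (hypothetical values, not from the product docs).
BASELINE = {"minlength": 12, "minclasses": 3, "history": 5}

def parse_policy(text):
    """Parse long-form get_policy output; numeric fields become int."""
    policy = {}
    for line in text.splitlines():
        label, sep, value = line.partition(": ")
        if sep and label.strip() in FIELDS:
            key = FIELDS[label.strip()]
            policy[key] = value.strip() if key == "policy" else int(value)
    missing = sorted(set(FIELDS.values()) - set(policy))
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    return policy

def audit(policy, baseline=BASELINE):
    """Return findings for settings weaker than the baseline."""
    findings = [f"{k}={policy[k]} is below baseline {v}"
                for k, v in baseline.items() if policy[k] < v]
    # A maxlife of 0 is treated as "no expiry" here (assumption).
    if policy["maxlife"] and policy["minlife"] >= policy["maxlife"]:
        findings.append("minlife >= maxlife: password expires before it can be changed")
    if policy["refcount"] == 0:  # not in use, so it constrains no principal
        findings.append("refcount=0: no principal references this policy")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_policy(SAMPLE_OUTPUT))))
```

A policy with a reference count of 0 is also the only kind delete_policy removes, since deletion fails while any principal uses the policy.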