On 10/11/2016 07:36 PM, Bennett, Chip wrote:
I just joined this list, so if this question has been asked before (and
I’ll bet it has), I apologize in advance.

A google search was unrevealing, so I’m asking here: we’re running
FreeIPA Version 3.0.0 on CentOS 6.6.   It looks like the password
complexity requirements are limited to setting the number of character
classes to require, i.e. setting it to “2” would require your new
password to be any two of the character classes.

What if you wanted new passwords to meet specific class requirements,
i.e. a mix of UL, LC, and numbers.  It looks like you would use a value
of “3” to accomplish this, but that would also allow UC, LC, and
special, or LC, numbers, and special, but you don’t want to allow the
those:  how would you specify that?


as far as I know, it is only possible to specify the number of different character classes. The doc chapter "Creating Password Policies in the Web UI" [1] describes the following:
Character classes sets the number of different categories of character that must be used in the password. This does not set which classes must be used; it sets the number of different (unspecified) classes which must be used in a password. For example, a character class can be a number, special character, or capital; the complete list of categories is in Table 22.1, “Password Policy Settings”. This is part of setting the complexity requirements.

hope this clarifies,

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/Setting_Different_Password_Policies_for_Different_User_Groups.html#creating-group-policy-ui

Also, what if you had a requirement for more than one of the character
classes, i.e. you want to require two UC characters or two special

Thanks in advance for the help,

Chip Bennett

This message is solely for the intended recipient(s) and may contain
confidential and privileged information. Any unauthorized review, use,
disclosure or distribution is prohibited.  ­­

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to