Recently got Icinga set up and have started to provide my team with their login details.
As part of this I’ve been instructing them to change their passwords on login, however I was wondering if there was a way to enforce this? Ideally I’d like to be able to do the below:
Force password change on first login
Make all passwords expire every 90 days and thus be forced to change them
Enforce password rules such as character limits and special characters
Thanks Ben, unfortunately our Org isn’t allowing any new LDAP/AD integrations and is requiring application authentication go via our SSO SAML authentication, which Icinga currently doesn’t support (as far as I’m aware).
Even if Icinga Web 2 does not support it, you can use it via Apache authentication and External authentication in Icinga Web 2. But there would still be a need for AD/LDAP integration for group membership for role mapping in most cases.
And for the original question: no, there is no password policy management in Icinga Web 2.
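A sketch of the Icinga Web 2 side of the external authentication setup described in the reply above, added here as an example and not taken from any poster's configuration. It assumes the web server's SAML module has already authenticated the request and set REMOTE_USER; the section names, user names, the example.com suffix and the permissions shown are constructed, and roles are mapped by explicit user names because no LDAP/AD group backend is assumed.

```ini
; ---- /etc/icingaweb2/authentication.ini ----
; The "external" backend performs no password check of its own.
; It accepts whatever user name the web server passes in REMOTE_USER.
[sso]
backend = "external"
; Constructed example: strip an "@example.com" suffix from the name
; so that it matches the entries in roles.ini below.
strip_username_regexp = "/@example\.com$/i"

; No database or LDAP backend section is listed here, so local
; password logins are not offered at all.

; ---- /etc/icingaweb2/roles.ini ----
; Without a group backend, each role lists its users explicitly.
[admins]
users = "alice"
permissions = "*"

[monitoring-team]
users = "bob, carol"
; Assumes the monitoring module is the one in use.
permissions = "module/monitoring"
```

Because the external backend trusts REMOTE_USER unconditionally, every path to Icinga Web 2 has to pass through the authenticating web server; a second vhost or port that bypasses it would let requests in unauthenticated.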
Forcing a password change on first login is sensible. But I would strongly discourage you from forcing further changes every 90 days. Periodic forced changes are known to be harmful to security, because they encourage people to choose bad passwords. They also don’t protect against most security risks. (In particular, a change every 90 days means that somebody who acquires a password has up to 90 days to do harm, and somebody who gets the encrypted password file has 90 days to crack it. That’s almost the same as giving them infinite time. So you’re annoying your users at no benefit to security.)