[LON-CAPA-admin] [was LON-CAPA-users] mass resetting internal aauth passwords

Todd Ruskell truskell at mines.edu
Fri Sep 15 14:53:46 EDT 2006


Lars,

Going to LDAP was amazingly simple.  I talked to our LDAP/kerberos person and 
explained what I wanted.  He then sent me an appropriate config 
file: /etc/krb5.conf and a binary access key of sorts (you can tell I'm a 
kerberos expert, eh <g>?):  /etc/krb5.keytab 

I installed them both with the permissions the LDAP guy suggested:
-rw-r--r--  1 root root 659 Jun 12 12:34 krb5.conf
-rw-------  1 root root 302 Jun 12 12:35 krb5.keytab

and it "just worked".  You can use 'kinit' and 'klist' at the command line of 
the server to check and see if the authentication works.  It did, so I went 
in to LON-CAPA and changed authentication to Kerberos 5 and bingo, all done, 
and worked the first time.

Your LDAP/kerberos person will have to tell you what to put in the krb5.conf 
file, and will probably have to provide the keytab. 

In my experimentation it appears best, if not required, to do this 
authentication change while logged into the library server.  It also seemed 
that the kerberos domain was case sensitive.

We've had no problems at all with this since implementing this summer.

However, we are currently in a "mixed mode" where people that already had 
accounts are still internally authenticated, but all new accounts, and 
password reset requests are done via LDAP.  So I will soon be out of the 
password-resetting business!

If it is available, I highly recommend it over internal authentication.

Todd


On Friday 15 September 2006 09:49 am, Lars Jensen wrote:
> Hi Todd,
>
> What has to be done to use LDAP with lon-capa. Did you have to write any
> scripts?
>
> Lars.
>
> Todd Ruskell wrote:
> > Jim,
> >
> > When I converted to LDAP authentication the "Change Password" option was
> > removed.  That means I have to use the officially sanctioned LDAP
> > password changer to do that.  Personally, I see that as a plus, since
> > most students know how to change their email password, which on our
> > campus equates to changing the password on the LDAP server.
> >
> > Todd
> >
> > On Friday 15 September 2006 01:40 am, Jim Maxka wrote:
> >> While this topic is open, maybe someone can help me with this
> >> hypothetical situation -- which has never happened as far as I know.
> >>
> >> We use ldap authentication and so there should not be internal passwords
> >> in the loncapa system for the students.  What happens if a student
> >> changes the password in Change Preferences.  Does this become the
> >> student's internal password?  If this were to happen and the student
> >> forgot the password, would this have to be reset to local
> >> authentication?
> >>
> >> Just wondering -- Jim
> >>
> >> Lars Jensen wrote:
> >>> Hi Gerd and Ray,
> >>>
> >>> What's really needed is a service by which students can enter a
> >>> registered email address and get a new password, so instructors/DC's
> >>> don't have to be involved. I realize that not all students
> >>> necessarily have a registered email with lon-capa, but whenever it
> >>> exists, it ought to be possible to get a new password via email.
> >>>
> >>> Lars.
> >>>
> >>> Gerd Kortemeyer wrote:
> >>>> Hi,
> >>>>
> >>>>> On Thu, 14 Sep 2006, Ray Batchelor wrote:
> >>>>>>     How can one quickly reset the passwords for a bunch of
> >>>>>> internally authenticated students in a hosted course??  Course
> >>>>>> coordinators can't reset
> >>>>>> passwords, it seems to me.
> >>>>
> >>>> On Sep 14, 2006, at 8:05 PM, lucasm at ohiou.edu wrote:
> >>>>> Have fun, Ray. This is a domain coordinator only ability as far as I
> >>>>> know.
> >>>>
> >>>> Yep. At some point, I would like to add the functionality that if a
> >>>> domain coordinator impersonates a course coordinator, they can upload
> >>>> class lists and overwrite the password. I have spent longer than I
> >>>> care to admit resetting passwords one-by-one by hand.
> >>>>
> >>>>> I have considered writing a script to do this, but I'm not sure this
> >>>>> is sanctioned behavior for root!
> >>>>
> >>>> A script is the way to go for now, I think. The file is
> >>>>
> >>>> /home/httpd/lonUsers/(your_domain)/(first)/(second)/(third)/(username)/password
> >>>>
> >>>>
> >>>> for example
> >>>>
> >>>> /home/httpd/lonUsers/msu/k/o/r/kortemey/password
> >>>>
> >>>> For internally authenticated, it looks like this:
> >>>>
> >>>> internal:3XbDe45Bh
> >>>>
> >>>> where the latter is the encrypted password.
> >>>>
> >>>> Reset one password by hand, and copy that file to the rest of the
> >>>> users. Somebody probably already has a script like that ...
> >>>>
> >>>> BTW, the reason that course coordinators cannot do this is that the
> >>>> confusion would be great if a kid is already in some courses, and
> >>>> then their password gets messed up because they were added to another
> >>>> course. We didn't want passwords to bounce around like that at the
> >>>> discretion of just any course coordinator.
> >>>>
> >>>> - Gerd.
> >>>> _______________________________________________
> >>>> LON-CAPA-admin mailing list
> >>>> LON-CAPA-admin at mail.lon-capa.org
> >>>> http://mail.lon-capa.org/mailman/listinfo/lon-capa-admin
> >>>
> >>
>

-- 
Dr. Todd Ruskell
Senior Lecturer, Department of Physics       Office:  Meyer Hall 326
Colorado School of Mines                     Phone: 303-384-2080
1523 Illinois Street                         Fax: 303-273-3919
Golden, CO 80401
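A pre-flight check for the two files Todd's message describes, added here as an example; it is not code from the thread or from LON-CAPA. It assumes the config and keytab paths are passed in (defaults are the /etc paths Todd lists), that `ls -l` prints the usual ten-character mode column, and that `kinit`/`klist` are the MIT clients (the `-k -t` flags); the principal in the usage comment is a placeholder. The point of the keytab check is that the keytab is a long-term secret equivalent to the service's password, so the 0600 root-only mode Todd was told to use is the only acceptable one; the ticket check only proves the KDC accepts the keytab and the realm in krb5.conf resolves (realm names are case-sensitive, which matches Todd's observation), not that LON-CAPA's own login path works.

```sh
#!/bin/sh
# Added example (not from the thread or from LON-CAPA): sanity-check the
# Kerberos files before switching LON-CAPA's authentication to "Kerberos 5".
# Assumptions: MIT kinit/klist flags; paths given as arguments or the /etc
# defaults from the thread; the principal below is a placeholder.

# Print the group+other permission characters of a file, e.g. "r--r--" or "------".
perm_tail() {
    # ls -ld prints "-rw-------  1 root root ..."; characters 5..10 are the g+o bits.
    ls -ld "$1" | cut -c5-10
}

# Config must be readable; keytab must grant nothing to group or other.
# Exit status 0 = OK, 1 = problem. Findings go to stderr.
krb_check_files() {
    conf=$1
    keytab=$2
    rc=0
    if [ ! -r "$conf" ]; then
        echo "krb5.conf $conf is missing or unreadable" >&2
        rc=1
    fi
    if [ ! -f "$keytab" ]; then
        echo "keytab $keytab is missing" >&2
        return 1
    fi
    if [ "$(perm_tail "$keytab")" != "------" ]; then
        echo "keytab $keytab is readable/writable by group or other: chmod 600 it" >&2
        rc=1
    fi
    return $rc
}

# Optional live check: get a ticket from the keytab (no password prompt) and list it.
# Usage: krb_check_ticket /etc/krb5.keytab host/server.example.edu@EXAMPLE.EDU
# The principal is a placeholder; use one from your keytab (see `klist -k`).
krb_check_ticket() {
    keytab=$1
    principal=$2
    command -v kinit >/dev/null 2>&1 || { echo "kinit not installed" >&2; return 1; }
    kinit -k -t "$keytab" "$principal" || return 1
    klist
}

# Stand-alone usage: ./krbcheck.sh [krb5.conf] [krb5.keytab]
if [ $# -gt 0 ]; then
    krb_check_files "${1:-/etc/krb5.conf}" "${2:-/etc/krb5.keytab}"
fi
```

Run it as root on the library server after installing the files; a keytab that reads `r--r--` here is the thing to fix before enabling Kerberos, since anyone who can read it can authenticate as that service principal.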

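The "reset one by hand, then copy that file" procedure from Gerd's quoted message, written out as an added example; this is not a script from the thread or from LON-CAPA. It assumes the per-user layout Gerd gives (lonUsers/domain/first/second/third/username/password, with first..third being the first three characters of the username), the `internal:<hash>` file format he shows, and that it runs as root on the library server. Padding usernames shorter than three characters with `_` is an assumption from memory of `propath()` in lonnet.pm, not something the thread states. The script refuses to create directories (so it never invents accounts) and refuses to overwrite a user whose password file is not `internal:`, which is the guard Jim's question implies: an LDAP or Kerberos user must not be silently converted back to an internal password.

```sh
#!/bin/sh
# Added example (not from the thread or from LON-CAPA): copy one hand-reset
# internal password file onto a list of users, as Gerd describes.
# Assumptions: the lonUsers layout and "internal:<hash>" format from the
# thread; '_' padding for short usernames (from memory of lonnet.pm propath(),
# an assumption); run as root on the library server.

LON_USERS_DIR=${LON_USERS_DIR:-/home/httpd/lonUsers}

# Print the directory that holds a user's files.
lon_user_dir() {
    dom=$1
    uname=$2
    padded="${uname}__"
    printf '%s/%s/%s/%s/%s/%s\n' "$LON_USERS_DIR" "$dom" \
        "$(printf '%s' "$padded" | cut -c1)" \
        "$(printf '%s' "$padded" | cut -c2)" \
        "$(printf '%s' "$padded" | cut -c3)" \
        "$uname"
}

# lon_copy_password <domain> <seed_user> <user> [<user> ...]
# Copies the seed user's password file to each target. Skips targets whose
# directory does not exist and targets that are not internally authenticated.
# Prints each user actually changed; returns 1 if anything was skipped.
lon_copy_password() {
    dom=$1
    seed=$2
    shift 2
    seedfile="$(lon_user_dir "$dom" "$seed")/password"
    if ! grep -q '^internal:' "$seedfile" 2>/dev/null; then
        echo "seed $seed is missing or not internally authenticated" >&2
        return 1
    fi
    rc=0
    for u in "$@"; do
        dir=$(lon_user_dir "$dom" "$u")
        if [ ! -d "$dir" ]; then
            echo "skip $u: no such user directory $dir" >&2; rc=1; continue
        fi
        if ! grep -q '^internal:' "$dir/password" 2>/dev/null; then
            echo "skip $u: not internally authenticated" >&2; rc=1; continue
        fi
        # Install atomically, keeping the seed file's mode/ownership (cp -p + rename).
        cp -p "$seedfile" "$dir/password.tmp" \
            && mv -f "$dir/password.tmp" "$dir/password" \
            && echo "$u"
    done
    return $rc
}

# Stand-alone usage: lon_reset.sh <domain> <seed_user> <user> [<user> ...]
if [ $# -ge 3 ]; then
    lon_copy_password "$@"
fi
```

Every target ends up with the same hash, hence the same temporary password, so tell the students to change it at first login; the script only does what Gerd's manual procedure does, just without the one-by-one copying.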