[LON-CAPA-cvs] cvs: loncom /html/adm/help/tex Domain_Configuration_LangTZAuth.tex Domain_Configuration_Passwords.tex

raeburn raeburn at source.lon-capa.org
Wed Jan 8 14:03:55 EST 2020


raeburn		Wed Jan  8 19:03:55 2020 EDT

  Added files:                 
    /loncom/html/adm/help/tex	Domain_Configuration_Passwords.tex 

  Modified files:              
    /loncom/html/adm/help/tex	Domain_Configuration_LangTZAuth.tex 
  Log:
  - Documentation for domain configuration for Passwords (Internal auth).
  - Configuration of encryption for stored passwords (internal auth) moved
    from "Default authentication/language/timezone/portal/types" to
    "Passwords (Internal authentication)" section in "Set domain configuration".
  
  
Index: loncom/html/adm/help/tex/Domain_Configuration_LangTZAuth.tex
diff -u loncom/html/adm/help/tex/Domain_Configuration_LangTZAuth.tex:1.11 loncom/html/adm/help/tex/Domain_Configuration_LangTZAuth.tex:1.12
--- loncom/html/adm/help/tex/Domain_Configuration_LangTZAuth.tex:1.11	Thu Mar 30 02:07:20 2017
+++ loncom/html/adm/help/tex/Domain_Configuration_LangTZAuth.tex	Wed Jan  8 19:03:55 2020
@@ -37,31 +37,6 @@
 for a specific alias used for the domain.
 \end{itemize}
 
-\textbf{Domain settings for internal authentication} can also be set via the same screen.
-
-\begin{itemize}
-\item \textit{Encryption cost for bcrypt} (positive integer). Starting with 2.11.2, 
-bcrypt is used to encrypt the password for an internally authenticated user.
-The complexity of the encryption is determined by the bcrypt cost value. A higher 
-value means more complexity (and more time to validate a user's password). The
-cost needs to be a positive integer. If no value is set in a domain, a default
-of 10 will be used.
-\item \textit{Check bcrypt cost if authenticated}. When an internally authenticated user
-logins and the credentials are validated, the bcrypt cost used for the original
-encryption can be compared with the current domain default. If the cost for
-the stored encryption is less than the current domain setting, there are two 
-options - either allow login and update the stored encryption using the higher cost,
-or disallow login.  The default is not to compare the original cost with the
-current domain setting.
-\item \textit{Existing crypt-based switched to bcrypt if authenticated}. When an internally 
-authenticated user logs-in and the credentials are validated, if the stored
-credentials are currently encrypted with crypt, there is an option to update
-the stored encryption to use bcrypt, with or without backing-up the existing passwd
-file to a passwd.bak file.  The default is not to update the stored passwd file,
-so existing users who have crypt-based stored passwords will continue to do so 
-until such time as they change their password.
-\end{itemize}
-
 \textbf{Institutional user types} can also be defined for the domain via the same screen.
 
 Prior to LON-CAPA 2.11, institutional user types were defined in the \&inst\_usertypes
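Review bot: the removal of the "Domain settings for internal authentication" paragraph and its bcrypt itemize leaves no pointer in this section to where those settings now live; since the removed text was reached from the same screen description, consider keeping a one-line sentence in its place such as "Settings for internally authenticated users (bcrypt cost, crypt to bcrypt migration) are described in the Passwords (Internal authentication) section" with a \ref to the new Domain_Configuration_Passwords label, so readers of the existing help page are not left wondering where the bcrypt cost and crypt-to-bcrypt options went. The removed lines also carry the wording "logins" for "logs in"; if the text is being moved verbatim, that is the moment to fix it rather than propagate it.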

Index: loncom/html/adm/help/tex/Domain_Configuration_Passwords.tex
+++ loncom/html/adm/help/tex/Domain_Configuration_Passwords.tex
\label{Domain_Configuration_Passwords}
For user accounts in LON-CAPA for which the authentication type is set to internal,
domain settings are available for: (a) User reset of a forgotten password;
(b) Encryption used to store passwords; (c) Rules for password length, complexity and
reuse; (d) Course Owner changes to passwords of enrolled students.

\textbf{Resetting Forgotten Password}

Users have been able to reset a forgotten password since LON-CAPA 2.3, by
entering username, domain and e-mail address in a web form reached via the
"Forgot Password?" link on the log-in page. If the information submitted 
via the web form matches that stored in LON-CAPA for that user (and the user's
authentication type is ``internal''), then an e-mail will be sent to the user's e-mail 
address, containing a time-limited link, which when followed will display a
second web form, in which the user enters e-mail address, username, e-mail
address, and a new password.

Starting with LON-CAPA 2.11.3 this procedure can be customized in the following ways:
\begin{itemize}
\item Type of Captcha (for robot suppression) to use with the initial web form.
\item Expiration time of the time-limited link in the generated e-mail.
\item Whether checking of username and/or e-mail address is/are case-sensitive.
\item Whether just username, or just e-mail address or both are submitted in the first form.
\item Whether information besides the new password is required in the second form.
\item Which e-mail address(es) stored for a user in LON-CAPA may be used in the password reset.
\item Whether custom text should be used as a preamble for the initial web form.
\end{itemize} 
If ``Institutional Types'' (e.g., faculty, student etc.) have been defined for a domain
then some of the customizations can be made dependent on a user's institutional type.

\textbf{Encryption of Stored Passwords}
\begin{itemize}
\item \textit{Encryption cost for bcrypt} (positive integer). Starting with 2.11.2 
bcrypt is used to encrypt the password for an internally authenticated user.
The complexity of the encryption is determined by the bcrypt cost value. A higher
value means more complexity (and more time to validate a user's password). The
cost needs to be a positive integer. If no value is set in a domain, a default
of 10 will be used.
\item \textit{Check bcrypt cost if authenticated}. When an internally authenticated user
logins and the credentials are validated, the bcrypt cost used for the original
encryption can be compared with the current domain default. If the cost for
the stored encryption is less than the current domain setting, there are two
options - either allow login and update the stored encryption using the higher cost,
or disallow login.  The default is not to compare the original cost with the
current domain setting.
\item \textit{Existing crypt-based switched to bcrypt if authenticated}. When an internally
authenticated user logs-in and the credentials are validated, if the stored
credentials are currently encrypted with crypt, there is an option to update
the stored encryption to use bcrypt, with or without backing-up the existing passwd
file to a passwd.bak file.  The default is not to update the stored passwd file,
so existing users who have crypt-based stored passwords will continue to do so
until such time as they change their password.
\end{itemize}

\textbf{Rules for LON-CAPA Passwords}

Starting with LON-CAPA 2.11.3 requirements can be set for password length, 
whether special characters or mixed case are required, and how many (if any)
previous passwords to save for a user (disallow reuse).

\textbf{Course Owner Changing Student Passwords}

Starting with LON-CAPA 2.11.3 a domain can be configured to allow a course owner 
to change a student's password, if the following conditions are met:
\begin{itemize}
\item same domain is used by owner, course, and student,
\item student has no active or future roles besides student role in courses
 owned by the course owner making the change,
\item course container is not a Community.
\item owner is course coordinator in the course,
\item setting to disable this action has not been set for the specific course. 
\end{itemize}
If ``Institutional Types'' (e.g., faculty, staff, student etc.) have been defined 
for a domain then which course owners may change student passwords can be restricted
to specific types.  In addition, which students may have their passwords changed can 
also be restricted to specific types.

The default is to not allow Course owners to change a student's password. 
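Review bot: the description of the second web form, "the user enters e-mail address, username, e-mail address, and a new password", lists e-mail address twice; drop the duplicate so the form's required fields read correctly. Two smaller wording points: "When an internally authenticated user logins and the credentials are validated" should read "logs in", and the item "course container is not a Community." ends with a period while its sibling items end with commas. A terminology point for the "Encryption of Stored Passwords" section: bcrypt and crypt produce one-way password hashes, not reversible encryption, so "hashed" and "hash cost" would be more accurate than "encrypted" and "encryption cost", and a reader deciding on the bcrypt cost value benefits from knowing the stored value cannot be decrypted. Finally, since the crypt-to-bcrypt upgrade can back up the existing passwd file to passwd.bak, it would help to state that this backup retains the weaker crypt-based hash on disk and should be removed once the upgrade has been verified.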