--- loncom/html/adm/help/tex/Domain_Configuration_LangTZAuth.tex 2015/03/26 18:49:02 1.10 +++ loncom/html/adm/help/tex/Domain_Configuration_LangTZAuth.tex 2017/03/30 02:07:20 1.11 @@ -10,19 +10,19 @@ information saved from the {}``Domain Co is stored. Any information in the domain.tab file will no longer be consulted, except by servers running pre-2.7 versions of LON-CAPA. -Default domain configurations can be assigned for: +\textbf{Default domain configurations} can be assigned for: \begin{itemize} -\item default language used by users in your domain, unless overridden by +\item \textit{default language} used by users in your domain, unless overridden by a user preference -\item default authentication type for new users in the domain. You will +\item \textit{default authentication type} for new users in the domain. You will need to set the default authentication if you intend to allow a user to create a LON-CAPA account if the user successfully authenticated via a central service at your institution (e.g., Kerberos), but is without a LON-CAPA account. The default authentication is also the default offered when Course Coordinators or Authors create new accounts, assuming user creation is permitted in these contexts. -\item default timezone - this will be the timezone used when showing any +\item \textit{default timezone} - this will be the timezone used when showing any times in your domain, unless overridden at a course level, by a course-wide timezone. The timezones available are mostly in the form Continent/City, although for the USA there are some in the form America/State/City 
@@ -31,13 +31,38 @@ Central, Mountain, Pacific and Hawaii Ti daylight savings as appropriate). If no default timezone is set times will be displayed according to the timezone of the server hosting the user's LON-CAPA session. -\item portal/default URL - starting with LON-CAPA 2.10, a default URL can +\item \textit{portal/default URL} - starting with LON-CAPA 2.10, a default URL can be specified. This URL will be included in e-mail sent to confirm self-enrollment etc. and might be for a load-balancer LON-CAPA server, or in the case of a multi-domain server, for a specific alias used for the domain. \end{itemize} -Domain configurations can also be set for institutional user types via the same screen. +\textbf{Domain settings for internal authentication} can also be set via the same screen. + +\begin{itemize} +\item \textit{Encryption cost for bcrypt} (positive integer). Starting with 2.11.2, +bcrypt is used to encrypt the password for an internally authenticated user. +The complexity of the encryption is determined by the bcrypt cost value. A higher +value means more complexity (and more time to validate a user's password). The +cost needs to be a positive integer. If no value is set in a domain, a default +of 10 will be used. +\item \textit{Check bcrypt cost if authenticated}. When an internally authenticated user +logins and the credentials are validated, the bcrypt cost used for the original +encryption can be compared with the current domain default. If the cost for +the stored encryption is less than the current domain setting, there are two +options - either allow login and update the stored encryption using the higher cost, +or disallow login. The default is not to compare the original cost with the +current domain setting. +\item \textit{Existing crypt-based switched to bcrypt if authenticated}. 
When an internally +authenticated user logs-in and the credentials are validated, if the stored +credentials are currently encrypted with crypt, there is an option to update +the stored encryption to use bcrypt, with or without backing-up the existing passwd +file to a passwd.bak file. The default is not to update the stored passwd file, +so existing users who have crypt-based stored passwords will continue to do so +until such time as they change their password. +\end{itemize} + +\textbf{Institutional user types} can also be defined for the domain via the same screen. Prior to LON-CAPA 2.11, institutional user types were defined in the \&inst\_usertypes subroutine in localenroll.pm, which would be customized for consistency with types @@ -45,10 +70,9 @@ defined in institutional data feeds. Se web GUI supersedes use of localenroll::inst\_usertypes(). Items that can be set are: \begin{itemize} -\item Internal ID (e.g., faculty) -\item Name Displayed (e.g., Faculty/Academic Staff) -\item Order (Listing order, 1 through N, when the type is to be selected from a list). -\item Whether status type can also be assigned to a non-institutional user with an e-mail - address as username +\item \textit{Internal ID} (e.g., faculty) +\item \textit{Name Displayed} (e.g., Faculty/Academic Staff) +\item \textit{Order} (Listing order, 1 through N, when the type is to be selected from a list). +\item \textit{Assignment to ``email-based'' usernames} Whether status type can also be assigned to a non-institutional user with an e-mail address as username \end{itemize}
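Review bot: with the labels now italicised, the first list (hunk at -10,19) separates label from description inconsistently: \textit{default timezone} is followed by " - this will be the timezone ..." while \textit{default language} and \textit{default authentication type} run straight into the sentence. Suggest one convention for the whole list, for example a colon after each label; the bare " - " also typesets as a hyphen in LaTeX rather than a dash.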
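Review bot: in the new \textit{Encryption cost for bcrypt} item (hunk at -31,13), the text says bcrypt is used to "encrypt the password" and only requires the cost to be "a positive integer"; bcrypt is a one-way password hash, and its cost is the base-2 logarithm of the iteration count, so each increment doubles the time to validate a password. Suggest saying "hash" rather than "encrypt" throughout the three items, stating the range of values the setting accepts, and mentioning the doubling so an administrator does not choose a cost that makes logins stall. In \textit{Check bcrypt cost if authenticated}, "logins" should be "logs in" (and "logs-in" in the following item likewise), and the "disallow login" option needs a sentence on how an affected user regains access. For \textit{Existing crypt-based switched to bcrypt if authenticated}, the passwd.bak option leaves the old crypt-based value on disk after the update; the text should say so, so that the backup is removed once the switch is confirmed.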
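Review bot: the last item in the institutional user types list (hunk at -45,10), \textit{Assignment to ``email-based'' usernames}, runs the italic label directly into "Whether status type can also be assigned ..." with no separator, unlike \textit{Internal ID}, \textit{Name Displayed} and \textit{Order}, which put their explanation in parentheses. Suggest a colon after the label or the same parenthesised form, and rewrapping the line, which was two wrapped lines before this change and is now one long line.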