File:  [LON-CAPA] / loncom / html / adm / help / tex / Domain_Configuration_LangTZAuth.tex
Revision 1.11
Thu Mar 30 02:07:20 2017 UTC (7 years, 3 months ago) by raeburn
Branches: MAIN
CVS tags: version_2_11_2_uiuc, version_2_11_2_msu, version_2_11_2_educog, version_2_11_2, HEAD
- Document domain configuration for internal authentication using bcrypt
  to encrypt a user's password.

\label{Domain_Configuration_LangTZAuth}
Prior to LON-CAPA 2.7, default language and authentication type/argument
were defined in the domain's entry in the domain.tab file. Those settings
will continue to be used by servers in your domain until you have
displayed and saved the Default authentication, language, timezone data
table. Once that has been done, whenever values need to be determined
for these settings in the domain they will be retrieved from the configuration.db
file on the primary library server in your domain, which is where
information saved from the {}``Domain Configuration'' data tables
is stored. Any information in the domain.tab file will no longer be
consulted, except by servers running pre-2.7 versions of LON-CAPA.

\textbf{Default domain configurations} can be assigned for: 

\begin{itemize}
\item \textit{default language} used by users in your domain, unless overridden by
a user preference
\item \textit{default authentication type} for new users in the domain. You will
need to set the default authentication if you intend to allow a user
to create a LON-CAPA account if the user successfully authenticated
via a central service at your institution (e.g., Kerberos), but is
without a LON-CAPA account. The default authentication is also the
default offered when Course Coordinators or Authors create new accounts,
assuming user creation is permitted in these contexts.
\item \textit{default timezone} - this will be the timezone used when showing any
times in your domain, unless overridden at a course level, by a course-wide
timezone. The timezones available are mostly in the form Continent/City,
although for the USA there are some in the form America/State/City
as well as EST5EDT, CST6CDT, MST7MDT, PST8PDT and HST (for Eastern,
Central, Mountain, Pacific and Hawaii Timezones, which adjust for
daylight saving time as appropriate). If no default timezone is set, times
will be displayed according to the timezone of the server hosting
the user's LON-CAPA session.
\item \textit{portal/default URL} - starting with LON-CAPA 2.10, a default URL can
be specified.  This URL will be included in e-mail sent to confirm self-enrollment etc.
and might be for a load-balancer LON-CAPA server, or in the case of a multi-domain server,
for a specific alias used for the domain.
\end{itemize}

\textbf{Domain settings for internal authentication} can also be set via the same screen.

\begin{itemize}
\item \textit{Encryption cost for bcrypt} (positive integer). Starting with 2.11.2, 
bcrypt is used to encrypt the password for an internally authenticated user.
The complexity of the encryption is determined by the bcrypt cost value. A higher 
value means more complexity (and more time to validate a user's password). The
cost needs to be a positive integer. If no value is set in a domain, a default
of 10 will be used.
\item \textit{Check bcrypt cost if authenticated}. When an internally authenticated user
logs in and the credentials are validated, the bcrypt cost used for the original
encryption can be compared with the current domain default. If the cost for
the stored encryption is less than the current domain setting, there are two
options - either allow login and update the stored encryption using the higher cost,
or disallow login. The default is not to compare the original cost with the
current domain setting.
\item \textit{Existing crypt-based switched to bcrypt if authenticated}. When an internally
authenticated user logs in and the credentials are validated, if the stored
credentials are currently encrypted with crypt, there is an option to update
the stored encryption to use bcrypt, with or without backing up the existing passwd
file to a passwd.bak file. The default is not to update the stored passwd file,
so existing users who have crypt-based stored passwords will continue to have them
until such time as they change their password.
\end{itemize}
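The three settings above combine into one login-time decision: validate the stored credential, detect whether it is crypt- or bcrypt-based, compare the stored bcrypt cost with the domain default, and then leave, rehash, back up and migrate, or refuse. The following Python script is an added example of that decision logic and is not LON-CAPA's own (Perl) code. Because it must run without the bcrypt module, the hashing primitives are labelled stand-ins: a cost-parameterised PBKDF2 stands in for bcrypt (work factor 2**cost, stored with the cost in the string so it can be read back, as bcrypt's `$2a$NN$` prefix allows) and a fixed-cost, no-prefix digest stands in for legacy crypt. The setting values (`off`, `update`, `disallow`, `update_backup`), the `files` dictionary standing in for the user's passwd/passwd.bak files, and all function names are assumptions for the example.

```python
import base64
import hashlib
import hmac
import os

DEFAULT_BCRYPT_COST = 10  # the domain default named in the help text when no value is set

# --- Stand-in hashing primitives (assumed; not LON-CAPA's real bcrypt/crypt calls) ---

def standin_bcrypt(password, cost, salt=None):
    """Cost-parameterised hash standing in for bcrypt: 2**cost PBKDF2-HMAC-SHA256
    rounds, stored as '$standin-bcrypt$<cost>$<salt>$<hash>' so the cost is recoverable."""
    if not isinstance(cost, int) or cost < 1:
        raise ValueError("bcrypt cost must be a positive integer")
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 2 ** cost)
    return "$standin-bcrypt$%d$%s$%s" % (
        cost, base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def standin_crypt(password, salt="ab"):
    """Stand-in for legacy crypt(3): fixed cost, two-character salt prefix, no '$' marker."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()[:11]
    return salt + digest


def parse_stored(stored):
    """Classify a stored credential: ('bcrypt', cost) or ('crypt', None) by its format."""
    if stored.startswith("$standin-bcrypt$"):
        return "bcrypt", int(stored.split("$")[2])
    return "crypt", None


def verify(password, stored):
    """Recompute with the stored scheme, salt and cost, then compare in constant time."""
    scheme, _cost = parse_stored(stored)
    if scheme == "bcrypt":
        _, _, cost_s, salt_b64, _ = stored.split("$")
        recomputed = standin_bcrypt(password, int(cost_s), base64.b64decode(salt_b64))
    else:
        recomputed = standin_crypt(password, stored[:2])
    return hmac.compare_digest(recomputed, stored)


def login(password, files, domain):
    """Validate against files['passwd'] and apply the domain's three settings.

    files:  dict standing in for the user's password directory
            ({'passwd': stored_string, optionally 'passwd.bak': ...}).
    domain: {'cost': int, 'check_cost': 'off'|'update'|'disallow',
             'crypt_to_bcrypt': 'off'|'update'|'update_backup'}; defaults are 'off'.
    Returns (allowed, action) so the caller can log what happened.
    """
    stored = files["passwd"]
    if not verify(password, stored):
        return False, "bad-credentials"          # never touch stored data on failure
    scheme, cost = parse_stored(stored)
    target = domain.get("cost", DEFAULT_BCRYPT_COST)

    if scheme == "crypt":                         # "Existing crypt-based switched to bcrypt"
        mode = domain.get("crypt_to_bcrypt", "off")
        if mode == "off":
            return True, "kept-crypt"             # default: unchanged until password change
        if mode == "update_backup":
            files["passwd.bak"] = stored          # keep a copy of the old passwd file
        files["passwd"] = standin_bcrypt(password, target)
        return True, "migrated-to-bcrypt"

    mode = domain.get("check_cost", "off")        # "Check bcrypt cost if authenticated"
    if mode == "off" or cost >= target:
        return True, "ok"                         # default: no comparison, or already strong enough
    if mode == "disallow":
        return False, "cost-too-low"
    files["passwd"] = standin_bcrypt(password, target)  # allow login, upgrade stored cost
    return True, "rehashed"


if __name__ == "__main__":
    # Constructed walk-through: a crypt-era user logging in under a domain that migrates and re-checks.
    files = {"passwd": standin_crypt("s3cret")}
    domain = {"cost": 6, "check_cost": "update", "crypt_to_bcrypt": "update_backup"}
    print(login("s3cret", files, domain), parse_stored(files["passwd"]))
    domain["cost"] = 8
    print(login("s3cret", files, domain), parse_stored(files["passwd"]))
```

Two details carry over to a real deployment: the cost comparison only makes sense because the cost is stored inside the credential string, which is why a rehash has to rewrite the whole passwd entry rather than just a setting, and nothing in the stored files is modified until the submitted password has been verified, so a failed login can never trigger a migration or backup.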

\textbf{Institutional user types} can also be defined for the domain via the same screen.

Prior to LON-CAPA 2.11, institutional user types were defined in the \&inst\_usertypes
subroutine in localenroll.pm, which would be customized for consistency with types 
defined in institutional data feeds.  Setting of user types via the Domain Configuration
web GUI supersedes use of localenroll::inst\_usertypes().  Items that can be set are:

\begin{itemize}
\item \textit{Internal ID} (e.g., faculty)
\item \textit{Name Displayed} (e.g., Faculty/Academic Staff)
\item \textit{Order} (Listing order, 1 through N, when the type is to be selected from a list).
\item \textit{Assignment to ``email-based'' usernames} - whether the status type can also be assigned to a non-institutional user with an e-mail address as username.
\end{itemize}
