Annotation of loncom/html/adm/help/tex/Domain_Configuration_Passwords.tex, revision 1.1
1.1 ! raeburn 1: \label{Domain_Configuration_Passwords}
! 2: For user accounts in LON-CAPA for which the authentication type is set to internal,
! 3: domain settings are available for: (a) User reset of a forgotten password;
! 4: (b) Encryption used to store passwords; (c) Rules for password length, complexity and
! 5: reuse; (d) Course Owner changes to passwords of enrolled students.
! 6:
! 7: \textbf{Resetting Forgotten Password}
! 8:
! 9: Users have been able to reset a forgotten password since LON-CAPA 2.3, by
! 10: entering username, domain and e-mail address in a web form reached via the
! 11: ``Forgot Password?'' link on the log-in page. If the information submitted
! 12: via the web form matches that stored in LON-CAPA for that user (and the user's
! 13: authentication type is ``internal''), then an e-mail will be sent to the user's e-mail
! 14: address, containing a time-limited link, which when followed will display a
! 15: second web form, in which the user enters e-mail address, username,
! 16: and a new password.
! 17:
! 18: Starting with LON-CAPA 2.11.3 this procedure can be customized in the following ways:
! 19: \begin{itemize}
! 20: \item Type of Captcha (for robot suppression) to use with the initial web form.
! 21: \item Expiration time of the time-limited link in the generated e-mail.
! 22: \item Whether checking of username and/or e-mail address is case-sensitive.
! 23: \item Whether just username, or just e-mail address or both are submitted in the first form.
! 24: \item Whether information besides the new password is required in the second form.
! 25: \item Which e-mail address(es) stored for a user in LON-CAPA may be used in the password reset.
! 26: \item Whether custom text should be used as a preamble for the initial web form.
! 27: \end{itemize}
! 28: If ``Institutional Types'' (e.g., faculty, student etc.) have been defined for a domain
! 29: then some of the customizations can be made dependent on a user's institutional type.
! 30:
! 31: \textbf{Encryption of Stored Passwords}
! 32: \begin{itemize}
! 33: \item \textit{Encryption cost for bcrypt} (positive integer). Starting with 2.11.2
! 34: bcrypt is used to encrypt the password for an internally authenticated user.
! 35: The complexity of the encryption is determined by the bcrypt cost value. A higher
! 36: value means more complexity (and more time to validate a user's password). The
! 37: cost needs to be a positive integer. If no value is set in a domain, a default
! 38: of 10 will be used.
! 39: \item \textit{Check bcrypt cost if authenticated}. When an internally authenticated user
! 40: logs in and the credentials are validated, the bcrypt cost used for the original
! 41: encryption can be compared with the current domain default. If the cost for
! 42: the stored encryption is less than the current domain setting, there are two
! 43: options - either allow login and update the stored encryption using the higher cost,
! 44: or disallow login. The default is not to compare the original cost with the
! 45: current domain setting.
! 46: \item \textit{Existing crypt-based switched to bcrypt if authenticated}. When an internally
! 47: authenticated user logs in and the credentials are validated, if the stored
! 48: credentials are currently encrypted with crypt, there is an option to update
! 49: the stored encryption to use bcrypt, with or without backing up the existing passwd
! 50: file to a passwd.bak file. The default is not to update the stored passwd file,
! 51: so existing users who have crypt-based stored passwords will continue to do so
! 52: until such time as they change their password.
! 53: \end{itemize}
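
The decision made after a successful login under the two optional settings above can be sketched as follows. This is an added example, not LON-CAPA code: the function and parameter names are hypothetical, and it assumes stored bcrypt values use the common modular-crypt layout with the cost embedded in the string.

```python
import re
from enum import Enum

# Assumption: bcrypt values are stored in the common modular-crypt layout
# "$2a$<2-digit cost>$<22-char salt><31-char digest>" (not confirmed for LON-CAPA).
BCRYPT_RE = re.compile(r"^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$")
# Traditional DES crypt(3) output: 2-char salt followed by an 11-char digest.
DES_CRYPT_RE = re.compile(r"^[./A-Za-z0-9]{13}$")

# Constructed sample values (filler characters, not real password hashes).
OLD_BCRYPT = "$2a$08$" + "A" * 53
CUR_BCRYPT = "$2a$10$" + "B" * 53
DES_CRYPT = "ab" + "C" * 11


class Action(Enum):
    ALLOW = "allow"
    ALLOW_AND_REHASH = "allow, then re-hash at the domain cost"
    DENY = "deny"


def stored_cost(stored):
    """Return the bcrypt cost embedded in a stored value, or None if not bcrypt."""
    m = BCRYPT_RE.match(stored)
    return int(m.group(1)) if m else None


def relative_work(old_cost, new_cost):
    """bcrypt cost is a base-2 logarithm: each +1 doubles the hashing work."""
    return 2 ** (new_cost - old_cost)


def post_login_action(stored, domain_cost=10, check_cost=None, crypt_to_bcrypt=False):
    """Decide what happens after the submitted password has been validated.

    check_cost: None (no comparison, the documented default), "update" or "deny".
    """
    if check_cost not in (None, "update", "deny"):
        raise ValueError("check_cost must be None, 'update' or 'deny'")
    if not isinstance(domain_cost, int) or domain_cost < 1:
        raise ValueError("bcrypt cost must be a positive integer")
    cost = stored_cost(stored)
    if cost is None:
        if not DES_CRYPT_RE.match(stored):
            raise ValueError("unrecognised stored password format")
        return Action.ALLOW_AND_REHASH if crypt_to_bcrypt else Action.ALLOW
    if check_cost is None or cost >= domain_cost:
        return Action.ALLOW
    return Action.ALLOW_AND_REHASH if check_cost == "update" else Action.DENY
```

Re-hashing is only possible at this point because the cleartext password is available during a validated login; an account that never logs in keeps its old cost or crypt-based value.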
! 54:
! 55: \textbf{Rules for LON-CAPA Passwords}
! 56:
! 57: Starting with LON-CAPA 2.11.3, requirements can be set for password length,
! 58: whether special characters or mixed case are required, and how many (if any)
! 59: previous passwords to save for a user (to disallow reuse).
! 60:
! 61: \textbf{Course Owner Changing Student Passwords}
! 62:
! 63: Starting with LON-CAPA 2.11.3 a domain can be configured to allow a course owner
! 64: to change a student's password, if the following conditions are met:
! 65: \begin{itemize}
! 66: \item same domain is used by owner, course, and student,
! 67: \item student has no active or future roles besides student role in courses
! 68: owned by the course owner making the change,
! 69: \item course container is not a Community,
! 70: \item owner is course coordinator in the course,
! 71: \item setting to disable this action has not been set for the specific course.
! 72: \end{itemize}
! 73: If ``Institutional Types'' (e.g., faculty, staff, student etc.) have been defined
! 74: for a domain then which course owners may change student passwords can be restricted
! 75: to specific types. In addition, which students may have their passwords changed can
! 76: also be restricted to specific types.
! 77:
! 78: The default is to not allow course owners to change a student's password.