File:  [LON-CAPA] / loncom / html / adm / help / tex / Domain_Configuration_Passwords.tex
Revision 1.1
Wed Jan 8 19:03:55 2020 UTC (4 years, 7 months ago) by raeburn
Branches: MAIN
CVS tags: version_2_12_X, version_2_11_X, version_2_11_5_msu, version_2_11_5, version_2_11_4_uiuc, version_2_11_4_msu, version_2_11_4, version_2_11_3_uiuc, version_2_11_3_msu, version_2_11_3, HEAD
- Documentation for domain configuration for Passwords (Internal auth).
- Configuration of encryption for stored passwords (internal auth) moved
  from "Default authentication/language/timezone/portal/types" to
  "Passwords (Internal authentication)" section in "Set domain configuration".

\label{Domain_Configuration_Passwords}
For user accounts in LON-CAPA for which the authentication type is set to internal,
domain settings are available for: (a) User reset of a forgotten password;
(b) Encryption used to store passwords; (c) Rules for password length, complexity and
reuse; (d) Course Owner changes to passwords of enrolled students.

\textbf{Resetting Forgotten Password}

Users have been able to reset a forgotten password since LON-CAPA 2.3, by
entering username, domain and e-mail address in a web form reached via the
``Forgot Password?'' link on the log-in page. If the information submitted
via the web form matches that stored in LON-CAPA for that user (and the user's
authentication type is ``internal''), then an e-mail will be sent to the user's e-mail
address, containing a time-limited link, which when followed will display a
second web form, in which the user enters e-mail address, username, and a new
password.

Starting with LON-CAPA 2.11.3 this procedure can be customized in the following ways:
\begin{itemize}
\item Type of Captcha (for robot suppression) to use with the initial web form.
\item Expiration time of the time-limited link in the generated e-mail.
\item Whether checking of username and/or e-mail address is case-sensitive.
\item Whether just username, just e-mail address, or both are submitted in the first form.
\item Whether information besides the new password is required in the second form.
\item Which e-mail address(es) stored for a user in LON-CAPA may be used in the password reset.
\item Whether custom text should be used as a preamble for the initial web form.
\end{itemize}
If ``Institutional Types'' (e.g., faculty, student etc.) have been defined for a domain
then some of the customizations can be made dependent on a user's institutional type.

\textbf{Encryption of Stored Passwords}

Note that bcrypt (and the older crypt) produce a salted one-way hash of the
password rather than a reversible encryption; the domain settings refer to this
stored hash as the ``encryption''. The plaintext password is only available to
the server at the moment a user logs in, which is why the upgrades described
below can only be applied at login time.
\begin{itemize}
\item \textit{Encryption cost for bcrypt} (positive integer). Starting with 2.11.2
bcrypt is used to hash the password for an internally authenticated user.
The work factor is determined by the bcrypt cost value, which is the base-2
logarithm of the number of key-expansion rounds: each increment of the cost
doubles the time needed to hash (and therefore to validate) a password. The
cost needs to be a positive integer. If no value is set in a domain, a default
of 10 will be used.
\item \textit{Check bcrypt cost if authenticated}. When an internally authenticated user
logs in and the credentials are validated, the bcrypt cost used for the stored
hash can be compared with the current domain setting. If the cost of the
stored hash is less than the current domain setting, there are two
options: either allow login and re-hash the password using the higher cost,
or disallow login. Note that with the second option, raising the domain cost
will prevent login for every user whose password was hashed at the lower cost.
The default is not to compare the stored cost with the current domain setting.
\item \textit{Existing crypt-based switched to bcrypt if authenticated}. When an internally
authenticated user logs in and the credentials are validated, if the stored
credentials are currently hashed with crypt, there is an option to update
the stored hash to use bcrypt, with or without backing up the existing passwd
file to a passwd.bak file. The default is not to update the stored passwd file,
so existing users with crypt-based stored passwords will keep them
until they change their password.
\end{itemize}
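
The three settings above interact only at the moment a login succeeds. The
following is an added example, not LON-CAPA's own code: it models the
settings as a pure decision function (stored hash plus domain settings in,
``allow login'' and ``what to do with the stored hash'' out) so the
combinations can be checked without a server. The class, function and
setting-value names and the sample hashes are assumptions made here; the
bcrypt and crypt string formats are the standard modular-crypt ones.

```python
"""Login-time handling of stored password hashes for internal authentication.

Added example, not LON-CAPA code. Names of the settings values, the functions
and the sample hashes are assumptions made for this illustration.
"""
import re
import shutil
from dataclasses import dataclass
from pathlib import Path

# Modular-crypt bcrypt string: $2a$ / $2b$ / $2y$, two-digit cost, then
# 22 salt characters and 31 digest characters in bcrypt's base-64 alphabet.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
# Traditional DES crypt(3): 2-character salt plus 11-character digest, no prefix.
CRYPT_RE = re.compile(r"^[./A-Za-z0-9]{13}$")

DEFAULT_COST = 10  # what LON-CAPA uses when the domain sets no cost

# Constructed, format-valid samples; the digest parts carry no real credential.
SAMPLE_BCRYPT_COST8 = "$2a$08$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
SAMPLE_CRYPT = "abJnggxhB/yWI"


@dataclass(frozen=True)
class Settings:
    """Domain settings, named after the three options described above (assumed names)."""
    cost: int = DEFAULT_COST        # "Encryption cost for bcrypt"
    check_cost: str = "no"          # "no" | "update" | "disallow"
    crypt_to_bcrypt: str = "no"     # "no" | "update" | "update_backup"

    def __post_init__(self):
        if not isinstance(self.cost, int) or self.cost < 1:
            raise ValueError("bcrypt cost must be a positive integer")
        if self.check_cost not in ("no", "update", "disallow"):
            raise ValueError("bad check_cost value")
        if self.crypt_to_bcrypt not in ("no", "update", "update_backup"):
            raise ValueError("bad crypt_to_bcrypt value")


def stored_scheme(hashed):
    """Classify a stored hash: ('bcrypt', cost), ('crypt', None) or ('unknown', None)."""
    m = BCRYPT_RE.match(hashed)
    if m:
        return "bcrypt", int(m.group(1))
    if CRYPT_RE.match(hashed):
        return "crypt", None
    return "unknown", None


def login_decision(hashed, settings):
    """Decide what happens once the submitted password has verified against `hashed`.

    Returns (allow_login, action) with action one of 'none', 'rehash' or
    'rehash_backup'. The plaintext is only in hand at this moment, so this is
    the only point at which the stored hash can be strengthened.
    """
    scheme, cost = stored_scheme(hashed)
    if scheme == "bcrypt":
        if settings.check_cost == "no" or cost >= settings.cost:
            return True, "none"
        if settings.check_cost == "update":
            return True, "rehash"
        return False, "none"            # "disallow": a stale cost blocks the login
    if scheme == "crypt":
        if settings.crypt_to_bcrypt == "update":
            return True, "rehash"
        if settings.crypt_to_bcrypt == "update_backup":
            return True, "rehash_backup"
        return True, "none"             # keep crypt until the user changes password
    raise ValueError("unrecognised stored password format")


def apply_action(passwd_path, new_hash, action):
    """Write the re-hashed credential, first copying passwd to passwd.bak if asked."""
    path = Path(passwd_path)
    if action == "none":
        return False
    if action == "rehash_backup":
        shutil.copy2(path, path.with_name(path.name + ".bak"))
    path.write_text(new_hash + "\n")
    return True


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        passwd = Path(d) / "passwd"
        passwd.write_text(SAMPLE_CRYPT + "\n")
        allow, action = login_decision(SAMPLE_CRYPT, Settings(crypt_to_bcrypt="update_backup"))
        # A real handler computes the new bcrypt hash here; a placeholder string stands in.
        apply_action(passwd, "$2b$10$" + "x" * 53, action)
        print(allow, action, sorted(p.name for p in Path(d).iterdir()))
```

The decision is deliberately separated from the file write so that the
``disallow'' path never touches the passwd file, and so that the backup copy
is taken before the new hash is written rather than after.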
   54: 
\textbf{Rules for LON-CAPA Passwords}

Starting with LON-CAPA 2.11.3 requirements can be set for password length,
whether special characters or mixed case are required, and how many (if any)
previous passwords to save for a user (disallow reuse).
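
The following is an added example, not LON-CAPA's own code, showing how the
four rules combine in a checker and, in particular, that the reuse rule has
to be evaluated against stored hashes of the previous passwords rather than
against plaintexts. The rule and function names are assumptions made here.
Because bcrypt is not in the Python standard library, the history entries use
salted PBKDF2-HMAC-SHA256 as a stand-in for the bcrypt values LON-CAPA keeps.

```python
"""Checker for the password rules a domain can set for internal authentication.

Added example, not LON-CAPA code. Names are assumptions; PBKDF2-HMAC-SHA256
stands in for bcrypt in the reuse history only because bcrypt is not in the
standard library.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Rules:
    min_length: int = 8
    require_special: bool = True      # at least one non-alphanumeric character
    require_mixed_case: bool = True   # at least one upper- and one lower-case letter
    history: int = 3                  # previous passwords remembered; 0 disables reuse checks


def hash_for_history(password, rounds=100_000):
    """Salted, slow hash of a password as it should be kept in the reuse history."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2${rounds}${salt.hex()}${digest.hex()}"


def matches_history(password, entry):
    """True if `password` is the one recorded in a history entry."""
    _, rounds, salt_hex, digest_hex = entry.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


def check_password(candidate, rules, previous=()):
    """Return the list of rules the candidate violates; an empty list means it is acceptable.

    `previous` is the user's history, newest first; only the last `rules.history`
    entries are consulted, so a password older than that may be chosen again.
    """
    problems = []
    if len(candidate) < rules.min_length:
        problems.append(f"shorter than {rules.min_length} characters")
    if rules.require_special and not any(not c.isalnum() for c in candidate):
        problems.append("no special character")
    if rules.require_mixed_case and not (
        any(c.isupper() for c in candidate) and any(c.islower() for c in candidate)
    ):
        problems.append("no mix of upper- and lower-case letters")
    if rules.history > 0 and any(matches_history(candidate, e) for e in previous[:rules.history]):
        problems.append(f"matches one of the last {rules.history} passwords")
    return problems


def record_password(password, previous, rules):
    """History after a successful change: new entry first, trimmed to the rule's length."""
    if rules.history <= 0:
        return []
    return [hash_for_history(password)] + list(previous)[:rules.history - 1]
```

Keeping the history as salted slow hashes means the reuse check costs one
hash computation per remembered entry; with a large history count that cost
lands on every password change, which is a reason to keep the count modest.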
   60: 
\textbf{Course Owner Changing Student Passwords}

Starting with LON-CAPA 2.11.3 a domain can be configured to allow a course owner
to change a student's password, if all of the following conditions are met:
\begin{itemize}
\item the same domain is used by owner, course, and student;
\item the student has no active or future roles besides student roles in courses
 owned by the course owner making the change;
\item the course container is not a Community;
\item the owner is course coordinator in the course;
\item the setting to disable this action has not been set for the specific course.
\end{itemize}
If ``Institutional Types'' (e.g., faculty, staff, student etc.) have been defined
for a domain then which course owners may change student passwords can be restricted
to specific types. In addition, which students may have their passwords changed can
also be restricted to specific types.

The default is to not allow course owners to change a student's password.
