File: [LON-CAPA] / loncom / html / adm / help / tex / Domain_Configuration_Passwords.tex
Revision 1.1
Wed Jan 8 19:03:55 2020 UTC (5 years, 5 months ago) by raeburn
Branches: MAIN
CVS tags: version_2_12_X, version_2_11_X, version_2_11_6_msu, version_2_11_6, version_2_11_5_msu, version_2_11_5, version_2_11_4_uiuc, version_2_11_4_msu, version_2_11_4, version_2_11_3_uiuc, version_2_11_3_msu, version_2_11_3, HEAD
- Documentation for domain configuration for Passwords (Internal auth).
- Configuration of encryption for stored passwords (internal auth) moved
from "Default authentication/language/timezone/portal/types" to
"Passwords (Internal authentication)" section in "Set domain configuration".
\label{Domain_Configuration_Passwords}
For user accounts in LON-CAPA for which the authentication type is set to internal,
domain settings are available for: (a) User reset of a forgotten password;
(b) Encryption used to store passwords; (c) Rules for password length, complexity and
reuse; (d) Course Owner changes to passwords of enrolled students.

\textbf{Resetting Forgotten Password}

Users have been able to reset a forgotten password since LON-CAPA 2.3, by
entering username, domain and e-mail address in a web form reached via the
``Forgot Password?'' link on the log-in page. If the information submitted
via the web form matches that stored in LON-CAPA for that user (and the user's
authentication type is ``internal''), then an e-mail will be sent to the user's e-mail
address, containing a time-limited link, which when followed will display a
second web form, in which the user enters e-mail address, username,
and a new password.

Starting with LON-CAPA 2.11.3 this procedure can be customized in the following ways:
\begin{itemize}
\item Type of Captcha (for robot suppression) to use with the initial web form.
\item Expiration time of the time-limited link in the generated e-mail.
\item Whether checking of username and/or e-mail address is case-sensitive.
\item Whether just username, just e-mail address, or both are submitted in the first form.
\item Whether information besides the new password is required in the second form.
\item Which e-mail address(es) stored for a user in LON-CAPA may be used in the password reset.
\item Whether custom text should be used as a preamble for the initial web form.
\end{itemize}
If ``Institutional Types'' (e.g., faculty, student etc.) have been defined for a domain
then some of the customizations can be made dependent on a user's institutional type.

\textbf{Encryption of Stored Passwords}
\begin{itemize}
\item \textit{Encryption cost for bcrypt} (positive integer). Starting with LON-CAPA 2.11.2,
bcrypt is used to encrypt the password for an internally authenticated user.
The complexity of the encryption is determined by the bcrypt cost value. A higher
value means more computation (and more time to validate a user's password). The
cost needs to be a positive integer. If no value is set in a domain, a default
of 10 will be used.
\item \textit{Check bcrypt cost if authenticated}. When an internally authenticated user
logs in and the credentials are validated, the bcrypt cost used for the original
encryption can be compared with the current domain default. If the cost for
the stored encryption is less than the current domain setting, there are two
options: either allow login and update the stored encryption using the higher cost,
or disallow login. The default is not to compare the original cost with the
current domain setting.
\item \textit{Existing crypt-based switched to bcrypt if authenticated}. When an internally
authenticated user logs in and the credentials are validated, if the stored
credentials are currently encrypted with crypt, there is an option to update
the stored encryption to use bcrypt, with or without backing up the existing passwd
file to a passwd.bak file. The default is not to update the stored passwd file,
so existing users who have crypt-based stored passwords will continue to do so
until such time as they change their password.
\end{itemize}
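The post-authentication decision described by these three settings, as an added example (not LON-CAPA's own code, which is written in Perl). The setting names, return strings and sample values are hypothetical, and it assumes stored values use the standard bcrypt string format or 13-character traditional crypt output.

```python
import re
from dataclasses import dataclass

# Standard bcrypt string: "$2a$" (or 2b/2x/2y) + two-digit cost + "$" + 53 chars of salt and hash.
BCRYPT_RE = re.compile(r"\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}")
# Traditional DES crypt(3) output: 13 characters, no "$" prefix.
DES_CRYPT_RE = re.compile(r"[./A-Za-z0-9]{13}")

@dataclass
class DomainPolicy:
    """Hypothetical names for the three settings described above."""
    cost: int = 10               # bcrypt cost; 10 is the documented default
    check_cost: str = "off"      # "off" (default) | "update" | "deny"
    crypt_upgrade: str = "off"   # "off" (default) | "backup" | "nobackup"

def classify(stored: str):
    """Return (scheme, cost) for a stored hash string."""
    m = BCRYPT_RE.fullmatch(stored)
    if m and 4 <= int(m.group(1)) <= 31:      # bcrypt's valid cost range
        return "bcrypt", int(m.group(1))
    if DES_CRYPT_RE.fullmatch(stored):
        return "crypt", None
    return "unknown", None

def work_ratio(old_cost: int, new_cost: int):
    """bcrypt cost is a base-2 exponent: each +1 doubles the hashing work."""
    return 2 ** (new_cost - old_cost)

def post_auth_action(stored: str, policy: DomainPolicy) -> str:
    """Decide what happens after the submitted password has been verified.
    Re-hashing is only possible here, while the plaintext is in hand."""
    scheme, cost = classify(stored)
    if scheme == "bcrypt":
        if policy.check_cost == "off" or cost >= policy.cost:
            return "allow"
        return "allow+rehash" if policy.check_cost == "update" else "deny"
    if scheme == "crypt":
        if policy.crypt_upgrade == "off":
            return "allow"
        return "allow+rehash+backup" if policy.crypt_upgrade == "backup" else "allow+rehash"
    return "deny"   # unrecognised format: fail closed (an assumption of this sketch)

# Constructed sample values (correct length and alphabet, not real hashes).
OLD_BCRYPT = "$2a$08$" + "x" * 53
DES_CRYPT = "ab" + "c" * 11
```

With the defaults, both sample values are simply allowed, which is why raising the domain cost alone does not strengthen hashes already on disk until one of the two update options is enabled.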

\textbf{Rules for LON-CAPA Passwords}

Starting with LON-CAPA 2.11.3 requirements can be set for password length,
whether special characters or mixed case are required, and how many (if any)
previous passwords to save for a user (disallow reuse).

\textbf{Course Owner Changing Student Passwords}

Starting with LON-CAPA 2.11.3 a domain can be configured to allow a course owner
to change a student's password, if the following conditions are met:
\begin{itemize}
\item same domain is used by owner, course, and student,
\item student has no active or future roles besides student role in courses
owned by the course owner making the change,
\item course container is not a Community,
\item owner is course coordinator in the course,
\item setting to disable this action has not been set for the specific course.
\end{itemize}
If ``Institutional Types'' (e.g., faculty, staff, student etc.) have been defined
for a domain then which course owners may change student passwords can be restricted
to specific types. In addition, which students may have their passwords changed can
also be restricted to specific types.

The default is to not allow course owners to change a student's password.