1 Improved Password Management and Authentication
2 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
3 Evergreen user passwords are now stored with additional layers of
4 hashing (not reversible encryption) and may only be accessed directly
5 by the database, never by the application layer.
6
7 All API changes are backwards compatible with existing 3rd-party
8 clients.
9
10 open-ils.auth_internal
11 ++++++++++++++++++++++
12 To support the new storage mechanism, a new Evergreen service called
13 "open-ils.auth_internal" has been added.  It runs on the private
14 OpenSRF/XMPP domain and writes already-authenticated user data into the
15 authentication cache; because it populates the session cache directly, it must never be reachable from the public domain.
16
17 This is a required service and changes to opensrf.xml (typically 
18 /openils/conf/opensrf.xml) are needed to run the new service.
19
20 .Modifying opensrf.xml
21 * A new <open-ils.auth_internal> app stanza is added to define the 
22   new service
23 * The cache timeout settings (`default_timeout`) are moved from the open-ils.auth
24   app stanza into open-ils.auth_internal; the login-throttling `auth_limits` stay in open-ils.auth
25 * open-ils.auth_internal is added to the set of running services for the 
26   domain.
27
28 Example diff:
29
30 [source,diff]
31 ---------------------------------------------------------------------
32 diff --git a/Open-ILS/examples/opensrf.xml.example b/Open-ILS/examples/opensrf.xml.example
33 index 3b47481..59f737a 100644
34 --- a/Open-ILS/examples/opensrf.xml.example
35 +++ b/Open-ILS/examples/opensrf.xml.example
36 @@ -424,6 +424,29 @@ vim:et:ts=4:sw=4:
37                  </unix_config>
38                  <app_settings>
39                      <!-- defined app-specific settings here -->
40 +                    <auth_limits>
41 +                        <seed>30</seed> <!-- amount of time a seed request is valid for -->
42 +                        <block_time>90</block_time> <!-- amount of time since last auth or seed request to save failure counts -->
43 +                        <block_count>10</block_count> <!-- number of failures before blocking access -->
44 +                    </auth_limits>
45 +                </app_settings>
46 +            </open-ils.auth>
47 +
48 +            <!-- Internal authentication server -->
49 +            <open-ils.auth_internal>
50 +                <keepalive>5</keepalive>
51 +                <stateless>1</stateless>
52 +                <language>c</language>
53 +                <implementation>oils_auth_internal.so</implementation>
54 +                <unix_config>
55 +                    <max_requests>1000</max_requests>
56 +                    <min_children>1</min_children>
57 +                    <max_children>15</max_children>
58 +                    <min_spare_children>1</min_spare_children>
59 +                    <max_spare_children>5</max_spare_children>
60 +                </unix_config>
61 +                <app_settings>
62 +                    <!-- defined app-specific settings here -->
63                      <default_timeout>
64                          <!-- default login timeouts based on login type -->
65                          <opac>420</opac>
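Review bot: The relocated `<auth_limits>` block at the top of the hunk keeps the brute-force throttle (`block_count` failures within `block_time` seconds) in the open-ils.auth stanza while `<default_timeout>` moves to open-ils.auth_internal, and nothing in the file says why the two settings now live in different stanzas. A comment above `<auth_limits>` such as `<!-- login throttling stays here: failed attempts are counted by the service clients authenticate against (open-ils.auth); session timeouts now live in open-ils.auth_internal -->` would spare the next admin from moving it when tidying up. That open-ils.auth is the client-facing service is inferred from the surrounding release notes, not from this hunk.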
66 @@ -431,13 +454,10 @@ vim:et:ts=4:sw=4:
67                          <temp>300</temp>
68                          <persist>2 weeks</persist>
69                      </default_timeout>
70 -                    <auth_limits>
71 -                        <seed>30</seed> <!-- amount of time a seed request is valid for -->
72 -                        <block_time>90</block_time> <!-- amount of time since last auth or seed request to save failure counts -->
73 -                        <block_count>10</block_count> <!-- number of failures before blocking access -->
74 -                    </auth_limits>
75                  </app_settings>
76 -            </open-ils.auth>
77 +            </open-ils.auth_internal>
78 +
79 +
80  
81              <!-- Authentication proxy server -->
82              <open-ils.auth_proxy>
83 @@ -1177,6 +1197,7 @@ vim:et:ts=4:sw=4:
84                  <appname>open-ils.circ</appname> 
85                  <appname>open-ils.actor</appname> 
86                  <appname>open-ils.auth</appname> 
87 +                <appname>open-ils.auth_internal</appname>
88                  <appname>open-ils.auth_proxy</appname> 
89                  <appname>open-ils.storage</appname>  
90                  <appname>open-ils.justintime</appname>  
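Review bot: The added `<appname>open-ils.auth_internal</appname>` is placed in a list of services to run, but the hunk does not show which host or domain stanza encloses the list, so it cannot be confirmed here that the service is started only where the private domain expects it. Since this service writes authenticated user data straight into the auth cache, any path by which the public domain's router could reach it would let an unauthenticated caller mint sessions; the configuration that lists which services the public domain may reach should be checked to ensure it does not include open-ils.auth_internal. A comment on the added line, e.g. `<!-- private-domain only: can populate the auth cache directly -->`, would make that constraint visible to whoever next edits this list.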
91 ---------------------------------------------------------------------
92
93
94
95