1 Improved Password Management and Authentication
2 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
3 Evergreen user passwords are now stored with additional layers of
4 encryption and can be accessed directly only by the database, not
5 by the application layer.
6
7 All API changes are backwards compatible with existing 3rd-party
8 clients.
9
10 Migrating Passwords
11 +++++++++++++++++++
12
13 Passwords are migrated for each user automatically the first time a user
14 logs in under the new setup.  However, it is also possible to force
15 password migration for a given user via a database function:
16
17 [source,sql]
18 ------------------------------------------------------------
19 evergreen=# SELECT actor.migrate_passwd(<USER_ID>);
20 ------------------------------------------------------------
21
22 Using this, admins could perform manual batch updates to force all
23 users to use the new, more secure passwords, regardless of when or
24 whether a patron logs back into the system.  Beware that doing this
25 for all users in a large database will take a long time and
26 should probably be performed in batches.
27
28 open-ils.auth_internal
29 ++++++++++++++++++++++
30 To support the new storage mechanism, a new Evergreen service has
31 been added called "open-ils.auth_internal".  This service runs on
32 the private OpenSRF/XMPP domain and is used to store authenticated 
33 user data in the authentication cache.  
34
35 This service is required, and changes to opensrf.xml (typically
36 /openils/conf/opensrf.xml) are needed before it can run.
37
38 .Modifying opensrf.xml
39 * A new <open-ils.auth_internal> app stanza is added to define the 
40   new service
41 * Cache timeout settings are moved from the app stanza for open-ils.auth
42   into open-ils.auth_internal
43 * open-ils.auth_internal is added to the set of running services for the 
44   domain.
45
46 Example diff:
47
48 [source,diff]
49 ---------------------------------------------------------------------
50 diff --git a/Open-ILS/examples/opensrf.xml.example b/Open-ILS/examples/opensrf.xml.example
51 index 3b47481..59f737a 100644
52 --- a/Open-ILS/examples/opensrf.xml.example
53 +++ b/Open-ILS/examples/opensrf.xml.example
54 @@ -424,6 +424,29 @@ vim:et:ts=4:sw=4:
55                  </unix_config>
56                  <app_settings>
57                      <!-- defined app-specific settings here -->
58 +                    <auth_limits>
59 +                        <seed>30</seed> <!-- amount of time a seed request is valid for -->
60 +                        <block_time>90</block_time> <!-- amount of time since last auth or seed request to save failure counts -->
61 +                        <block_count>10</block_count> <!-- number of failures before blocking access -->
62 +                    </auth_limits>
63 +                </app_settings>
64 +            </open-ils.auth>
65 +
66 +            <!-- Internal authentication server -->
67 +            <open-ils.auth_internal>
68 +                <keepalive>5</keepalive>
69 +                <stateless>1</stateless>
70 +                <language>c</language>
71 +                <implementation>oils_auth_internal.so</implementation>
72 +                <unix_config>
73 +                    <max_requests>1000</max_requests>
74 +                    <min_children>1</min_children>
75 +                    <max_children>15</max_children>
76 +                    <min_spare_children>1</min_spare_children>
77 +                    <max_spare_children>5</max_spare_children>
78 +                </unix_config>
79 +                <app_settings>
80 +                    <!-- defined app-specific settings here -->
81                      <default_timeout>
82                          <!-- default login timeouts based on login type -->
83                          <opac>420</opac>
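Review bot: The new `<open-ils.auth_internal>` stanza is introduced only by `<!-- Internal authentication server -->`, which does not tell an administrator editing this file that the service handles authenticated user data and is meant to run only on the private OpenSRF domain, as the surrounding release note states; I would expand it to `<!-- Internal authentication server: stores authenticated user data in the auth cache; run only on the private OpenSRF domain -->`. The `<auth_limits>` values moved into open-ils.auth here (`<seed>30</seed>`, `<block_time>90</block_time>`) keep comments that name no unit, so a reader cannot tell whether 30 is seconds or something else; if they are seconds, `<!-- seconds a seed request is valid for -->` would remove the guess, and the same gap applies to the removed copies in the second hunk, which is just the other half of the move. The placeholder comment copied into the new stanza, `<!-- defined app-specific settings here -->`, carries the original's `defined` typo; `<!-- define app-specific settings here -->` reads correctly.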
84 @@ -431,13 +454,10 @@ vim:et:ts=4:sw=4:
85                          <temp>300</temp>
86                          <persist>2 weeks</persist>
87                      </default_timeout>
88 -                    <auth_limits>
89 -                        <seed>30</seed> <!-- amount of time a seed request is valid for -->
90 -                        <block_time>90</block_time> <!-- amount of time since last auth or seed request to save failure counts -->
91 -                        <block_count>10</block_count> <!-- number of failures before blocking access -->
92 -                    </auth_limits>
93                  </app_settings>
94 -            </open-ils.auth>
95 +            </open-ils.auth_internal>
96 +
97 +
98  
99              <!-- Authentication proxy server -->
100              <open-ils.auth_proxy>
101 @@ -1177,6 +1197,7 @@ vim:et:ts=4:sw=4:
102                  <appname>open-ils.circ</appname> 
103                  <appname>open-ils.actor</appname> 
104                  <appname>open-ils.auth</appname> 
105 +                <appname>open-ils.auth_internal</appname>
106                  <appname>open-ils.auth_proxy</appname> 
107                  <appname>open-ils.storage</appname>  
108                  <appname>open-ils.justintime</appname>  
109 ---------------------------------------------------------------------
110
111
112
113