Improved Password Management and Authentication
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Evergreen user passwords are now stored with additional layers of
encryption and may only be accessed directly by the database, not

All API changes are backwards compatible with existing 3rd-party
Passwords are migrated automatically the first time each user logs in
under the new setup. However, it is also possible to force password
migration for a given user via a database function:
------------------------------------------------------------
evergreen=# SELECT actor.migrate_passwd(<USER_ID>);
------------------------------------------------------------
Using this, admins can perform manual batch updates to force all users
onto the new, more secure password storage regardless of when, or
whether, a patron logs back into the system. Beware that doing this for
every user in a large database will take a long time and should be
performed in batches, so that no single transaction covers the whole
user table and an interrupted run can be resumed where it stopped.
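As an added example of the batched approach recommended above (this is not Evergreen's own code), the POSIX shell script below drives actor.migrate_passwd() over all user IDs in fixed-size ranges, running each range as its own psql invocation so that every batch commits independently and a failure stops the run at a known ID. Beyond what the release notes state, it assumes that user IDs are in actor.usr.id, that psql connection options come from DB_ARGS or the usual PG* environment variables, and that the administrator supplies the highest user ID in MAX_ID; setting DRY_RUN=1 prints the SQL for each batch instead of executing it.

```shell
#!/bin/sh
# Added example (not Evergreen's own code): call actor.migrate_passwd()
# for every user in fixed-size ID ranges, one psql transaction per range.
#
# Assumptions (not stated in the release notes): user IDs live in
# actor.usr.id, psql options come from DB_ARGS or PG* environment
# variables, and the caller passes the highest user ID in MAX_ID.

BATCH_SIZE="${BATCH_SIZE:-1000}"
DB_ARGS="${DB_ARGS:--U evergreen -d evergreen}"   # assumed defaults

# Print the SQL that migrates one inclusive ID range. One SELECT per
# range means one round-trip and one transaction per batch; IDs outside
# the range, and gaps inside it, are simply not matched.
batch_sql() {
    start="$1"
    end="$2"
    printf 'SELECT actor.migrate_passwd(id) FROM actor.usr WHERE id BETWEEN %d AND %d;\n' "$start" "$end"
}

# Number of batches of the given size needed to cover IDs 1..max_id.
batch_count() {
    max_id="$1"
    size="$2"
    echo $(( (max_id + size - 1) / size ))
}

# Run every batch up to max_id; with DRY_RUN=1 only print the SQL.
# Returns non-zero as soon as a batch fails, so the last printed range
# tells the operator where to resume.
migrate_all() {
    max_id="$1"
    size="$2"
    n=$(batch_count "$max_id" "$size")
    i=0
    while [ "$i" -lt "$n" ]; do
        start=$(( i * size + 1 ))
        end=$(( start + size - 1 ))
        if [ "${DRY_RUN:-0}" = 1 ]; then
            batch_sql "$start" "$end"
        else
            # ON_ERROR_STOP makes psql exit non-zero on a failed batch
            # instead of silently continuing with the next statement.
            echo "migrating user IDs $start..$end" >&2
            batch_sql "$start" "$end" | psql $DB_ARGS -v ON_ERROR_STOP=1 -q || return 1
        fi
        i=$(( i + 1 ))
    done
}

# Stand-alone use: nothing runs unless MAX_ID is supplied by the caller.
if [ -n "${MAX_ID:-}" ]; then
    migrate_all "$MAX_ID" "$BATCH_SIZE"
fi
```

A typical invocation is `MAX_ID=$(psql -U evergreen -d evergreen -Atc 'SELECT max(id) FROM actor.usr') BATCH_SIZE=1000 sh migrate_passwd.sh`, after first checking the generated statements with `DRY_RUN=1`. The batch size trades transaction length against the number of psql round-trips; a few hundred to a few thousand IDs per batch keeps each transaction short on a large site.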
open-ils.auth_internal
++++++++++++++++++++++
To support the new storage mechanism, a new Evergreen service has
been added called "open-ils.auth_internal". This service runs on
the private OpenSRF/XMPP domain and is used to store authenticated
user data in the authentication cache.

This is a required service, and changes to opensrf.xml (typically
/openils/conf/opensrf.xml) are needed to run the new service.
.Modifying opensrf.xml
* A new <open-ils.auth_internal> app stanza is added to define the
* Cache timeout settings are moved from the app stanza for open-ils.auth into open-ils.auth_internal
* open-ils.auth_internal is added to the set of running services for the
---------------------------------------------------------------------
50 diff --git a/Open-ILS/examples/opensrf.xml.example b/Open-ILS/examples/opensrf.xml.example
51 index 3b47481..59f737a 100644
52 --- a/Open-ILS/examples/opensrf.xml.example
53 +++ b/Open-ILS/examples/opensrf.xml.example
54 @@ -424,6 +424,29 @@ vim:et:ts=4:sw=4:
57 <!-- defined app-specific settings here -->
59 + <seed>30</seed> <!-- amount of time a seed request is valid for -->
60 + <block_time>90</block_time> <!-- amount of time since last auth or seed request to save failure counts -->
61 + <block_count>10</block_count> <!-- number of failures before blocking access -->
66 + <!-- Internal authentication server -->
67 + <open-ils.auth_internal>
68 + <keepalive>5</keepalive>
69 + <stateless>1</stateless>
70 + <language>c</language>
71 + <implementation>oils_auth_internal.so</implementation>
73 + <max_requests>1000</max_requests>
74 + <min_children>1</min_children>
75 + <max_children>15</max_children>
76 + <min_spare_children>1</min_spare_children>
77 + <max_spare_children>5</max_spare_children>
80 + <!-- defined app-specific settings here -->
82 <!-- default login timeouts based on login type -->
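Review bot: the comments on the three settings added at +59 to +61 of this hunk give neither units nor scope. `<seed>30</seed>` and `<block_time>90</block_time>` should state whether the values are seconds, and `<block_count>10</block_count>` should state what the failure counter is keyed on (the user name, the client address, or both), because that decides whether the block is a per-account lockout that anyone can trigger deliberately against a known user name or a per-source throttle. Suggested wording: `<!-- seconds a seed request is valid for -->` and `<!-- failures per account within block_time before access is blocked -->`, adjusted to whatever the code actually keys on.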
84 @@ -431,13 +454,10 @@ vim:et:ts=4:sw=4:
86 <persist>2 weeks</persist>
89 - <seed>30</seed> <!-- amount of time a seed request is valid for -->
90 - <block_time>90</block_time> <!-- amount of time since last auth or seed request to save failure counts -->
91 - <block_count>10</block_count> <!-- number of failures before blocking access -->
95 + </open-ils.auth_internal>
99 <!-- Authentication proxy server -->
100 <open-ils.auth_proxy>
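Review bot: after this hunk the login timeout block ending in `<persist>2 weeks</persist>` closes with `</open-ils.auth_internal>`, so an administrator merging these changes into an existing opensrf.xml by hand can easily end up with one copy of the timeouts left under open-ils.auth and a second copy under open-ils.auth_internal. The upgrade notes should say explicitly which stanza the timeouts are read from after this change and that the old copy must be deleted rather than left in place. The three lines removed here (`<seed>`, `<block_time>`, `<block_count>`) need the same statement, since they are not dropped but re-added at +59 to +61 of the previous hunk, above the new open-ils.auth_internal stanza.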
101 @@ -1177,6 +1197,7 @@ vim:et:ts=4:sw=4:
102 <appname>open-ils.circ</appname>
103 <appname>open-ils.actor</appname>
104 <appname>open-ils.auth</appname>
105 + <appname>open-ils.auth_internal</appname>
106 <appname>open-ils.auth_proxy</appname>
107 <appname>open-ils.storage</appname>
108 <appname>open-ils.justintime</appname>
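Review bot: this service list is the only place the diff registers open-ils.auth_internal, and the hunk shows no context for which host's application list it is. Since the text above says the service is meant to run on the private OpenSRF/XMPP domain, please confirm the appname is added only to the private domain's list, and if services are started in list order consider placing it before `<appname>open-ils.auth</appname>`, so the service that open-ils.auth now depends on is started before its consumer.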
---------------------------------------------------------------------