--- /dev/null
+Improved Password Management and Authentication
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Evergreen user passwords are now stored with additional layers of
+encryption and may only be accessed directly by the database, not
+the application layer.
+
+All API changes are backwards compatible with existing 3rd-party
+clients.
+
+open-ils.auth_internal
+++++++++++++++++++++++
+To support the new storage mechanism, a new Evergreen service has
+been added called "open-ils.auth_internal". This service runs on
+the private OpenSRF/XMPP domain and is used to store authenticated
+user data in the authentication cache.
+
+This is a required service and changes to opensrf.xml (typically
+/openils/conf/opensrf.xml) are needed to run the new service.
+
+.Modifying opensrf.xml
+* A new <open-ils.auth_internal> app stanza is added to define the
+ new service
+* Cache timeout settings are moved from the app stanza for open-ils.auth
+ into open-ils.auth_internal
+* open-ils.auth_internal is added to the set of running services for the
+ domain.
+
+Example diff:
+
+[source,diff]
+---------------------------------------------------------------------
+diff --git a/Open-ILS/examples/opensrf.xml.example b/Open-ILS/examples/opensrf.xml.example
+index 3b47481..59f737a 100644
+--- a/Open-ILS/examples/opensrf.xml.example
++++ b/Open-ILS/examples/opensrf.xml.example
+@@ -424,6 +424,29 @@ vim:et:ts=4:sw=4:
+ </unix_config>
+ <app_settings>
+ <!-- defined app-specific settings here -->
++ <auth_limits>
++ <seed>30</seed> <!-- amount of time a seed request is valid for -->
++ <block_time>90</block_time> <!-- amount of time since last auth or seed request to save failure counts -->
++ <block_count>10</block_count> <!-- number of failures before blocking access -->
++ </auth_limits>
++ </app_settings>
++ </open-ils.auth>
++
++ <!-- Internal authentication server -->
++ <open-ils.auth_internal>
++ <keepalive>5</keepalive>
++ <stateless>1</stateless>
++ <language>c</language>
++ <implementation>oils_auth_internal.so</implementation>
++ <unix_config>
++ <max_requests>1000</max_requests>
++ <min_children>1</min_children>
++ <max_children>15</max_children>
++ <min_spare_children>1</min_spare_children>
++ <max_spare_children>5</max_spare_children>
++ </unix_config>
++ <app_settings>
++ <!-- defined app-specific settings here -->
+ <default_timeout>
+ <!-- default login timeouts based on login type -->
+ <opac>420</opac>
+@@ -431,13 +454,10 @@ vim:et:ts=4:sw=4:
+ <temp>300</temp>
+ <persist>2 weeks</persist>
+ </default_timeout>
+- <auth_limits>
+- <seed>30</seed> <!-- amount of time a seed request is valid for -->
+- <block_time>90</block_time> <!-- amount of time since last auth or seed request to save failure counts -->
+- <block_count>10</block_count> <!-- number of failures before blocking access -->
+- </auth_limits>
+ </app_settings>
+- </open-ils.auth>
++ </open-ils.auth_internal>
++
++
+
+ <!-- Authentication proxy server -->
+ <open-ils.auth_proxy>
+@@ -1177,6 +1197,7 @@ vim:et:ts=4:sw=4:
+ <appname>open-ils.circ</appname>
+ <appname>open-ils.actor</appname>
+ <appname>open-ils.auth</appname>
++ <appname>open-ils.auth_internal</appname>
+ <appname>open-ils.auth_proxy</appname>
+ <appname>open-ils.storage</appname>
+ <appname>open-ils.justintime</appname>
+---------------------------------------------------------------------
+
+
+
+
projects / evergreen / pines.git / commitdiff