code.uoa.gr
Fork me on GitHub
Arcanum

Features

User-centric Features

  • Change my password
  • Fill in secondary account information
  • I have forgotten my password: reset password via alternative methods:
    • Alternative E-mail address
    • Mobile SMS
  • Notification (via e-mail and/or SMS message):
    • that there has been a failed login attempt
    • that the password has been changed
    • that a secondary account (mobile number, e-mail address) has been changed.

User-centric Features by way of Login Server (CAS)

These features will be enabled if the Single Sign-On Server that can interact with Arcanum is installed:

  • If user has not filled in any secondary account information which is needed for a password reset, then he is instructed to do so upon successful login in a web application. There is an option to opt out of the functionality as well.
  • If password is about to expire, a notification is shown upon login and user can change his password on the spot
  • If password is expired or if grace authentication has been granted, user is redirected to change it

Administration-centric Features

  • Support for many password hashes and digests:
    • CRYPT (MD5)
    • SHA
    • SSHA
    • NT Hash (for Samba, Windows Services, Radius authentication etc.)
    • Digest (for HTTP proxy authentication, SIP services etc.)
  • Web-based configuration and deployment
  • Migration tools for existing LDAP server
  • Operations upon the users:
    • Manually reset a user's password
    • Force a user to change his password upon next login
    • Permanently lock the account and prevent the user from logging in
  • Set password policy (password age, minimum age, number of grace authentications and generally all features supported by LDAP ppolicy)
  • Summary page — shows how many users exist in LDAP server, which password hashes are filled-in, which users have failed login attempts, which users have filled in secondary account information, and many other statistics
  • Summary page shows if there are users with problems such as no password filled in, no required objectClass etc. and offers solutions for these problems
  • Support for multiple password policies
  • Massive change of user policies or user lockdowns based on LDAP filters
  • Customized administration levels
    • An admin can reset users' passwords, but can also change the policy
    • An admin can see a subset of the directory users, based on a custom admin filter; a form of delegated administration
  • A simple web API that allows granting a password reset token, to tie to different password recovery backends easily

Planned Features

The Arcanum web application is also planned to support these features:

  • More fine-grained user service levels
  • Support for two-factor authentication, for users as well as administrators