Authentication
==============

Authentication in SeedDMS is either accomplished by an external service (namely LDAP or ADS) or by the internal user database. Either way, there must be an entry for the user in the internal database to be able to log in. The LDAP authentication service of SeedDMS can create a user in the internal database if one is missing and if this is allowed in the configuration ('Restrict access' must be disabled). In that case the initial user data is taken from LDAP. Once a user account is created, it will not be updated with data from the LDAP server again.

Password security
-----------------

SeedDMS has various mechanisms to ensure passwords are safe and hard to compromise. SeedDMS can keep track of how old a password is, whether a password has been used before and when the user is forced to choose a new one.

Passwords can be required to have at least a given strength. There are two possible strength algorithms: a rather simple one that takes the length and the characters used into account, and an advanced algorithm that takes various aspects into account, like the length, the use of special characters, the entropy of the password, etc.

Passwords can be forced to expire after a configurable number of days. The user will then still be able to log in but will be redirected to a page for changing the password. For even more security the new password can be checked against the last `n` passwords to ensure a new password has not been used before. Both can be configured in the section *Authentication settings* on the *System* tab.

Protection against login attempts
---------------------------------

Brute-force attacks try to log in with possible user/password combinations. SeedDMS can detect this by counting the number of login failures. If the number exceeds a configurable limit, the account will be disabled until an administrator re-enables it. The counter is reset on a successful login.

Accounts of administrators will never be disabled due to failed logins, as it would otherwise allow attackers to disable those accounts. Therefore, administrator logins can instead be restricted to a given list of IP addresses. All of this must be explicitly configured in the settings.

Guest Login
-----------

Any login usually requires specifying a login name and a password, but a designated guest account can be configured to log in without a password. Despite its name 'guest account', such an account can be of any type (administrator, regular user, or guest), but for security reasons it is often an account for a guest user. In order to enable such a guest account, 'Enable Guest Login:' must be turned on in the settings and the 'Guest ID' has to be set to a valid user. Once configured, the login page will contain a link below the submit button to sign in as this user without entering a username and password, though the selected theme and language will be taken into account.

Auto Login
----------

If the guest login is configured, a user can be automatically logged in if this is turned on in the configuration. On any page (except the login page) the guest user will automatically be logged in. For those cases where a user (e.g. the administrator) would like to log into her own account, the login page (`op/op.Login.php`) has to be opened explicitly.
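The rules from the section *Protection against login attempts* (failure counter with a configurable limit, reset on success, administrators never disabled but optionally restricted to an IP list), modelled as a small added example. This is illustrative code written for this page, not SeedDMS's own implementation; the names `Account`, `LoginGuard`, `max_failures` and `admin_ips` are assumptions.

```python
"""Added example (not SeedDMS code): the login-failure counter and the
administrator IP restriction described above, in a minimal form."""
from dataclasses import dataclass
import ipaddress


@dataclass
class Account:
    login: str
    is_admin: bool = False
    disabled: bool = False      # set when the failure limit is exceeded
    login_failures: int = 0     # reset on every successful login


class LoginGuard:
    def __init__(self, max_failures=0, admin_ips=()):
        # max_failures <= 0 means the limit is not configured (nothing enforced).
        self.max_failures = max_failures
        # Optional allow-list of networks from which administrators may log in.
        self.admin_networks = [ipaddress.ip_network(n, strict=False) for n in admin_ips]

    def admin_ip_allowed(self, client_ip):
        """True if no restriction is configured or the client matches the list."""
        if not self.admin_networks:
            return True
        ip = ipaddress.ip_address(client_ip)
        return any(ip in net for net in self.admin_networks)

    def attempt(self, account, password_ok, client_ip):
        """Return True on a successful login, False otherwise, updating the account."""
        if account.disabled:
            return False                     # stays off until an admin re-enables it
        if account.is_admin and not self.admin_ip_allowed(client_ip):
            return False                     # admin outside the allowed IP list
        if password_ok:
            account.login_failures = 0       # success resets the counter
            return True
        account.login_failures += 1
        # Administrators are never disabled; otherwise an attacker could lock them out.
        if (self.max_failures > 0 and not account.is_admin
                and account.login_failures > self.max_failures):
            account.disabled = True
        return False

    def reenable(self, account):
        """Administrative action: clear the lock and the counter."""
        account.disabled = False
        account.login_failures = 0
```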