Forum Discussion

john_howson's avatar
john_howson
Occasional Contributor
8 years ago

How do I make Collaborator 9.4 forget users passwords?

I am running Collaborator 9.4.9401 in a UNIX environment and authenticating users via LDAP.  I have users who are able to login to Collaborator, from a windows/AD domain, sometimes for months after their UNIX/LDAP account password has expired. 

How can I make Collaborator authenticate each user to LDAP at each Collaborator logon, and/or, make Collaborator not allow user login if their LDAP account is expired?

  • MrDubya's avatar
    MrDubya
    Occasional Contributor

    There may be two options (I know are in version 11, and I'm assuming are also in version 9) which could help, both around invalidating a user's login ticket, requiring Administrator access:

     

    • You can manually invalidate the login ticket immediately for any user by editing their settings and clicking "Invalidate Login Ticket".
    • You can set the external client "Login ticket time-to-live" value from the default 0 (eternal) to invalidate a user's login ticket after X hours.  I'm assuming this would also require a user to re-login via the web user interface, but I'm not 100% sure.

     

    • john_howson's avatar
      john_howson
      Occasional Contributor

      Thank you, "Dubs".
      I haven't had the opportunity to implement or test your solution yet - paperwork.  I'll let you know the outcome!

  • john_howson's avatar
    john_howson
    Occasional Contributor

    Now I have a new requirement.  The authentication expiration, the time-to-live, ticket has to expire for all users EXCEPT for one admin user.  That admin user is the ccollab administrator account and it is the account used by the scripts run by various triggers in coco.  If this account expires the scripts will not run.

    I may have to post this as a new question to the forum, but I'm thinking about changing collaborators authentication mechanism from LDAP to collaborators own internal authentication.  That will break the 60 day PW change requirement and nullify the original problem. 

    I don't know how that will affect the existing user accounts, existing inspections, etc. At this point I'm not even sure if it's possible to make that change without a fresh installation.

    • MrDubya's avatar
      MrDubya
      Occasional Contributor

      Happy to hear you're almost there, one workaround I thought of is to create another "dummy" script to run at a frequency just a bit higher than your time-to-live value to ensure the script account doesn't time out.  I do like the idea of configuring accounts that don't expire to avoid having to do that - I suggest you log that in the feature requests board.

      • john_howson's avatar
        john_howson
        Occasional Contributor

        Dummy script is not a bad idea!  Thanks Dubya!