Caution: This documentation is for eZ Publish legacy, from version 3.x to 6.x.
For 5.x documentation covering Platform, see eZ Documentation Center; for the difference between legacy and Platform, see 5.x Architecture overview.

Use

After you have installed the eZ MB Password Expiry Extension, the new datatype "Password Expiration" will be available to be added as an attribute in the User and User Group classes. In order for the extension to function correctly this attribute must be added to your User and User Group classes.

Once added in the class the "Password Expiration" attribute looks like this:

The attribute will add the following field to the Edit User page:

The values set in the site.ini file are used as the default values when a "Password Expiration" attribute is added. However, a script is provided so that existing users are not all forced to change their passwords. This script resets the Password Last Update value of all users to the current time and can be run with the following command:

$ php extension/ezmbpaex/install/scripts/setpasswordlastupdated.php


When you customize the values in a user group itself, a checkbox will help you to update children nodes with the values of the current group. This allows you to easily customize the password lifetime and validation expiration per group. (See point "Update Children Features")

A function is added to control whether a user can edit the password expiry data. If you want to allow anyone other than the administrator to update the password expiry data, a new policy with this function should be added to the user's role. Through the "Roles and Policies" link in your Administration Interface (which can be accessed both in the left menu under the "Setup" tab, as well as in the left menu "Access control" under the "User Accounts" tab) you can grant full or limited access to one or all functions ("editpaex" and "password") of the module Userpaex.

When a user or user group is created, it automatically inherits the password expiry permissions of its parent, unless it has "editpaex" permissions set in its own roles. If a user has the "editpaex" permission, he will be able to set his own password expiration values, but if these fields are left empty the parent values will be used.

When someone changes the password of another user, the Password Last Update Time of this password is set to 0 to force the user to change his password the next time he tries to log in. But in order to be able to force a user to change his password, the password lifetime must be defined. If the Password Life Time is set to 0, the user will never be forced to change his password because the password will never expire.

After the password for a user has expired, the user cannot log in. He will only be permitted to access the change password view from the Userpaex module in order to change his password. When a user changes his password, the system prevents him from submitting the same password as the one currently set. This is done to ensure that the new password always differs from the former one.
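
The expiry rules described above, modelled as an added example (this is not code from the extension). It assumes the lifetime is counted in days and that an empty field is null and distinct from 0; all function names are hypothetical. It shows that a password changed by someone else only forces a change at next login when a non-zero lifetime is in effect.

```php
<?php
// Added model of the rules in the text; not the ezmbpaex implementation.
// Assumptions: lifetime is in days, "empty" means null or '', and an
// explicit 0 is a real value ("never expires"), not an empty field.

// An empty own value falls back to the parent's value.
function effectiveLifetime($own, $parent)
{
    return ($own === null || $own === '') ? (int) $parent : (int) $own;
}

// A password can only expire when a non-zero lifetime is defined.
function isExpired($lastUpdated, $lifetimeDays, $now)
{
    if ($lifetimeDays === 0) {
        return false; // lifetime 0: the password never expires
    }
    return ($now - $lastUpdated) > $lifetimeDays * 86400;
}

// A change made by another user zeroes the Password Last Update time.
function lastUpdatedAfterChange($changedBySelf, $now)
{
    return $changedBySelf ? $now : 0;
}

$now = time();
// Constructed cases: label, own lifetime, parent lifetime, changed by self?
$cases = array(
    array('inherits 90, changed by other', null, 90, false),
    array('own lifetime 0, changed by other', 0, 90, false),
    array('own lifetime 30, changed by self', 30, 90, true),
);
foreach ($cases as $case) {
    list($label, $own, $parent, $bySelf) = $case;
    $lifetime = effectiveLifetime($own, $parent);
    $last = lastUpdatedAfterChange($bySelf, $now);
    printf(
        "%-34s lifetime=%-3d must_change=%s\n",
        $label,
        $lifetime,
        isExpired($last, $lifetime, $now) ? 'yes' : 'no'
    );
}
```

When auditing a deployment, the second case is the one to check: an account or group with Password Life Time 0 is not forced to change a password that someone else has set.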

Ester Heylen (28/09/2009 3:00 pm)

Ester Heylen (29/09/2009 12:13 pm)

