Home

Brushtail Administrator's Guide

User accounts

Introduction



Only the administrator user can make create/edit user accounts.

Click on the link "Intranet Administration".




 

Click on "User accounts".



The User accounts page has an Add user form at the top of the page, below this is a list of user accounts that can be edited.


Adding a user authenticated by MySQL



Click on the "Add user" link to create an account.

Authentication method
The default authentication method is MySQL.

Password
If password length and complexity requirements are enabled in the intranet preferences this will be enforced here.

Change password at next logon
This can be used to force a user to change pasword.

Password never expires
If this is set to "no" then the maxmimum password age defined in the intranet preferences will be enforced. Once a password has expired a user will be forced to change password at next logon..

Account disabled
This can be used to disable an account temporarily.






Email authentication

Intranet users may be authenticted via a pop or imap email account. The login name of the email acount needs to be entered into the User account field.


Email authentication requires IMAP to be compiled/enabled in PHP. The hostname and port number of the mailserver used for authentication needs to be entered in the confg.php file. For fuller documentation on the possible configurations, have a look at the PHP web site.

Examples:
$MAILSERVER = "{hostname:143/imap}";
$MAILSERVER = "{hostname:110/pop3}";

Adding a user authenticated by LDAP/Active Directory

LDAP authentication requires LDAP to be compiled/enabled in PHP.

Click on the "Add user" link to create an account.

LDAP can be used in a "read only" capacity for authenticating passwords. If you want to be able to force users to update Active Directory passwords you will also need to the read the "LDAP" page of this manual.



Authentication method
Select the authentication method LDAP/Active Directroy.

User account
This is the LDAP distinguashed name (DN) of the user. Examples:


fred.frog@foo.org
CN=fred frog,CN=Users,DC=foo,DC=org

(this last format must be used if you want users to be able to update their windows password)

Change password at next logon
This parameter is not relevant if LDAP is used in a read only capacity.
This can be used to force a user to change pasword. This parameter can be used to update Active Directory passwords. If the Windows password has been changed by the administrator on the windows server, then “User change password at next login” must be set on the Intranet not active directory.

Password never expires
This parameter is not relevant if LDAP is used in a read only capacity.
If this is set to "no" then the maxmimum password age defined in the intranet preferences will be enforced. Once a password has expired a user will be forced to change password at next logon. This parameter can be used to update Active Directory passwords.

Account disabled
This can be used to disable an account temporarily.





Active Directory passwords

If you want to enforce password expiry, or to force a user to change a user at next logon, this can be implemented via the intranet or via Active Directory. If The password has expired in Active Directory then the intranet can force the user to change password. Disabling an account in the intranet will not disable an account in Active Directory. Disabling the account in Active Directory will cause LDAP authentication to fail.





Home