Security


The security page allows you to control security-specific application settings, such as authentication and password policies. Security has the following properties:


Property

Description

Expire Idle Sessions After

The number of minutes of inactivity allowed before a login expires.

Authentication Type

Multiple types of authentication are supported through a pluggable authentication architecture. The following authentication types are provided in the base product package:


  • Standard
  • LDAP/Active Directory


Refer to the appropriate topics below for more information on configuring these authentication types.


Standard Authentication


Standard authentication provides basic login management and strong password support from within the application; no external authentication sources are required. Passwords are stored securely in the database using a one-way encryption algorithm, so the original password cannot be recovered from the stored value. Standard authentication has the following properties:


Property

Description

Maximum Invalid Login Attempts

The maximum number of invalid login attempts before the account is locked. A locked account must either be unlocked by an administrator or be unlocked by the user by requesting a new temporary password. To disable this feature enter a blank value.

Maximum Password Age

The number of days before employees are asked to create a new password. To disable this feature enter a blank value.

Maximum Password History

Password history keeps employees from reusing previous passwords. Enter the number of passwords you want to keep in the history, or blank to disable this feature.

Minimum Password Length

The minimum number of characters that a new password must contain. To disable this feature enter a blank value.

Minimum Lower Case Characters

The minimum number of lower case characters (a..z) that a new password must contain. To disable this feature enter a blank value.

Minimum Upper Case Characters

The minimum number of upper case characters (A..Z) that a new password must contain. To disable this feature enter a blank value.

Minimum Numeric Characters

The minimum number of numeric characters (0..9) that a new password must contain. To disable this feature enter a blank value.

Minimum Special Characters

The minimum number of special characters (for example !, $, #, %) that a new password must contain. To disable this feature enter a blank value.
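The following is an added example, not Pacific Timesheet's own code, showing how the Standard authentication password properties above combine into one check: each limit may be None, mirroring a blank property that disables that rule, and the history rule compares only the most recent N stored hashes. The hash function is an illustrative stand-in, not the product's algorithm.

```python
import hashlib
import string
from typing import Optional


def password_hash(password: str) -> str:
    # Illustrative one-way hash only (assumption, not the product's algorithm);
    # a real password store should use a salted, slow hash such as Argon2 or bcrypt.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password: str, previous_hashes: list,
                   min_length: Optional[int] = None,
                   min_lower: Optional[int] = None,
                   min_upper: Optional[int] = None,
                   min_numeric: Optional[int] = None,
                   min_special: Optional[int] = None,
                   max_history: Optional[int] = None) -> list:
    """Return the policy violations; an empty list means the password is acceptable.

    previous_hashes holds the hashes of earlier passwords, oldest first.
    """
    # Character classes as the policy defines them: a..z, A..Z, 0..9, and
    # punctuation such as ! $ # % for "special".
    counts = {
        "lower case": sum(c in string.ascii_lowercase for c in password),
        "upper case": sum(c in string.ascii_uppercase for c in password),
        "numeric": sum(c in string.digits for c in password),
        "special": sum(c in string.punctuation for c in password),
    }
    limits = {"lower case": min_lower, "upper case": min_upper,
              "numeric": min_numeric, "special": min_special}
    failures = []
    if min_length is not None and len(password) < min_length:
        failures.append(f"at least {min_length} characters required")
    for name, minimum in limits.items():
        if minimum is not None and counts[name] < minimum:
            failures.append(f"at least {minimum} {name} characters required")
    # Maximum Password History: only the most recent N stored hashes are compared.
    if max_history is not None and max_history > 0:
        if password_hash(password) in previous_hashes[-max_history:]:
            failures.append(f"password matches one of the last {max_history} passwords")
    return failures
```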


LDAP/Active Directory Authentication


LDAP/Active Directory authentication allows you to authenticate employees against an LDAP (Lightweight Directory Access Protocol) server. This includes Microsoft Active Directory when it is configured with LDAP support (see the notes below).


LDAP/Active Directory authentication has the following properties:


Property

Description

LDAP Server

The host name or IP address of the LDAP server.

LDAP Server Port

The port number of the LDAP server. The default port number is 389 (or 636 if using SSL).

Use SSL

Check this option if you want to connect to the LDAP server using SSL (Secure Sockets Layer). This option increases your security by encrypting all communications between the timesheet application and the LDAP server. Your LDAP server must be configured for SSL for this to work.

Login

The login name of a technical or administrative user, if this LDAP server requires authentication. Depending upon your directory server a simple login name might work, such as "Directory Manager", or you might need to enter a distinguished name such as "CN=ADMINISTRATOR,CN=USERS,DC=PACIFICTIMESHEET,DC=COM". Note that for some Active Directory installations you need to enter this in upper-case.


Another variant for Active Directory is of the form admin@pacifictimesheet.com. This is the SAM account name followed by the domain of the Active Directory server.

Password

The login password.

Search Base

The LDAP search base, which determines where a search for employees will start. This is a distinguished name (DN), such as "DC=pacifictimesheet,DC=com".

Search Filter

The LDAP search filter, which is used to find employees in the directory. The value depends on the type of directory server and how it is configured. For many open source LDAP servers the following will work:


(&(objectClass=inetOrgPerson)(uid={0}))


For Microsoft Active Directory the following will generally work:


(&(objectClass=user)(sAMAccountName={0}))

Logging

Check this option to help troubleshoot authentication failures. The log files can be viewed with a text editor, and are located in the <PacificTimesheet>/tomcat/logs directory.


You can test these settings by clicking the "Test Configuration" button. This will connect to the specified LDAP server and perform a search, reporting any errors that arise.


You will still need to have an employee account in Pacific Timesheet for each employee that will use the system. If an employee has an LDAP login but does not have a Pacific Timesheet login they will not be able to log in.


In the event of an LDAP failure, such as the directory server being unavailable, or no matching user account being found in the directory, Pacific Timesheet will fail over to standard authentication. The entered login name and password will be checked against the Pacific Timesheet database. This ensures an administrator will still be able to log in using the Pacific Timesheet account, and change the LDAP settings if need be. This also allows you to have accounts in Pacific Timesheet that are not in the directory server, such as 'admin'.


When using LDAP authentication your employees will no longer see the "Change Password" link on their home page (unless an LDAP failure occurred and the standard authentication was used instead, as described above).
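The following is an added example, not Pacific Timesheet's own code, covering the Search Filter property and the fail-over to standard authentication described above. It fills the {0} placeholder with the login name escaped per RFC 4515 so that the name cannot change the structure of the filter, and falls back to the local database only when the directory is unavailable or has no matching entry. The directory lookup, the user bind and the local database check are injected callables (assumptions) so the example runs without a directory server; treating a wrong directory password as a refusal rather than a fall-over is likewise an assumption.

```python
from typing import Callable, Optional


class LdapUnavailable(Exception):
    """Raised when the directory server cannot be reached."""


def escape_filter_value(value: str) -> str:
    # RFC 4515 requires these characters to be written as \XX hex escapes inside
    # a filter value, otherwise a login name could close or extend the filter.
    out = []
    for ch in value:
        if ch in '\\*()\x00':
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_search_filter(template: str, login: str) -> str:
    """Fill the {0} placeholder used by the Search Filter property."""
    return template.replace("{0}", escape_filter_value(login))


def authenticate(login: str, password: str, filter_template: str,
                 ldap_lookup: Callable[[str], Optional[str]],
                 ldap_bind: Callable[[str, str], bool],
                 standard_check: Callable[[str, str], bool]) -> Optional[str]:
    """Return "ldap" or "standard" for a successful login, None when it is refused."""
    search_filter = build_search_filter(filter_template, login)
    try:
        user_dn = ldap_lookup(search_filter)  # search below the configured Search Base
    except LdapUnavailable:
        user_dn = None  # directory down: fail over to standard authentication
    if user_dn is not None:
        # Entry found: the directory decides. A wrong password here is refused
        # rather than retried against the local database (assumption).
        return "ldap" if ldap_bind(user_dn, password) else None
    # No directory entry (or no directory): check the Pacific Timesheet database,
    # which is what keeps a local account such as 'admin' usable.
    return "standard" if standard_check(login, password) else None
```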


Microsoft Active Directory Notes


You will need to enable LDAP support in Active Directory. Then add the object classes and related attributes for the "inetOrgPerson" and "groupOfUniqueNames" object classes to the Active Directory schema by using the Active Directory Management Console snap-in, ADSIEdit. "groupOfUniqueNames" is defined in RFC 2256, "inetOrgPerson" in RFC 2798.

