At UC.edu, Blackboard Loves LDAP!
December 12th, 2008
On December 22nd, as soon as the clock rolls from 07:59 to 08:00 (2008-12-22), our seven Blackboard application servers will be switched over to authenticate against LDAP instead of the standard Blackboard RDBMS (passwords stored in the Oracle database). This transition is not without issues, and this blog post will serve to inform FTRC members of several support scenarios and other important information on how to handle them. Support Personnel: please be sure to read this post thoroughly, and feel free to ask questions in the comments.
The Security Center and You
On the test system (Coke) there is a new homepage module that everyone will see when they log in, called the Security Center. Please log in to coke (link only works on campus!) and see things for yourself. You’ll need an account on coke to do this, and you’ll log in with your 6+2 and current LDAP/OneStop/etc. password. The Security Center is something I wrote to provide feedback about password-related issues such as expiration and grace logins. If the user’s password has expired but they still have grace logins remaining on their account, they will be able to log in to Blackboard, but each such login consumes a grace login and decrements the user’s remaining grace logins by one. By default, all UC accounts provide six grace logins, and therefore users have six logins after their password expires before they are locked out and must change their password. I am investigating a way to display grace logins and the password expiration date in SysOp, but it’s not there yet.
Things to look for in SysOp
Examine the Unique Ids Source when you look up the user’s data. There is a known issue with accounts coming from “B – Grandfathered Beecher accounts”: those accounts do not exist in the LDAP tree that Blackboard authenticates against, and the caller should use their standard 6+2 login name with Blackboard instead. This issue should be very rare. When Blackboard attempts to authenticate these users against LDAP, they will be treated in the same way as visitor and other non-LDAP accounts, meaning Blackboard will fall back to their RDBMS (database) password. If the user wishes to continue using the account, inform them that they must log in with the same password as they did before the conversion to LDAP, since their account is being handled as a non-LDAP account. Note that an account handled this way is also outside the LDAP password policy: its database password does not expire and has no grace logins, so none of the expiration scenarios below apply to it.
SysOp showing my LDAP-authenticated account: if the password has expired, a message says so.

SysOp showing a non-LDAP account.

Here are a few scenarios that could occur when a user calls with password issues, beyond the standard bad password errors you are accustomed to.
First Scenario
User is unable to log in and receives a message that their password has expired. The user’s password has expired and they have no grace logins remaining. The user must visit the UCit Password Self Service portal and reset their password, or contact the UCit Help Desk for further assistance. Since Password Self Service also requires a grace login to accept an expired password (see the second scenario), a user with none remaining will need the Help Desk.

Second Scenario
User’s password has expired, but they were able to log in by consuming a grace login. Immediately advise the user to visit the UCit Password Self Service before they run out of grace logins. Nota bene: logging in to Password Self Service with an expired password requires at least one available grace login! If the user has just used their last grace login by logging in to Blackboard, and the Security Center displays a value of zero (0) for remaining grace logins, the user must contact the UCit Help Desk to reset their account.

Third Scenario
User’s password will expire within the warning period (160 days in this case; the production system is configured for 7 days, so the 160-day value is for illustration only). Advise the user to visit the UCit Password Self Service before their password expires.
Fourth Scenario
All is well: the user’s password will not expire within the configured seven-day warning period, so no action is needed. I guess it’s not really a scenario at all.
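The Security Center described above has to turn whatever the directory reports about expiration and grace logins into one of the four scenarios. The following is an added example, not code from the original post, from Blackboard, or from UC's Security Center: it decodes the LDAP password-policy response control that directories implementing draft-behera-ldap-password-policy attach to a bind response, and maps the decoded warning or error onto the scenarios. Whether UC's directory returns this control is not stated in the post; that, the control's BER layout, the seven-day warning window, and the hand-built sample control values are the assumptions this example rests on.

```python
"""Added example (not from the original post or from Blackboard): decode the
draft-behera LDAP password-policy response control and map it onto the four
support scenarios.  Assumes the directory returns this control on bind."""
from dataclasses import dataclass
from typing import Optional, Tuple

# OID of the password policy request/response control (assumption: directory supports it).
PP_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# Values of PasswordPolicyResponseValue.error (ENUMERATED) as listed in the draft.
PP_ERRORS = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}

# Production warning window from the post: seven days, in seconds.
WARNING_PERIOD_SECONDS = 7 * 24 * 3600


@dataclass
class PasswordPolicy:
    time_before_expiration: Optional[int] = None   # seconds until the password expires
    grace_authns_remaining: Optional[int] = None   # grace logins left AFTER this bind
    error: Optional[str] = None


def _tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length (0x8n + n length bytes)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("BER length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_pp_response(value: bytes) -> PasswordPolicy:
    """Parse PasswordPolicyResponseValue ::= SEQUENCE { warning [0] CHOICE, error [1] ENUMERATED }."""
    tag, body, _ = _tlv(value, 0)
    if tag != 0x30:
        raise ValueError("PasswordPolicyResponseValue must be a SEQUENCE")
    pp, pos = PasswordPolicy(), 0
    while pos < len(body):
        tag, inner, pos = _tlv(body, pos)
        if tag == 0xA0:                        # warning [0]: constructed tag wrapping the CHOICE
            ctag, ival, _ = _tlv(inner, 0)
            n = int.from_bytes(ival, "big")
            if ctag == 0x80:                   # timeBeforeExpiration [0] INTEGER
                pp.time_before_expiration = n
            elif ctag == 0x81:                 # graceAuthNsRemaining [1] INTEGER
                pp.grace_authns_remaining = n
            else:
                raise ValueError(f"unknown warning choice tag 0x{ctag:02x}")
        elif tag == 0x81:                      # error [1] ENUMERATED
            pp.error = PP_ERRORS.get(int.from_bytes(inner, "big"), "unknown")
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in PasswordPolicyResponseValue")
    return pp


def scenario(bind_ok: bool, pp: Optional[PasswordPolicy]) -> Tuple[str, str]:
    """Map a bind outcome plus decoded control onto the post's scenarios: (code, advice).

    pp is None for accounts that never reach LDAP (visitor, grandfathered Beecher and
    other database-only accounts); those fall back to the RDBMS password and never expire.
    """
    if pp is None:
        return "non-ldap", "Database account: password will not expire; resets go through FTRC support."
    if not bind_ok:
        if pp.error == "passwordExpired":
            return "scenario-1", "Expired, no grace logins: Password Self Service or the UCit Help Desk."
        if pp.error == "accountLocked":
            return "locked", "Account locked: contact the UCit Help Desk."
        return "bad-password", "Standard bad-password handling."
    if pp.grace_authns_remaining is not None:
        if pp.grace_authns_remaining == 0:
            # Self Service itself needs a grace login to accept an expired password.
            return "scenario-2-last", "Last grace login just consumed: the UCit Help Desk must reset the account."
        return "scenario-2", f"Expired; {pp.grace_authns_remaining} grace logins left: go to Password Self Service now."
    if pp.time_before_expiration is not None and pp.time_before_expiration <= WARNING_PERIOD_SECONDS:
        return "scenario-3", f"Expires in {pp.time_before_expiration // 86400} day(s): visit Password Self Service."
    return "scenario-4", "All is well."


# Constructed control values (hand-encoded BER, not captured from any real directory).
SAMPLE_GRACE_5 = bytes.fromhex("3005A003810105")      # warning: graceAuthNsRemaining = 5
SAMPLE_GRACE_0 = bytes.fromhex("3005A003810100")      # warning: graceAuthNsRemaining = 0
SAMPLE_3_DAYS = bytes.fromhex("3007A005800303F480")   # warning: timeBeforeExpiration = 259200 s
SAMPLE_30_DAYS = bytes.fromhex("3007A0058003278D00")  # warning: timeBeforeExpiration = 2592000 s
SAMPLE_EXPIRED = bytes.fromhex("3003810100")          # error: passwordExpired (bind fails)

if __name__ == "__main__":
    for label, ok, raw in [("grace 5", True, SAMPLE_GRACE_5), ("grace 0", True, SAMPLE_GRACE_0),
                           ("3 days", True, SAMPLE_3_DAYS), ("30 days", True, SAMPLE_30_DAYS),
                           ("expired", False, SAMPLE_EXPIRED), ("db-only", True, None)]:
        print(label, "->", scenario(ok, decode_pp_response(raw) if raw is not None else None))
```

With a client library that lets you attach a non-critical request control (OID PP_CONTROL_OID, no value) to the bind and hands back the raw response-control value, pass that value to decode_pp_response; the grace count it reports is the number remaining after the bind that just consumed one, which is why zero is the "last grace login used" case rather than a still-usable one.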

Password Resets for LDAP accounts
These can be done through the UCit Password Self Service portal, or by having the user contact the UCit Help Desk.
Security Center and non-LDAP accounts
The Security Center displays a message that the user’s password will not expire. Eventually this module will be hidden for non-LDAP-authenticated user accounts. Of course, that “eventually” may be before December 22nd, but it has not happened at the time of writing.
Password Resets for non-LDAP accounts
I am currently doing the engineering before coding my own password reset utility for Blackboard, to accommodate the fact that the built-in password reset functionality is not available when bb-config.properties is configured for LDAP authentication. This is very frustrating, and I may give Blackboard a call to see if they can tell me how to force it on even with LDAP turned on. If this functionality is not restored, password resets for non-LDAP users will have to be handled by the FTRC Blackboard Support Team via phone.
In Conclusion
If you run into issues not covered by this post, please feel free to come find me and ask. Once we solve the issue, we might even add it here. Consider this an experiment in work blogging. I’m looking forward to your comments on this post.

December 12th, 2008 at 6:59 pm
Well, I’m not support, so forgive me for jumping in here, but….
First off, I love it; very cool functionality, and I would love to see something similar for Cap. If it can be easily tweaked on your end, let’s talk about it after things calm down for you all over there… if it requires a bunch of time, then I could potentially put someone on it on our end, but things are crazy over here too and I don’t see being able to put anyone other than a student on it till at least Summer semester… which is fine, there is not a big rush.
Second, you mention here that “the built-in password reset functionality is not available when bb-config.properties is configured for LDAP authentication.” However, we have been authenticating off of LDAP for some time now and we still have that password reset available… it does not work, so yes, the functionality is not there, as LDAP overrides whatever the user would reset their password to, but it is still there and is a bit confusing for those that stumble upon it. Do you mean that the functionality is not there, or that the reset is not available at all? Is there a way to turn it off so that users do not see something that does not function?
Thanks,
December 12th, 2008 at 8:38 pm
My testing on Blackboard 8.0 SP3 shows that the ‘default’ password change URL “/webapps/blackboard/password” shows a message that “Blackboard does not handle the current authentication method”… true for LDAP accounts, but not true for the accounts that still only live in the database.
Capital is an LDAP school and suffers from the same issue that the test system does – there’s a password reset facility, it’s just not Blackboard’s facility.
I hope that makes sense.
December 12th, 2008 at 8:40 pm
Oh, and as far as adapting this for Capital, it’s not a 5 minute change but I think it’s quite possible. I’ll need to diddle with your LDAP server and my LDAP server browser before I can say for sure.
July 29th, 2009 at 12:19 pm
Just for the record, I DID end up writing my own password reset functionality. Which was a ROYAL hack, and it’s pretty ugly. But it works!