Hi Michael,

I'll double check later today and update if needed.

On 31/08/17 05:30, Michael Chinn wrote:
> Greetings, I'm configuring a new 1.5.9 install. I tried to look for the answer in the LedgerSMB manual but the manual from the website is for v1.3x... So.

While that manual is for 1.3, it is "generally" correct. We are aware it needs to be updated but developer time has been focused on improving the stability of the software and fixing bugs. We could really do with some help getting the documentation updated. Ideally updating the documentation is best done by a user as us developers often overlook information the users want to see.

> Under "Security Settings"
> Password Duration: Is this days? minutes? seconds? What is the default?

Password Duration should be in days. And on initial user creation this is set very short (1 day from memory). However, once the user changes their password, the default is 365 days I believe.

> Suggestion #1: Whatever the duration period is, place it next to the description along with the default value. Like so:
> Password Duration, in Days (Default=2 days):

Agreed, the duration should be shown in the UI. Also, the currently set value should be displayed, even if it is the default. (At the moment we only display a modified value.)

> Session Lockout (Session Timeout): Is this minutes? seconds? What is the default?

This value is in minutes, and I can't remember what the default is. An hour or two most likely.

> Suggestion #2: Whatever the duration period is, place it next to the description along with the default value. Like so:
> Session Lockout, in Minutes (Default=10 minutes):

Yep, once again, the units should be displayed, as should the "current" value, even if it's the default.

> Suggestion #3 (for next release): Enable the Sys Admin to disable the Password Duration altogether. So setting the Password Duration to "0" means that user passwords do not expire.

The normal way to handle that is set an arbitrarily long Password Duration.
eg: 9999 (gives 27.4 years)

> You could just replace the "hard" password expiration with just a 180-day nag like this:
> Your password is over 180 days old. Please consider replacing the current password with a newer one.
> And, include a link/button that says: "Disregard". Which will stop the nag for another 180 days.

While being able to simply nag may be OK for single user sites, it's extremely undesirable for multiuser and Web Facing sites. That said, Erik may have some ideas about making this more configurable.

I'll arrange to get units added, and the default values displayed for the next release. I've created issue #3109 to track that.

Thanks for the reports.

Regards
David G

> Thanks!
> Regards,
> Michael
_______________________________________________ users mailing list ..hidden.. https://lists.ledgersmb.org/mailman/listinfo/users