Re: Users with disabled accounts are still able to login

2009-09-06 Thread BJ Freeman
I agree with David.

snowc sent the following on 9/5/2009 8:46 PM:
> Thanks BJ, I have commented out the code in LoginServices.java.
> 
> Thinking a bit deeper about the admin screen behaviour - why would admin
> only want to temporarily disable an account for 5 minutes?
> 
> 
> BJ Freeman wrote:
>> you can recode the re-activation service so if there is no date it will
>> not re-activate.
>>
>>
>> snowc sent the following on 9/5/2009 7:53 PM:
>>> In MHO, while not permanently disabling accounts for failed logins may be
>>> desirable, this behaviour is not desirable for the admin interface.  The
>>> default for the admin interface should be to permanently disable the
>>> account.
>>>
>>>
>>> David E Jones wrote:
>>>> The reason for this (which is configuration in the security.properties
>>>> file, BTW, and is documented in the production setup guide) is that
>>>> repeated login attempts usually cause an account to be disabled, but
>>>> people usually don't want permanent disabling because of the internal/
>>>> customer service headaches. Enabling after five minutes (and telling
>>>> the user that will happen) still makes brute-force password guessing
>>>> attacks pretty much impossible, but gives the user a way to get back
>>>> in without making a phone call.
>>>>
>>>> -David
>>>>
>>>>
>>>> On Jul 1, 2008, at 3:09 PM, Robert Volke wrote:
>>>>
>>>>> Wow, that did the trick.  When I first saved the Enabled flag change
>>>>> to N, it automatically populated the disabled date, so I deleted
>>>>> this date and saved the change again.  Now the disabled admin can no
>>>>> longer login.  It looks like if you simply disable an account and
>>>>> leave the time stamp, it will automatically enable again in 5
>>>>> minutes.  I'm not sure why it does this, and I didn't see a way to
>>>>> change the end date for the disable so I'm going to inform my users
>>>>> to use this work around.
>>>>>
>>>>> Thank you for all of the help,
>>>>> Robert Volke
>>>>>
>>>> Bilgin Ibryam  7/1/2008 3:53:22 PM >>>
>>>>> Hi Robert,
>>>>>
>>>>> try to set the Enabled Flag to "N"  WITHOUT Disabled Date Time.
>>>>>
>>>>> Bilgin
>>>>>
>>>>> This message was sent using IMP, the Internet Messaging Program.
>>>>>

>> -- 
>> BJ Freeman
>> http://www.businessesnetwork.com/automation
>> http://bjfreeman.elance.com
>> http://www.linkedin.com/profile?viewProfile=&key=1237480&locale=en_US&trk=tab_pro
>> Systems Integrator.
>>
>>
>>
> 

-- 
BJ Freeman
http://www.businessesnetwork.com/automation
http://bjfreeman.elance.com
http://www.linkedin.com/profile?viewProfile=&key=1237480&locale=en_US&trk=tab_pro
Systems Integrator.



Re: Users with disabled accounts are still able to login

2009-09-05 Thread snowc

Thanks BJ, I have commented out the code in LoginServices.java.

Thinking a bit deeper about the admin screen behaviour - why would admin
only want to temporarily disable an account for 5 minutes?


BJ Freeman wrote:
> 
> you can recode the re-activation service so if there is no date it will
> not re-activate.
> 
> 
> snowc sent the following on 9/5/2009 7:53 PM:
>> In MHO, while not permanently disabling accounts for failed logins may be
>> desirable, this behaviour is not desirable for the admin interface.  The
>> default for the admin interface should be to permanently disable the
>> account.
>> 
>> 
>> David E Jones wrote:
>>>
>>> The reason for this (which is configuration in the security.properties  
>>> file, BTW, and is documented in the production setup guide) is that  
>>> repeated login attempts usually cause an account to be disabled, but  
>>> people usually don't want permanent disabling because of the internal/ 
>>> customer service headaches. Enabling after five minutes (and telling  
>>> the user that will happen) still makes brute-force password guessing  
>>> attacks pretty much impossible, but gives the user a way to get back  
>>> in without making a phone call.
>>>
>>> -David
>>>
>>>
>>> On Jul 1, 2008, at 3:09 PM, Robert Volke wrote:
>>>
>>>> Wow, that did the trick.  When I first saved the Enabled flag change
>>>> to N, it automatically populated the disabled date, so I deleted
>>>> this date and saved the change again.  Now the disabled admin can no
>>>> longer login.  It looks like if you simply disable an account and
>>>> leave the time stamp, it will automatically enable again in 5
>>>> minutes.  I'm not sure why it does this, and I didn't see a way to
>>>> change the end date for the disable so I'm going to inform my users
>>>> to use this work around.
>>>>
>>>> Thank you for all of the help,
>>>> Robert Volke
>>>>
>>> Bilgin Ibryam  7/1/2008 3:53:22 PM >>>
>>>> Hi Robert,
>>>>
>>>> try to set the Enabled Flag to "N"  WITHOUT Disabled Date Time.
>>>>
>>>> Bilgin
>>>>
>>>
>>>
>> 
> 
> -- 
> BJ Freeman
> http://www.businessesnetwork.com/automation
> http://bjfreeman.elance.com
> http://www.linkedin.com/profile?viewProfile=&key=1237480&locale=en_US&trk=tab_pro
> Systems Integrator.
> 
> 
> 

-- 
View this message in context: 
http://www.nabble.com/Users-with-disabled-accounts-are-still-able-to-login-tp18223799p25314413.html
Sent from the OFBiz - User mailing list archive at Nabble.com.



Re: Users with disabled accounts are still able to login

2009-09-05 Thread BJ Freeman
you can recode the re-activation service so if there is no date it will
not re-activate.


snowc sent the following on 9/5/2009 7:53 PM:
> In MHO, while not permanently disabling accounts for failed logins may be
> desirable, this behaviour is not desirable for the admin interface.  The
> default for the admin interface should be to permanently disable the
> account.
> 
> 
> David E Jones wrote:
>>
>> The reason for this (which is configuration in the security.properties  
>> file, BTW, and is documented in the production setup guide) is that  
>> repeated login attempts usually cause an account to be disabled, but  
>> people usually don't want permanent disabling because of the internal/ 
>> customer service headaches. Enabling after five minutes (and telling  
>> the user that will happen) still makes brute-force password guessing  
>> attacks pretty much impossible, but gives the user a way to get back  
>> in without making a phone call.
>>
>> -David
>>
>>
>> On Jul 1, 2008, at 3:09 PM, Robert Volke wrote:
>>
>>> Wow, that did the trick.  When I first saved the Enabled flag change  
>>> to N, it automatically populated the disabled date, so I deleted  
>>> this date and saved the change again.  Now the disabled admin can no  
>>> longer login.  It looks like if you simply disable an account and  
>>> leave the time stamp, it will automatically enable again in 5  
>>> minutes.  I'm not sure why it does this, and I didn't see a way to  
>>> change the end date for the disable so I'm going to inform my users  
>>> to use this work around.
>>>
>>> Thank you for all of the help,
>>> Robert Volke
>>>
>> Bilgin Ibryam  7/1/2008 3:53:22 PM >>>
>>> Hi Robert,
>>>
>>> try to set the Enabled Flag to "N"  WITHOUT Disabled Date Time.
>>>
>>> Bilgin
>>>
>>>
>>>
>>
>>
> 

-- 
BJ Freeman
http://www.businessesnetwork.com/automation
http://bjfreeman.elance.com
http://www.linkedin.com/profile?viewProfile=&key=1237480&locale=en_US&trk=tab_pro
Systems Integrator.
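
The behaviour discussed in this thread, as an added example that is not part of any poster's message and is not OFBiz source: a stand-alone Java model of the Enabled Flag and Disabled Date Time fields, showing why a disable saved with a timestamp lapses after five minutes while one saved without it does not. All class and method names are hypothetical, the sample ids and times are constructed, and the five-minute window is the value quoted in the thread.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;

/**
 * Added illustration, not OFBiz source. It models the two UserLogin fields the
 * thread talks about (Enabled Flag, Disabled Date Time); all class and method
 * names are hypothetical.
 */
public class LoginDisableModel {

    /** Re-enable window quoted in the thread; the real value is site configuration. */
    static final Duration RE_ENABLE_AFTER = Duration.ofMinutes(5);

    static final class UserLogin {
        final String userLoginId;
        String enabled = "Y";      // "Y" or "N"
        Instant disabledDateTime;  // null = no timestamp recorded

        UserLogin(String userLoginId) {
            this.userLoginId = userLoginId;
        }
    }

    /** Login-time decision as the posters describe it. */
    static boolean mayLogIn(UserLogin u, Instant now) {
        if (!"N".equals(u.enabled)) {
            return true;
        }
        if (u.disabledDateTime == null) {
            return false; // no timestamp: the login stays disabled
        }
        // Timestamp present: handled like a failed-login lockout and lifted later.
        return now.isAfter(u.disabledDateTime.plus(RE_ENABLE_AFTER));
    }

    /** Automatic lockout after repeated failed logins: flag plus timestamp. */
    static void lockOut(UserLogin u, Instant now) {
        u.enabled = "N";
        u.disabledDateTime = now;
    }

    /** Administrative disable that must not expire: flag only, timestamp cleared. */
    static void disablePermanently(UserLogin u) {
        u.enabled = "N";
        u.disabledDateTime = null;
    }

    /** Audit helper: disabled logins that will come back without anyone acting. */
    static List<String> willReEnableOnTheirOwn(List<UserLogin> logins) {
        List<String> ids = new ArrayList<>();
        for (UserLogin u : logins) {
            if ("N".equals(u.enabled) && u.disabledDateTime != null) {
                ids.add(u.userLoginId);
            }
        }
        return ids;
    }

    public static void main(String[] args) {
        // Constructed sample data; the ids and times are made up for the example.
        Instant t0 = Instant.parse("2009-09-05T20:00:00Z");
        Instant t1 = t0.plus(Duration.ofMinutes(1));
        Instant t6 = t0.plus(Duration.ofMinutes(6));

        UserLogin lockedOut = new UserLogin("customer1");
        lockOut(lockedOut, t0);               // what repeated failed logins trigger

        UserLogin savedWithDate = new UserLogin("leaver1");
        lockOut(savedWithDate, t0);           // admin saved N plus a date: same stored state

        UserLogin savedWithoutDate = new UserLogin("leaver2");
        disablePermanently(savedWithoutDate); // the workaround from the thread

        List<UserLogin> all = List.of(lockedOut, savedWithDate, savedWithoutDate);
        for (UserLogin u : all) {
            System.out.printf("%-10s login at +1 min: %-5b login at +6 min: %b%n",
                    u.userLoginId, mayLogIn(u, t1), mayLogIn(u, t6));
        }
        System.out.println("Will re-enable unattended: " + willReEnableOnTheirOwn(all));
    }
}
```

The audit helper is the check to run after offboarding: any id it returns is disabled only until the window passes.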



Re: Users with disabled accounts are still able to login

2009-09-05 Thread snowc

In MHO, while not permanently disabling accounts for failed logins may be
desirable, this behaviour is not desirable for the admin interface.  The
default for the admin interface should be to permanently disable the
account.


David E Jones wrote:
> 
> 
> The reason for this (which is configuration in the security.properties  
> file, BTW, and is documented in the production setup guide) is that  
> repeated login attempts usually cause an account to be disabled, but  
> people usually don't want permanent disabling because of the internal/ 
> customer service headaches. Enabling after five minutes (and telling  
> the user that will happen) still makes brute-force password guessing  
> attacks pretty much impossible, but gives the user a way to get back  
> in without making a phone call.
> 
> -David
> 
> 
> On Jul 1, 2008, at 3:09 PM, Robert Volke wrote:
> 
>> Wow, that did the trick.  When I first saved the Enabled flag change  
>> to N, it automatically populated the disabled date, so I deleted  
>> this date and saved the change again.  Now the disabled admin can no  
>> longer login.  It looks like if you simply disable an account and  
>> leave the time stamp, it will automatically enable again in 5  
>> minutes.  I'm not sure why it does this, and I didn't see a way to  
>> change the end date for the disable so I'm going to inform my users  
>> to use this work around.
>>
>> Thank you for all of the help,
>> Robert Volke
>>
> Bilgin Ibryam  7/1/2008 3:53:22 PM >>>
>>
>> Hi Robert,
>>
>> try to set the Enabled Flag to "N"  WITHOUT Disabled Date Time.
>>
>> Bilgin
>>
>>
>>
> 
> 
> 

-- 
View this message in context: 
http://www.nabble.com/Users-with-disabled-accounts-are-still-able-to-login-tp18223799p25314222.html
Sent from the OFBiz - User mailing list archive at Nabble.com.



Re: Users with disabled accounts are still able to login

2009-08-14 Thread Jacques Le Roux

Do you speak about https://localhost:8443/partymgr/control/editlogin?partyId=admin&userLoginId=flexadmin ?
If yes, did you try to set "Disabled Date Time" ?

Jacques

From: "masionas"
> Ok. My concern is about functional design of  Disable/Enable status section
> in Party manager for UserLogin entity. It looks, it is the right place to
> control it for a given party. The only design drawback I see there as it is
> now is that it disables login for 5 min and then re-enable it. In a real
> world scenario who needs this functionality? Why you would disable login for
> 5 min manually and as I remember it does not give a note that it was
> disabled only for 5 min?
>
> I think no need to have it as a separate function in Webtools as it is
> already exists in Party Manager context and is the right place to be. just a
> bit strange behaviour of 5 min re-enabling. Do you see my point, Jacques?
>
> jacques.le.roux wrote:
>>
>> From: "masionas"
>>> HI Jacques,
>>>
>>> Thanks for your reply. But in a real world I think other scenario actually
>>> happens. For example, company fires an employee and obviously respective
>>> user account should be Disabled PERMANENTLY. Since userlogin is disabled by
>>> the SYSTEM automatically in the case of wrong login retries I do not see why
>>> UI in Party manager should duplicate it? It looks  more logical to me have
>>> that UI for permanent disable.
>>
>> Sorry I'm not sure to understand you. What I proposed was to create a new
>> section in Webtools (admin tools) where someone (with
>> admin right) would be able to disable permanently a login (beware a party
>> may have several logins...).?
>> Have a look at updateUserLoginSecurity service
>>
>> Jacques
>>
>>> jacques.le.roux wrote:
>>>>
>>>> This is used for disabling an UserLogin temporarily after some (3?) tries
>>>> (in case, for instance, someone tried to force it).
>>>> So I'm not seeing what is to fix here. If you need an UI to permanently
>>>> disable a login you could contribute a patch.
>>>> I'd suggest using Webtools as place with a new general entry about parties
>>>> then...
>>>> You could even use the new service to parametrize the above behaviour with
>>>> a property.
>>>>
>>>> Jacques
>>>>
>>>> From: "masionas"
>>>>> Hi Guys,
>>>>>
>>>>> Any updates on whether it was fixed lately? With 9.04 release it seems still
>>>>> needs the workaround instead of directly to disable login permanently.
>>>>>
>>>>> Robert Volke wrote:
>>>>>>
>>>>>> Wow, that did the trick.  When I first saved the Enabled flag change to N,
>>>>>> it automatically populated the disabled date, so I deleted this date and
>>>>>> saved the change again.  Now the disabled admin can no longer login.  It
>>>>>> looks like if you simply disable an account and leave the time stamp, it
>>>>>> will automatically enable again in 5 minutes.  I'm not sure why it does
>>>>>> this, and I didn't see a way to change the end date for the disable so I'm
>>>>>> going to inform my users to use this work around.
>>>>>>
>>>>>> Thank you for all of the help,
>>>>>> Robert Volke
>>>>>>
>>>>> Bilgin Ibryam  7/1/2008 3:53:22 PM >>>
>>>>>>
>>>>>> Hi Robert,
>>>>>>
>>>>>> try to set the Enabled Flag to "N"  WITHOUT Disabled Date Time.
>>>>>>
>>>>>> Bilgin



Re: Users with disabled accounts are still able to login

2009-08-14 Thread Adrian Crum
Maybe all that is needed is a tooltip stating what to do to permanently 
disable the account.


-Adrian

masionas wrote:
> Ok. My concern is about functional design of  Disable/Enable status section
> in Party manager for UserLogin entity. It looks, it is the right place to
> control it for a given party. The only design drawback I see there as it is
> now is that it disables login for 5 min and then re-enable it. In a real
> world scenario who needs this functionality? Why you would disable login for
> 5 min manually and as I remember it does not give a note that it was
> disabled only for 5 min?
>
> I think no need to have it as a separate function in Webtools as it is
> already exists in Party Manager context and is the right place to be. just a
> bit strange behaviour of 5 min re-enabling. Do you see my point, Jacques?
>
> jacques.le.roux wrote:
>>
>> From: "masionas"
>>> HI Jacques,
>>>
>>> Thanks for your reply. But in a real world I think other scenario actually
>>> happens. For example, company fires an employee and obviously respective
>>> user account should be Disabled PERMANENTLY. Since userlogin is disabled by
>>> the SYSTEM automatically in the case of wrong login retries I do not see why
>>> UI in Party manager should duplicate it? It looks  more logical to me have
>>> that UI for permanent disable.
>>
>> Sorry I'm not sure to understand you. What I proposed was to create a new
>> section in Webtools (admin tools) where someone (with
>> admin right) would be able to disable permanently a login (beware a party
>> may have several logins...).?
>> Have a look at updateUserLoginSecurity service
>>
>> Jacques
>>
>>> jacques.le.roux wrote:
>>>>
>>>> This is used for disabling an UserLogin temporarily after some (3?) tries
>>>> (in case, for instance, someone tried to force it).
>>>> So I'm not seeing what is to fix here. If you need an UI to permanently
>>>> disable a login you could contribute a patch.
>>>> I'd suggest using Webtools as place with a new general entry about parties
>>>> then...
>>>> You could even use the new service to parametrize the above behaviour with
>>>> a property.
>>>>
>>>> Jacques
>>>>
>>>> From: "masionas"
>>>>> Hi Guys,
>>>>>
>>>>> Any updates on whether it was fixed lately? With 9.04 release it seems still
>>>>> needs the workaround instead of directly to disable login permanently.
>>>>>
>>>>> Robert Volke wrote:
>>>>>>
>>>>>> Wow, that did the trick.  When I first saved the Enabled flag change to N,
>>>>>> it automatically populated the disabled date, so I deleted this date and
>>>>>> saved the change again.  Now the disabled admin can no longer login.  It
>>>>>> looks like if you simply disable an account and leave the time stamp, it
>>>>>> will automatically enable again in 5 minutes.  I'm not sure why it does
>>>>>> this, and I didn't see a way to change the end date for the disable so I'm
>>>>>> going to inform my users to use this work around.
>>>>>>
>>>>>> Thank you for all of the help,
>>>>>> Robert Volke
>>>>>>
>>>>> Bilgin Ibryam  7/1/2008 3:53:22 PM >>>
>>>>>>
>>>>>> Hi Robert,
>>>>>>
>>>>>> try to set the Enabled Flag to "N"  WITHOUT Disabled Date Time.
>>>>>>
>>>>>> Bilgin



Re: Users with disabled accounts are still able to login

2009-08-14 Thread masionas

Ok. My concern is about functional design of  Disable/Enable status section
in Party manager for UserLogin entity. It looks, it is the right place to
control it for a given party. The only design drawback I see there as it is
now is that it disables login for 5 min and then re-enable it. In a real
world scenario who needs this functionality? Why you would disable login for
5 min manually and as I remember it does not give a note that it was
disabled only for 5 min?

I think no need to have it as a separate function in Webtools as it is
already exists in Party Manager context and is the right place to be. just a
bit strange behaviour of 5 min re-enabling. Do you see my point, Jacques?



jacques.le.roux wrote:
>
> From: "masionas"
>> HI Jacques,
>>
>> Thanks for your reply. But in a real world I think other scenario actually
>> happens. For example, company fires an employee and obviously respective
>> user account should be Disabled PERMANENTLY. Since userlogin is disabled by
>> the SYSTEM automatically in the case of wrong login retries I do not see why
>> UI in Party manager should duplicate it? It looks  more logical to me have
>> that UI for permanent disable.
>
> Sorry I'm not sure to understand you. What I proposed was to create a new
> section in Webtools (admin tools) where someone (with
> admin right) would be able to disable permanently a login (beware a party
> may have several logins...).?
> Have a look at updateUserLoginSecurity service
>
> Jacques
>
>> jacques.le.roux wrote:
>>>
>>> This is used for disabling an UserLogin temporarily after some (3?) tries
>>> (in case, for instance, someone tried to force it).
>>> So I'm not seeing what is to fix here. If you need an UI to permanently
>>> disable a login you could contribute a patch.
>>> I'd suggest using Webtools as place with a new general entry about parties
>>> then...
>>> You could even use the new service to parametrize the above behaviour with
>>> a property.
>>>
>>> Jacques
>>>
>>> From: "masionas"
>>>> Hi Guys,
>>>>
>>>> Any updates on whether it was fixed lately? With 9.04 release it seems still
>>>> needs the workaround instead of directly to disable login permanently.
>>>>
>>>> Robert Volke wrote:
>>>>>
>>>>> Wow, that did the trick.  When I first saved the Enabled flag change to N,
>>>>> it automatically populated the disabled date, so I deleted this date and
>>>>> saved the change again.  Now the disabled admin can no longer login.  It
>>>>> looks like if you simply disable an account and leave the time stamp, it
>>>>> will automatically enable again in 5 minutes.  I'm not sure why it does
>>>>> this, and I didn't see a way to change the end date for the disable so I'm
>>>>> going to inform my users to use this work around.
>>>>>
>>>>> Thank you for all of the help,
>>>>> Robert Volke
>>>>>
>>>> Bilgin Ibryam  7/1/2008 3:53:22 PM >>>
>>>>>
>>>>> Hi Robert,
>>>>>
>>>>> try to set the Enabled Flag to "N"  WITHOUT Disabled Date Time.
>>>>>
>>>>> Bilgin

-- 
View this message in context: 
http://www.nabble.com/Users-with-disabled-accounts-are-still-able-to-login-tp18223799p24972825.html
Sent from the OFBiz - User mailing list archive at Nabble.com.



Re: Users with disabled accounts are still able to login

2009-08-14 Thread Jacques Le Roux

From: "masionas"
> HI Jacques,
>
> Thanks for your reply. But in a real world I think other scenario actually
> happens. For example, company fires an employee and obviously respective
> user account should be Disabled PERMANENTLY. Since userlogin is disabled by
> the SYSTEM automatically in the case of wrong login retries I do not see why
> UI in Party manager should duplicate it? It looks  more logical to me have
> that UI for permanent disable.

Sorry I'm not sure to understand you. What I proposed was to create a new
section in Webtools (admin tools) where someone (with admin right) would be
able to disable permanently a login (beware a party may have several logins...).?

Have a look at updateUserLoginSecurity service

Jacques

> jacques.le.roux wrote:
>>
>> This is used for disabling an UserLogin temporarily after some (3?) tries
>> (in case, for instance, someone tried to force it).
>> So I'm not seeing what is to fix here. If you need an UI to permanently
>> disable a login you could contribute a patch.
>> I'd suggest using Webtools as place with a new general entry about parties
>> then...
>> You could even use the new service to parametrize the above behaviour with
>> a property.
>>
>> Jacques
>>
>> From: "masionas"
>>> Hi Guys,
>>>
>>> Any updates on whether it was fixed lately? With 9.04 release it seems still
>>> needs the workaround instead of directly to disable login permanently.
>>>
>>> Robert Volke wrote:
>>>>
>>>> Wow, that did the trick.  When I first saved the Enabled flag change to N,
>>>> it automatically populated the disabled date, so I deleted this date and
>>>> saved the change again.  Now the disabled admin can no longer login.  It
>>>> looks like if you simply disable an account and leave the time stamp, it
>>>> will automatically enable again in 5 minutes.  I'm not sure why it does
>>>> this, and I didn't see a way to change the end date for the disable so I'm
>>>> going to inform my users to use this work around.
>>>>
>>>> Thank you for all of the help,
>>>> Robert Volke
>>>>
>>> Bilgin Ibryam  7/1/2008 3:53:22 PM >>>
>>>>
>>>> Hi Robert,
>>>>
>>>> try to set the Enabled Flag to "N"  WITHOUT Disabled Date Time.
>>>>
>>>> Bilgin



Re: Users with disabled accounts are still able to login

2009-08-14 Thread masionas

HI Jacques,

Thanks for your reply. But in a real world I think other scenario actually
happens. For example, company fires an employee and obviously respective
user account should be Disabled PERMANENTLY. Since userlogin is disabled by
the SYSTEM automatically in the case of wrong login retries I do not see why
UI in Party manager should duplicate it? It looks  more logical to me have
that UI for permanent disable.


jacques.le.roux wrote:
> 
> This is used for disabling an UserLogin temporarily after some (3?) tries
> (in case, for instance, someone tried to force it).
> So I'm not seeing what is to fix here. If you need an UI to permanently
> disable a login you could contribute a patch. 
> I'd suggest using Webtools as place with a new general entry about parties
> then...
> You could even use the new service to parametrize the above behaviour with
> a property.
> 
> Jacques
> 
> From: "masionas" 
>> 
>> Hi Guys,
>> 
>> Any updates on whether it was fixed lately? With 9.04 release it seems still
>> needs the workaround instead of directly to disable login permanently.
>>
>>
>> Robert Volke wrote:
>>>
>>> Wow, that did the trick.  When I first saved the Enabled flag change to N,
>>> it automatically populated the disabled date, so I deleted this date and
>>> saved the change again.  Now the disabled admin can no longer login.  It
>>> looks like if you simply disable an account and leave the time stamp, it
>>> will automatically enable again in 5 minutes.  I'm not sure why it does
>>> this, and I didn't see a way to change the end date for the disable so I'm
>>> going to inform my users to use this work around.
>>>
>>> Thank you for all of the help,
>>> Robert Volke
>>>
>> Bilgin Ibryam  7/1/2008 3:53:22 PM >>>
>>>
>>> Hi Robert,
>>>
>>> try to set the Enabled Flag to "N"  WITHOUT Disabled Date Time.
>>>
>>> Bilgin
>>>
>>
> 
> 
> 

-- 
View this message in context: 
http://www.nabble.com/Users-with-disabled-accounts-are-still-able-to-login-tp18223799p24971362.html
Sent from the OFBiz - User mailing list archive at Nabble.com.



Re: Users with disabled accounts are still able to login

2009-08-14 Thread Jacques Le Roux

This is used for disabling an UserLogin temporarily after some (3?) tries (in 
case, for instance, someone tried to force it).
So I'm not seeing what is to fix here. If you need an UI to permanently disable a login you could contribute a patch. 
I'd suggest using Webtools as place with a new general entry about parties then...

You could even use the new service to parametrize the above behaviour with a 
property.

Jacques

From: "masionas"
> Hi Guys,
>
> Any updates on whether it was fixed lately? With 9.04 release it seems still
> needs the workaround instead of directly to disable login permanently.
>
> Robert Volke wrote:
>>
>> Wow, that did the trick.  When I first saved the Enabled flag change to N,
>> it automatically populated the disabled date, so I deleted this date and
>> saved the change again.  Now the disabled admin can no longer login.  It
>> looks like if you simply disable an account and leave the time stamp, it
>> will automatically enable again in 5 minutes.  I'm not sure why it does
>> this, and I didn't see a way to change the end date for the disable so I'm
>> going to inform my users to use this work around.
>>
>> Thank you for all of the help,
>> Robert Volke
>>
> Bilgin Ibryam  7/1/2008 3:53:22 PM >>>
>>
>> Hi Robert,
>>
>> try to set the Enabled Flag to "N"  WITHOUT Disabled Date Time.
>>
>> Bilgin



Re: Users with disabled accounts are still able to login

2009-08-11 Thread masionas

Hi Guys,

Any updates on whether it was fixed lately? With 9.04 release it seems still
needs the workaround instead of directly to disable login permanently.


Robert Volke wrote:
> 
> Wow, that did the trick.  When I first saved the Enabled flag change to N,
> it automatically populated the disabled date, so I deleted this date and
> saved the change again.  Now the disabled admin can no longer login.  It
> looks like if you simply disable an account and leave the time stamp, it
> will automatically enable again in 5 minutes.  I'm not sure why it does
> this, and I didn't see a way to change the end date for the disable so I'm
> going to inform my users to use this work around.
> 
> Thank you for all of the help,
> Robert Volke
> 
 Bilgin Ibryam  7/1/2008 3:53:22 PM >>>
> 
> Hi Robert,
> 
> try to set the Enabled Flag to "N"  WITHOUT Disabled Date Time.
> 
> Bilgin
> 
> 
> 
> 
> 

-- 
View this message in context: 
http://www.nabble.com/Users-with-disabled-accounts-are-still-able-to-login-tp18223799p24922534.html
Sent from the OFBiz - User mailing list archive at Nabble.com.



Re: Users with disabled accounts are still able to login

2008-07-02 Thread Jacques Le Roux
Interesting trick, I put a link to Nabble Forum http://www.nabble.com/forum/Permalink.jtp?root=18223799&post=18223799&page=y from
http://docs.ofbiz.org/display/OFBIZ/FAQ+-+Tips+-+Tricks+-+Cookbook+-+HowTo#FAQ-Tips-Tricks-Cookbook-HowTo-ProductionTips

Jacques

From: "Robert Volke" <[EMAIL PROTECTED]>

> Wow, that did the trick.  When I first saved the Enabled flag change to N,
> it automatically populated the disabled date, so I deleted this date and
> saved the change again.  Now the disabled admin can no longer login.  It
> looks like if you simply disable an account and leave the time stamp, it
> will automatically enable again in 5 minutes.  I'm not sure why it does
> this, and I didn't see a way to change the end date for the disable so I'm
> going to inform my users to use this work around.
>
> Thank you for all of the help,
> Robert Volke
>
Bilgin Ibryam <[EMAIL PROTECTED]> 7/1/2008 3:53:22 PM >>>
>
> Hi Robert,
>
> try to set the Enabled Flag to "N"  WITHOUT Disabled Date Time.
>
> Bilgin


Re: Users with disabled accounts are still able to login

2008-07-01 Thread David E Jones


The reason for this (which is configuration in the security.properties  
file, BTW, and is documented in the production setup guide) is that  
repeated login attempts usually cause an account to be disabled, but  
people usually don't want permanent disabling because of the internal/ 
customer service headaches. Enabling after five minutes (and telling  
the user that will happen) still makes brute-force password guessing  
attacks pretty much impossible, but gives the user a way to get back  
in without making a phone call.


-David


On Jul 1, 2008, at 3:09 PM, Robert Volke wrote:

> Wow, that did the trick.  When I first saved the Enabled flag change
> to N, it automatically populated the disabled date, so I deleted
> this date and saved the change again.  Now the disabled admin can no
> longer login.  It looks like if you simply disable an account and
> leave the time stamp, it will automatically enable again in 5
> minutes.  I'm not sure why it does this, and I didn't see a way to
> change the end date for the disable so I'm going to inform my users
> to use this work around.
>
> Thank you for all of the help,
> Robert Volke
>
Bilgin Ibryam <[EMAIL PROTECTED]> 7/1/2008 3:53:22 PM >>>
>
> Hi Robert,
>
> try to set the Enabled Flag to "N"  WITHOUT Disabled Date Time.
>
> Bilgin


Re: Users with disabled accounts are still able to login

2008-07-01 Thread Robert Volke
Wow, that did the trick.  When I first saved the Enabled flag change to N, it 
automatically populated the disabled date, so I deleted this date and saved the 
change again.  Now the disabled admin can no longer login.  It looks like if 
you simply disable an account and leave the time stamp, it will automatically 
enable again in 5 minutes.  I'm not sure why it does this, and I didn't see a 
way to change the end date for the disable so I'm going to inform my users to 
use this work around.

Thank you for all of the help,
Robert Volke

>>> Bilgin Ibryam <[EMAIL PROTECTED]> 7/1/2008 3:53:22 PM >>>

Hi Robert,

try to set the Enabled Flag to "N"  WITHOUT Disabled Date Time.

Bilgin






Re: Users with disabled accounts are still able to login

2008-07-01 Thread BJ Freeman
I am guessing there is a bug that when you entered the disable time.
this is normally set by the system when there is a login try.


Robert Volke sent the following on 7/1/2008 12:41 PM:
> I can't seem to figure out how to disable user IDs properly.  I reviewed the 
> documentation I could find and followed the disable process for one of my 
> admin accounts but I can still login using the disabled account.  The steps I 
> used are below:
> - Logged into the Party Manager as a different administrator with full rights
> - searched for the 'admin' party
> - Under the user Name(s) section I clicked the Edit link for the target admin 
> account
> - I set the Enabled Flag to "N" and set a Disabled Date Time to the current 
> time before clicking the appropriate save link.  
> 
> After doing these steps, the Disabled status shows up in the User Name(s) 
> section of the Profile page for the target admin, but if I log off, and try 
> to login again as the disabled administrator I am still able to login.  Is 
> there some step I am missing?
> 
> Note: We are running on Apache OFBiz Release 4.0
> 
> Thank you,
> Robert Volke
> 
> 
> 
> 



Re: Users with disabled accounts are still able to login

2008-07-01 Thread Bilgin Ibryam

Hi Robert,

try to set the Enabled Flag to "N"  WITHOUT Disabled Date Time.

Bilgin


This message was sent using IMP, the Internet Messaging Program.