OJS OCS OMP OHS

You are viewing the PKP Support Forum | PKP Home Wiki



Importing User File- Password Conversion?

Are you responsible for making OJS work -- installing, upgrading, migrating or troubleshooting? Do you think you've found a bug? Post in this forum.

Moderators: jmacgreg, btbell, michael, bdgregg, barbarah, asmecher

Forum rules
What to do if you have a technical problem with OJS:

1. Search the forum. You can do this from the Advanced Search Page or from our Google Custom Search, which will search the entire PKP site. If you are encountering an error, we especially recommend searching the forum for said error.

2. Check the FAQ to see if your question or error has already been resolved.

3. Post a question, but please, only after trying the above two solutions. If it's a workflow or usability question you should probably post to the OJS Editorial Support and Discussion subforum; if you have a development question, try the OJS Development subforum.

Importing User File- Password Conversion?

Postby samkalb » Tue Mar 09, 2010 9:45 am

When attempting to import a user from another location, I get the following message:
Cannot use passwords hashed with sha1; OJS is configured to use md5. If you continue, you will need to reset the imported users' passwords.

Is it possible to convert the passwords in the file to use md5?

Sam
samkalb
 
Posts: 33
Joined: Wed Feb 06, 2008 8:52 am

Re: Importing User File- Password Conversion?

Postby asmecher » Wed Mar 10, 2010 9:27 am

Hi Sam,

Unfortunately not -- these are one-way hashes and cannot be converted. Some passwords will need to be reset -- if you do the import, any imported users; if you change the hash configuration in config.inc.php, then any existing users.

Regards,
Alec Smecher
Public Knowledge Project Team
asmecher
 
Posts: 8470
Joined: Wed Aug 10, 2005 12:56 pm

Re: Importing User File- Password Conversion?

Postby samkalb » Mon Mar 29, 2010 11:47 am

Hi Alec,
Even if the users do have to re-enter their password, how can I alter the password element in the exported user file for OJS to accept the imported user data?
samkalb
 
Posts: 33
Joined: Wed Feb 06, 2008 8:52 am

Re: Importing User File- Password Conversion?

Postby asmecher » Mon Mar 29, 2010 12:24 pm

Hi Sam,

Have a look at the "password" element in plugins/importexport/users/users.dtd:

Code: Select all
<!ELEMENT password (#PCDATA)>
        <!ATTLIST password change (true|false) "false">
        <!ATTLIST password encrypted (plaintext|md5|sha1) #IMPLIED>
                <!-- How the password is encrypted (if applicable).
                     Encrypted assumes it was encrypted by Validation::encryptCredentials()
                     and is using the same encryption algorithm used by the system.
                     Default is "plaintext" (unencrypted). -->
For those cases where a hash won't work, you can specify the password in plaintext, and if you like, require the user to change it when they next log in.

Regards,
Alec Smecher
Public Knowledge Project Team
asmecher
 
Posts: 8470
Joined: Wed Aug 10, 2005 12:56 pm

Re: Importing User File- Password Conversion?

Postby sttis » Wed Jul 31, 2013 4:18 pm

Hi,

We are receiving the same error trying to export/import users between one OJS instance that uses sha1 encryption and another instance that users md5 encryption.

"Cannot use passwords hashed with sha1; OJS is configured to use md5. If you continue, you will need to reset the imported users' passwords."

Is there anyway to avoid having users reset their passwords?

e.g. Can we change the config on the sha1 encrypted instance to md5, then do the export? Or will that still require a password change? Can we configure a plain text export somehow?

Thanks,
Suzy
sttis
 
Posts: 27
Joined: Tue May 14, 2013 3:35 am

Re: Importing User File- Password Conversion?

Postby asmecher » Wed Jul 31, 2013 4:35 pm

Hi Suzy,

Unfortunately password hashes are used specifically so that passwords can't be extracted; there is no way to get the passwords out in plaintext, nor to convert from one hashing algorithm to another. I'm afraid you have no option but to reset passwords for one of the two groups of users.

Regards,
Alec Smecher
Public Knowledge Project Team
asmecher
 
Posts: 8470
Joined: Wed Aug 10, 2005 12:56 pm

Re: Importing User File- Password Conversion?

Postby sttis » Thu Aug 08, 2013 7:17 pm

Thanks Alec. I can see how to reset users' passwords in the SQL database, and set the change password to true, but I can't workout how to tell users what their new password is.

Is there a way to generate a "forgot password" style email from the command line or database?

We'd like to randomly generate passwords (but not usernames) and email the details to users. I checked the "Send a notification email to each imported user containing the user's username and password" on import, but no emails were generated. I presume this is because our XML file has usernames in it?

Thanks,
Suzy
sttis
 
Posts: 27
Joined: Tue May 14, 2013 3:35 am

Re: Importing User File- Password Conversion?

Postby asmecher » Fri Aug 09, 2013 4:37 pm

Hi Suzy,

Once the passwords are in the database, they're stored hashed, and you can't recover the original password back again. I'm not sure why the email notification wouldn't be sent on import -- have you checked your server's mail logs to see if they were rejected there? Are other emails received properly? Have you checked spam folders to see if the messages are being trapped there?

If you want to set passwords manually via the database, you'll have to send emails separately; you can't send emails from the DB. If that's OK, and you have other tools to send the emails, I can describe how the password reset would go in the database.

Regards,
Alec Smecher
Public Knowledge Project Team
asmecher
 
Posts: 8470
Joined: Wed Aug 10, 2005 12:56 pm

Re: Importing User File- Password Conversion?

Postby sttis » Mon Aug 12, 2013 10:58 pm

Hi Alec,

I haven't checked the server's mail logs, but other emails are received properly and there is nothing in my spam folders. I'll chat to our technical support about that avenue. Otherwise, it sounds like I'm going to have to click on the "forgot my password" link 1000 times. Eek.

Thanks,
Suzy
sttis
 
Posts: 27
Joined: Tue May 14, 2013 3:35 am

Re: Importing User File- Password Conversion?

Postby asmecher » Tue Aug 13, 2013 8:57 am

Hi Suzy,

Let me know what they come back with. We can come up with something to avoid all that clicking.

Regards,
Alec Smecher
Public Knowledge Project Team
asmecher
 
Posts: 8470
Joined: Wed Aug 10, 2005 12:56 pm

Re: Importing User File- Password Conversion?

Postby sttis » Thu Aug 15, 2013 9:29 pm

Hi Alec,

The outcome:

If we delete all the imported users in the database and re-import them with no/blank passwords in the XML file, we are able to generate email notification to users.

The problem was, we imported the file with encrypted passwords initially. This meant we couldn't generate the email notification, even when trying to re-import the modified file with no passwords (after deleting passwords in the database).

Not sure I actually want to delete all the users as it means I need to re-do a bunch of work around the editorial team, so I might just use Selenium (or similar) to automate clicking on the "Forgot password" link.

Thanks again,
Suzy
sttis
 
Posts: 27
Joined: Tue May 14, 2013 3:35 am

Re: Importing User File- Password Conversion?

Postby asmecher » Fri Aug 16, 2013 10:16 am

Hi Suzy,

That makes sense. Sorry we don't have an easier solution for you.

Regards,
Alec Smecher
Public Knowledge Project Team
asmecher
 
Posts: 8470
Joined: Wed Aug 10, 2005 12:56 pm


Return to OJS Technical Support

Who is online

Users browsing this forum: Bing [Bot] and 5 guests