
Is LDAP password saved in OJS database?


Postby concordia » Thu Nov 18, 2010 7:00 am

Hi,

I am using the LDAP plugin, and what I absolutely do not want is for the LDAP password to be stored in the OJS database. I do not have the boxes checked for profile synchronization, password-changing, etc., but I want to confirm that the users' LDAP passwords are not on my server.

I've looked in the code for the plugin, and it seems like the password encoding option is only used with the synchronization options, but I cannot figure out what password is actually in the database. For OJS local users, I can tell that the password is the hashed username + password. For LDAP users, the password is not the hashed username + password, and it must not even be a salted version, because when I disable LDAP and set the authorization source for the user back to NULL in the database, I cannot log in with the generated password that was created along with the user.

So, my two questions are:

1) Could you please tell me if a user's LDAP password is stored in the OJS database.

2) What actually is stored for them as the password in the OJS database?

Thanks,
Laurie
concordia
 
Posts: 4
Joined: Fri Nov 05, 2010 8:52 am

Re: Is LDAP password saved in OJS database?

Postby mcrider » Thu Nov 25, 2010 2:34 pm

Hi Laurie,

As stated in other posts, our expertise with the LDAP plugin is minimal since we didn't write it and none of us have successfully set up the plugin with an LDAP source. That said, what I believe happens is that while the base password is the same in OJS and the LDAP source, the different salts result in the password being encoded differently in each place. The password stored in OJS is as you say, an MD5/SHA hash of (username+password), but on the LDAP side, it could be any of the encodings written in plugins/auth/ldap/LDAPAuthPlugin::encodePassword() (e.g. for md5, it would be '{MD5}' . base64_encode(pack('H*', md5($password)))).

Cheers,
Matt
mcrider
 
Posts: 952
Joined: Mon May 05, 2008 10:29 am
Location: Vancouver, BC

Re: Is LDAP password saved in OJS database?

Postby bradspry » Wed Aug 31, 2011 10:27 am

I too am wondering about this. I believe what is stored is the password entered at time of new account registration. If someone supplies their LDAP password at time of registration, I believe their LDAP password IS being stored. I have verified this by creating a new account with a non-LDAP password. Upon registration submit, the system asks me to log in again. I use my actual LDAP password and I'm in. As a test, I modified the password hash for the new user. I could still log in with my LDAP password. In summary, my theory is the password stored in the database is the password entered at time of new account registration. If someone enters their actual LDAP password at time of registration, then it appears the LDAP password IS being stored. I'm hoping someone proves me wrong...
bradspry
 
Posts: 6
Joined: Wed Aug 31, 2011 6:50 am
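Added example (not part of any post in this thread and not OJS code): a small Python check an administrator could run against a throwaway test account to see which password, if any, the value in the OJS users table was derived from. It assumes the local scheme is a hex MD5 or SHA-1 digest of the plain concatenation username+password, as described above, and reuses the {MD5} encoding quoted from encodePassword(); the function names, account name and passwords are constructed for illustration.

```python
import base64
import hashlib
import hmac

def ojs_local_hash(username, password, algo="md5"):
    # Hex digest of username+password, the local-user scheme described in the thread.
    # Assumption: plain concatenation, UTF-8, no extra salt or case folding.
    return hashlib.new(algo, (username + password).encode("utf-8")).hexdigest()

def ldap_md5(password):
    # PHP form quoted in the thread: '{MD5}' . base64_encode(pack('H*', md5($password)))
    raw = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(raw).decode("ascii")

def matching_schemes(username, stored, candidate):
    # Return the names of the schemes under which `candidate` produces `stored`.
    computed = {
        "md5(username+password)": ojs_local_hash(username, candidate, "md5"),
        "sha1(username+password)": ojs_local_hash(username, candidate, "sha1"),
        "ldap {MD5}": ldap_md5(candidate),
    }
    stored = stored.strip()
    hits = []
    for name, value in computed.items():
        # Hex digests compare case-insensitively; the base64 form is case-sensitive.
        left, right = (value, stored) if name.startswith("ldap") else (value, stored.lower())
        if hmac.compare_digest(left.encode(), right.encode()):
            hits.append(name)
    return hits

# Constructed test account; none of these values come from the thread.
USERNAME = "testuser"
REGISTRATION_PASSWORD = "typed-at-registration"
LDAP_PASSWORD = "directory-password"
STORED = ojs_local_hash(USERNAME, REGISTRATION_PASSWORD)  # stands in for the database value

if __name__ == "__main__":
    for label, pw in (("registration", REGISTRATION_PASSWORD), ("LDAP", LDAP_PASSWORD)):
        print(label, "password ->", matching_schemes(USERNAME, STORED, pw) or "no match")
```

With the stored value replaced by the one read from the test account's database row, a match for the password typed at registration and no match for a different LDAP password is the situation described in the last post; a match for the LDAP password means a hash derived from it is in the database.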

