You are viewing the PKP Support Forum | PKP Home Wiki

Is LDAP password saved in OJS database?

Are you responsible for making OJS work -- installing, upgrading, migrating or troubleshooting? Do you think you've found a bug? Post in this forum.

Moderators: jmacgreg, btbell, michael, bdgregg, barbarah, asmecher

Forum rules
The Public Knowledge Project Support Forum is moving to http://forum.pkp.sfu.ca

This forum will be maintained permanently as an archived historical resource, but all new questions should be added to the new forum. Questions will no longer be monitored on this old forum after March 30, 2015.

Is LDAP password saved in OJS database?

Postby concordia » Thu Nov 18, 2010 7:00 am


I am using the LDAP plugin, and what I absolutely do not want is for the LDAP password to be stored in the OJS database. I do not have the boxes checked for profile synchronization, password-changing, etc., but I want to confirm that the users' LDAP passwords are not on my server.

I've looked in the code for the plugin, and it seems like the password encoding option is only used with the synchronization options, but I cannot figure out what password is actually in the database. For OJS local users, I can tell that the password is the hashed username + password. For LDAP users, the password is not the hashed username + password, and it must not even be a salted version, because when I disable LDAP and set the authorization source for the user back to NULL in the database, I cannot log in with the generated password that was created along with the user.

So, my two questions are:

1) Could you please tell me if a user's LDAP password is stored in the OJS database.

2) What actually is stored for them as the password in the OJS database?

Posts: 4
Joined: Fri Nov 05, 2010 8:52 am

Re: Is LDAP password saved in OJS database?

Postby mcrider » Thu Nov 25, 2010 2:34 pm

Hi Laurie,

As stated in other posts, our expertise with the LDAP plugin is minimal since we didn't write it and none of us have successfully set up the plugin with an LDAP source. That said, what I believe happens is that while the base password is the same in OJS and the LDAP source, the different salts result in the password being encoded differently in each place. The password stored in OJS is as you say, an MD5/SHA hash of (username+password), but on the LDAP side, it could be any of the encodings written in plugins/auth/ldap/LDAPAuthPlugin::encodePassword() (e.g. for md5, it would be '{MD5}' . base64_encode(pack('H*', md5($password)))).

Posts: 952
Joined: Mon May 05, 2008 10:29 am
Location: Vancouver, BC

Re: Is LDAP password saved in OJS database?

Postby bradspry » Wed Aug 31, 2011 10:27 am

I too am wondering about this. I believe what is stored is the password entered at time of new account registration. If someone supplies their LDAP password at time of registration, I believe their LDAP password IS is being stored. I have verified this by creating an new account with a non-LDAP password. Upon registration submit, the system asks me to login again. I use my actual LDAP password and I'm in. As a test, I modified the password hash for the new user. I could still login with my LDAP password. In summary, my theory is the password stored in the database is the password entered at time of new account registration. If someone enters their actual LDAP password at time of registration, then it appears the LDAP password IS being stored. I'm hoping someone proves me wrong...
Posts: 6
Joined: Wed Aug 31, 2011 6:50 am

Return to OJS Technical Support

Who is online

Users browsing this forum: No registered users and 2 guests