
User password encryption algorithm in database

Added by jean-marie verdun over 8 years ago

Hi,

I am trying to implement a very basic SSO, which is not using LDAP, but system login/password. I am trying to figure out how the password is encrypted in the database: is this using an MD5 hash or any other algorithm? What does the salt value correspond to?

vejmarie


Replies (5)

RE: User password encryption algorithm in database - Added by Michael Frister over 8 years ago

Hi,

I can’t recommend creating an SSO system against the OpenProject database as its database format for passwords may (and very likely will) change in the future. I’m pretty sure you’d be better off using an external system with a stable interface like LDAP (that’s already supported by OpenProject).

If you want to ignore these warnings and implement this nevertheless, you can find the hashing implementation in lib/models/user_password.rb in hash_with_salt. Basically, it’s SHA-1 with a salt.

As I said, the format will probably change in the future, especially since SHA-1 without key-stretching is quite an outdated way to store passwords.

Cheers,
Michael
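
An added example, not part of the original posts and not OpenProject's code: the difference between a single salted SHA-1 pass and a key-stretched hash, with a verifier that upgrades a legacy record on a successful login so the stored format can change without a password reset. The record layout, the salt + password concatenation order, the iteration count and the sample values are assumptions made for illustration.

```ruby
require 'digest'
require 'openssl'
require 'securerandom'

# Hypothetical record layout for this example (not OpenProject's schema).
Stored = Struct.new(:scheme, :salt, :digest, :iterations)

PBKDF2_ITERATIONS = 210_000 # assumed work factor; tune for your hardware

# Legacy scheme: a single SHA-1 pass. The salt + password order is an assumption.
def legacy_sha1(salt, password)
  Digest::SHA1.hexdigest(salt + password)
end

# Key-stretched scheme: PBKDF2-HMAC-SHA256, hex-encoded 32-byte output.
def stretched(salt, password, iterations)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, 32,
                             OpenSSL::Digest.new('SHA256')).unpack1('H*')
end

# Comparison whose running time does not depend on where the strings differ.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def new_record(password)
  salt = SecureRandom.hex(16)
  Stored.new(:pbkdf2, salt, stretched(salt, password, PBKDF2_ITERATIONS), PBKDF2_ITERATIONS)
end

# Returns [ok, record]. A legacy record that verifies is replaced by a stretched one.
def verify_and_upgrade(stored, password)
  case stored.scheme
  when :sha1
    ok = secure_equal?(legacy_sha1(stored.salt, password), stored.digest)
    [ok, ok ? new_record(password) : stored]
  when :pbkdf2
    [secure_equal?(stretched(stored.salt, password, stored.iterations), stored.digest), stored]
  else
    [false, stored] # unknown scheme: fail closed
  end
end

# Constructed sample: a legacy row as it might look before migration.
LEGACY = Stored.new(:sha1, 'c0ffee', legacy_sha1('c0ffee', 'correct horse'), nil)
```

Storing the scheme and iteration count beside each digest is what lets a reader of the table tell which algorithm applies to a given row once the format changes.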

RE: User password encryption algorithm in database - Added by jean-marie verdun over 8 years ago

Hi,

Thanks for your answer. The issue I have currently is that I can’t use LDAP due to the specific implementation. I will have a look at the source code and track changes!

vejmarie

RE: User password encryption algorithm in database - Added by jean-marie verdun over 8 years ago

What might be great in fact could be to support the HTTP Authentication process. I don’t know if this is something on the roadmap somewhere?

RE: User password encryption algorithm in database - Added by Michael Frister over 8 years ago

What exactly do you mean by “HTTP Authentication” - HTTP Basic Authentication?

OpenProject’s API supports HTTP authentication at the moment, but we highly discourage it for use in a browser due to possible Cross-Site Scripting (XSS). In the future, HTTP authentication will probably be removed (with XSS being one reason) with API v3. It might be replaced by something like OAuth 2, but I can’t promise you anything here.

You could of course write a plugin that offers the functionality you need, but also here, OpenProject can’t offer a stable interface, so you might end up with more problems than with direct database access.

So if you’re looking for a way to verify user credentials via a stable interface, I’m sorry I can’t offer you a future-proof solution except recommending again to not use OpenProject as authentication source.

RE: User password encryption algorithm in database - Added by jean-marie verdun over 8 years ago

Hi,

Thanks for your quick answer. In fact OpenProject is part of a VM where I have SOGo as a mail client, as well as Wordpress as a CMS. Wordpress is the entry point of the system, and SOGo and OpenProject are included into it through iFrame trick and hint. Each software has its own login interface and it is a little bit boring for the user to type the same login password 3 times.
SOGo does support what they call ProxyAuthentification, which is based on Auth Digest auth. When the user logs in to Wordpress, the login script sets up a cookie with the Digest Auth algorithm, which can be used for SOGo. I am trying to reimplement this with Open Project, which is a great piece of software anyway!

Wordpress and SOGo can work with WebAuth; not sure if this might be the path to follow with Open Project. LDAP is not solving this issue, as the login password still has to be edited by the user.

Jm
