Content
Added by jean-marie verdun over 8 years ago
Hi,
I am trying to implement a very basic SSO, which is not using LDAP, but system login/password. I am trying to figure out how the password is encrypted into the database is this using MD5 hash or any other algorithm ? What does the salt value correspond to ?
vejmarie
Replies (5)
Hi,
I can’t recommend creating a SSO system against the OpenProject database as it’s database format for passwords may (and very likely will) change in the future. I’m pretty sure you’d be better off with using an external system with a stable interface like LDAP (that’s already supported by OpenProject).
If you want to ignore these warnings and implement this nevertheless, you can find the hashing implementation in lib/models/user_password.rb in
hash_with_salt. Basically, it’s SHA-1 with a salt.As I said, the format will probably change in the future, especially since SHA-1 without key-stretching is quite an outdated way to store passwords.
Cheers,
Michael
Hi,
Thanks for your answer. The issue I have currently is that I can’t use LDAP due to the specific implementation. I will have a look to the source code and track changes !
vejmarie
What might be great in fact could be to support HTTP Authentication process. I don’t know if this is something in the roadmap somewhere ?
What exactly do you mean with “HTTP Authentication” - HTTP Basic Authentication
OpenProject’s API supports HTTP authentication at the moment, but we highly discourage it for use in a browser due to possible Cross-Site Scripting (XSS). In the future, HTTP authentication will probably be removed (with XSS being one reason) with API v3. It might be replaced by something like OAuth 2, but I can’t promise you anything here.
You could of course write a plugin that offers the functionality you need, but also here, OpenProject can’t offer a stable interface, so you might end up with more problems than with direct database access.
So if you’re looking for a way to verify user credentials via a stable interface, I’m sorry I can’t offer you a future-proof solution except recommending again to not use OpenProject as authentication source.
Hi,
Thanks for your quick answer. In fact OpenProject is part of a VM where I have SOGo as a mail client, as well as Wordpress as a CMS. Wordpress is the entry point of the system, and SOGo and OpenProject are included into it through iFrame trick and hint. Each software has its own login interface and this is a little bit boring for the user to type the same login password 3 times.
SOGo do support what they call ProxyAuthentificationm which is based on Auth Digest auth. When the user login to wordpress, the login script setup a cookie with the Digest Auth algorithm, which can be used for SOGo. I am trying to re implement this with Open Project which is a great piece of software anyway !
Wordpress and SOGo can work with WebAuth, not sure if this might be the path to follow with Open Project. LDAP is not solving this issue, as the login password still have to be edited by the user.
Jm