Moodle: MDL-18182

Added Django support in the external authentication plugin

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 1.9.4
    • Fix Version/s: DEV backlog
    • Component/s: Authentication
    • Labels:
      None
    • Difficulty:
      Easy
    • Affected Branches:
      MOODLE_19_STABLE
    • Rank:
      5009

      Description

      The external database authentication plugin supports SHA1 passwords, but in some applications or frameworks like Django, the password is stored like:
      alg$salt$hash
      where alg is the algorithm, salt is a random string and hash is the hash of the concatenation of the salt and the clear password.

      This patch adds support for authentication in Django databases.

      This is my very first contribution to Moodle. I hope I've followed all the guidelines, and I'd be happy if any developer provides me some feedback comments.

      Regards,

      Adrián Ribao Martínez

      1. auth.php.patch
        2 kB
        Adrian Ribao Martínez
      2. config.html.patch
        0.5 kB
        Adrian Ribao Martínez

        Activity

        Alex S. Brown, PMP IPMA-C added a comment -

        I agree that this change would be very helpful for the Django community. Zen Cart also has a similar issue where it has the MD5 + a salt value stored in the external database.

        In both cases, the routine needs the external password value in order to do the comparison. I recommend changing the 'db' authentication method a little more radically, so that it looks up the external password value FIRST, then does the comparison in memory.

        Adrian's solution, although it should work, requires an additional SQL check for every password check. First it retrieves the password from the database, calculates the hash, then uses the hash result in a second SQL lookup. A better approach is to just retrieve the password hash from the external database in one SQL check, and then perform the hash calculations and comparison in memory.

        I am working on another patch file using this method. I will also include another password format, based on the Zen Cart salt.
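
        The single-lookup approach recommended in the comment above, applied to the alg$salt$hash format from the description, as an added example that is not part of the original issue or either patch. The table and column names (auth_user, username, password), the function names and the sample rows are assumptions made for illustration; an in-memory SQLite database stands in for the external database.

```python
import hashlib
import hmac
import sqlite3

# Algorithms accepted in the alg field; the issue mentions SHA1 and MD5.
ALGORITHMS = {"sha1": hashlib.sha1, "md5": hashlib.md5}


def check_encoded(password, encoded):
    """Verify a password against a stored alg$salt$hash value, in memory."""
    parts = encoded.split("$")
    if len(parts) != 3:
        return False  # not in alg$salt$hash form (empty, plain text, ...)
    alg, salt, stored = parts
    hasher = ALGORITHMS.get(alg)
    if hasher is None:
        return False  # unknown algorithm: reject rather than guess
    computed = hasher((salt + password).encode("utf-8")).hexdigest()
    # Constant-time comparison, on bytes so odd stored values cannot raise.
    return hmac.compare_digest(computed.encode(), stored.lower().encode("utf-8"))


def authenticate(conn, username, password):
    """One parameterized SELECT for the stored value, then compare locally."""
    row = conn.execute(
        "SELECT password FROM auth_user WHERE username = ?", (username,)
    ).fetchone()
    if row is None or row[0] is None:
        return False  # unknown user or no stored password
    return check_encoded(password, row[0])


def make_sample_db():
    """Constructed in-memory stand-in for the external database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE auth_user (username TEXT, password TEXT)")
    salt = "a1b2c"  # constructed sample salt
    digest = hashlib.sha1((salt + "s3cret").encode("utf-8")).hexdigest()
    conn.executemany(
        "INSERT INTO auth_user VALUES (?, ?)",
        [("alice", "sha1$%s$%s" % (salt, digest)), ("bob", "not-a-django-value")],
    )
    return conn


if __name__ == "__main__":
    db = make_sample_db()
    print(authenticate(db, "alice", "s3cret"), authenticate(db, "alice", "wrong"))
```

        The password never appears in the SQL text: the only query is keyed on the username, and the salted hash is recomputed and compared after the row comes back.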


          People

          • Votes: 2
          • Watchers: 3
