External DB Authentication password

External DB Authentication password

by Dawid Strzyż -
Number of replies: 7

Hello.

I'm trying to use external authentication. I have Wordpress site with custom user fields, so this plugin is the best one. The main problem is the password... Passtype i can choose are as you know - MD5, SHA-1, Plain Text and Crypt One Way String Hashing (what is this!?).  As you know - wordpress passwords are salted and it starst with $P$B in the database. Moodle 3.5 cant handle it! What's the point in using so outdated cryprography like SHA-1? SSO are not and option - they cant handle custom fields and at the moment - are not compatible with WP 5.2. Any help? I cant downgrade WP's password hashing - too much security risk. 

Regards

Average of ratings: -
In reply to Dawid Strzyż

Re: External DB Authentication password

by Mathew Gancarz -
Picture of Core developers
"Crypt one-way string hashing" is bcrypt compatible. I'm not sure what the $P$B that Wordpress uses is, but if it's bcrypt, you should be able to just have it work.
Average of ratings: -
In reply to Mathew Gancarz

Re: Re: External DB Authentication password

by Dawid Strzyż -
Well, turns out "$P$B" stands for "phpass": https://www.openwall.com/phpass/

I was able to use external password from wordpress on moodle 3.4, thanks to this:

http://programmingcollections.blogspot.com/2013/07/moodle-and-wordpress-single-sign-on-in.html

Of course - there is no /auth/db/config.html in moodle 3.x, there is settings.php file. Also require_once($CFG->libdir."/class-phpass.php"); should be placed in auth.php.
auth.php:

131-->149 $rs->Close();
132-->150 $authdb->Close();

Feel free to correct me if im wrong.

This method is not working properly with 3.5 and 3.6. Im able to login with username and password - but moodle says "cannot continue, please change your password" (even if i turn off password policies). I cannot login using e-mail instead of password either - it's a dealbreaker for me.
Average of ratings: -
In reply to Dawid Strzyż

Re: Re: Re: External DB Authentication password

by Leon Stringer -
Picture of Core developers Picture of Particularly helpful Moodlers
I've tried this — the instructions from the link with your additional changes — and it works for me on Moodle 3.6. Can you post a screenshot of the error you are seeing on your site?
Average of ratings: -
In reply to Leon Stringer

Re: Re: Re: Re: External DB Authentication password

by Dawid Strzyż -
I'm afraid I cant do this at this moment. I've downgraded whole moodle site. I will try to update id eventually - I'll let you know what I have achieved. Considering the fact that this method is working - I do wonder how to use it for external DB enrollment with WooCommerce.
Average of ratings: -
In reply to Dawid Strzyż

Re: External DB Authentication password

by Jon Bolton -
Picture of Particularly helpful Moodlers Picture of Testers

See MDL-42715

Average of ratings: -
In reply to Jon Bolton

Re: Re: External DB Authentication password

by Dawid Strzyż -
Thanks, it's something, I'll analyze it. I'm pretty sure that Wordpress uses phpass, not bcrypt thou. But hey - one can change phpass to bcrypt thanks to plugins, or it might be used somewhere else. Thank you very much uśmiech
Average of ratings: -