Ldap -> External DB failthrough

Re: Ldap -> External DB failthrough

by CG G -
Number of replies: 2
Thanks for that.


Now onto my next question regarding authentication:

I've tested LDAP, which works, including through our global catalog (thanks Emma from a previous post!)

I've tested our MySQL external database, and that also works, with one issue. The passwords in that database were put in the user table using the PASSWORD(string) function in MySQL. This isn't MD5, SHA-1, or any other hash that is available in Moodle. If I copy the actual encoded password string, select plain text in Moodle for the password encoding, then log in, it works fine. MD5 and SHA-1 don't work, because MySQL doesn't use those encoding methods for storing passwords using the PASSWORD(string) function.

I've tested the password using external encoders. MD5 and SHA-1 don't work, but encoding via the MySQL PASSWORD() hash matches what I have in the database exactly.

Short of adding another field for MD5 or SHA-1 encoded passwords in the database, do I have any other options for using the native MySQL PASSWORD() encoded hashes? Is there a way to tell Moodle to encode the passwords using that MySQL function?
In reply to CG G

Re: Ldap -> External DB failthrough

by Leon Stringer -

If I've understood correctly then Moodle can't use this database for authenticating users. You could still use it to manage users and their profile data. You could then manage a process to change affected users' passwords, perhaps using Password format = "Internal" in Moodle. But if the database is being used for authentication with other systems then this may be an issue as users would have one password for Moodle and another for other systems.

Another option could be to change Moodle adding support for this password format. You'd need to edit two files, first auth/db/settings.php to add a new $passtype[] element (line 98 in Moodle 3.8):

    $passtype["mysqlfunction"]    = "MySQL Function";

Then edit auth/db/auth.php to handle this new type (line 141):

            } else if ($this->config->passtype === 'mysqlfunction') {
                // Let the external database hash the supplied password with its own PASSWORD() function.
                $authdb = $this->db_init();
                // Bind the password as a query parameter rather than interpolating it into the SQL string.
                $rs = $authdb->Execute("SELECT PASSWORD(?) AS password", array($extpassword));
                if (!$rs) {
                    $authdb->Close();
                    return false;
                }
                $password_function = $rs->fields['password'];
                $authdb->Close();
                return ($fromdb === $password_function);
            } else {

This would add "MySQL Function" to the plugin's Password format field. It seems to work correctly in my tests.

Caveats:

  • Modifying Moodle isn't generally recommended: changes may delay updates being installed, and the changes must be re-applied as part of each update.
  • When you modify Moodle it's more difficult to get support, either in these forums or elsewhere, as your Moodle doesn't match anyone else's.
  • MySQL's PASSWORD() has been deprecated for some time and has been removed from MySQL 8.0, so ideally plan to move away from this regardless of what you do.

But this change may be an option for you in the short term.

Average of ratings: Useful (2)
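To see why neither the MD5 nor the SHA-1 option can match these stored values, here is an added example (not from the thread, and not Moodle code) that reproduces the MySQL 4.1+ PASSWORD() format, a '*' followed by the upper-case hex of SHA-1 applied to the raw SHA-1 digest of the password, and checks a supplied password against a stored hash offline, the way the patch above does through the database. The sample hashes in the comments are constructed for the test.

```python
import hashlib
import hmac


def mysql_password(plaintext: str) -> str:
    """Reproduce MySQL 4.1+ PASSWORD(): '*' + upper-case hex of SHA1(SHA1(plaintext))."""
    inner = hashlib.sha1(plaintext.encode("utf-8")).digest()  # raw 20-byte digest, not hex
    outer = hashlib.sha1(inner).hexdigest().upper()
    return "*" + outer


def _is_hex(s: str) -> bool:
    return all(c in "0123456789abcdefABCDEF" for c in s)


def password_format(stored: str) -> str:
    """Classify a stored hash by shape so an admin can tell which Moodle passtype could match."""
    if len(stored) == 41 and stored.startswith("*") and _is_hex(stored[1:]):
        return "mysql41"    # PASSWORD() since MySQL 4.1; no built-in Moodle option matches this
    if len(stored) == 16 and _is_hex(stored):
        return "mysql-old"  # pre-4.1 OLD_PASSWORD(); not reproduced here
    if len(stored) == 32 and _is_hex(stored):
        return "md5"        # Moodle's MD5 option would apply
    if len(stored) == 40 and _is_hex(stored):
        return "sha1"       # Moodle's SHA-1 option would apply
    return "unknown"


def check_login(stored: str, supplied: str) -> bool:
    """Verify a supplied password against a stored PASSWORD() hash without a database round trip."""
    if password_format(stored) != "mysql41":
        return False
    # Constant-time comparison so the check does not leak how many leading characters matched.
    return hmac.compare_digest(stored, mysql_password(supplied))
```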
In reply to Leon Stringer

Re: Ldap -> External DB failthrough

by CG G -

Outstanding!


I've made the modifications and tested them. Everything is working as intended. 


We are running a legacy external DB that is heavily used for a number of other internal custom applications. Once we upgrade that to a newer version of MySQL and transition all the other applications in the process, we can then switch over to using SHA-1 and I will not need the modified code any longer. 


Thank you so much for the help. Your help is exactly what makes this community so great.