I'm trying to authenticate against the user db of my website (CMS based) and it uses a slightly different approach at storing hashed passwords. It uses a randomly generated salt for each user. The salt is stored in the user db along with the hashed passwords. Hence, direct field-mapped authentication (as the External DB plugin does) won't work for me.

To start off, I just mirrored the DB plugin and modified the user_login() procedure to read the hashed password and the salt from the database, then hash the entered password again with the salt and match it up with the password in the database. Here's the code for my user_login() function:

function user_login($username, $password) {

    global $CFG;

    $textlib = textlib_get_instance();
    $extusername = $textlib->convert(stripslashes($username), 'utf-8', $this->config->extencoding);
    $extpassword = $textlib->convert(stripslashes($password), 'utf-8', $this->config->extencoding);

    $authdb = $this->db_init();

    // normal case: use external db for passwords

    // Get user data
    $sql = "SELECT
      *
      FROM {$this->config->table}
      WHERE {$this->config->fielduser} = '".$this->ext_addslashes($extusername)."' ";

    $authdb->SetFetchMode(ADODB_FETCH_ASSOC);

    // No DB Connection
    if ( !$rs = $authdb->Execute( $sql ) ) {
        $authdb->Close();
        print_error('auth_dbcantconnect','auth');
        return false;
    }

    // No records returned
    if ( $rs->EOF ) {
        $rs->Close();
        $authdb->Close();
        return false;
    }

    // Get password hash and per-user salt
    $db_password = $rs->fields['user_password'];
    $salt = $rs->fields['user_salt'];

    // Close DB Conn
    $rs->Close();
    $authdb->Close();

    // Return match. Use a strict comparison: with '==' PHP compares two
    // numeric-looking hex strings (e.g. "0e123...") as numbers, so unrelated
    // hashes could compare equal.
    return sha1( $extpassword . $salt ) === $db_password;

}

But when I try to login, username / passwords corresponding to the website (CMS) database are failing. However, the password (for the same user) that was stored in Moodle earlier on (before I tried using this custom plugin) is getting me through.

That means either my authentication routine is failing or Moodle's internal DB-based auth mechanism is taking precedence over it.

I've enabled ADODB debug mode, but that isn't helping either. When I enable the debug output from Server settings, the error messages are sent before the page headers, so the login page won't display at all.

I have all other forms of authentication turned off (except for Manual which can't be turned off) and my own.

Any ideas on how to solve this issue?

Thanks, m^e

+2  A: 

Can you confirm the order in which the authentication plugins are displayed? This determines the order in which they are used. See...

http://docs.moodle.org/en/Manage%5Fauthentication

Either way, the behaviour you're seeing suggests that your code is returning false and the fall-through logic described here...

http://moodle.org/mod/forum/discuss.php?d=102070

... and here...

http://docs.moodle.org/en/Development%3AAuthentication%5Fplugins

... is kicking in.

Have you tried returning "true" always from your plugin to ensure that it's being called? Then you can start returning "true" based upon other things (hard-coded usernames etc.). This approach will allow you to get to the point where you are either continuing to fail or seeing more targeted failures. Are you sure, for example, that it's the user_login function and not the subsequent call to update_user_record that is failing?

Finally, are you sure you're generating the salted password in the exact same way that it was created in the first place? This would be, for me, the most likely cause of the problem. Can you take control of the creation of the salted password so that you own both creation of new users and authentication of users? This would ensure that you were in sync with how the salted password and hash were generated.

Martin Peck
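The two points above, the asker's verify-by-rehashing routine and the answer's advice to own both creation and verification so the construction cannot drift, can be demonstrated in one place. The following is an added example, not the asker's plugin or Moodle's code; it assumes a CMS that stores a hex sha1 of password followed by salt (constructed here), a random per-user salt kept beside the hash, and PHP 7 or later for random_bytes() and hash_equals(). The diagnostic helper goes a step beyond the thread by reporting which of several common hash constructions reproduces a stored hash, which is the mismatch the answer suspects.

```php
<?php
// Added example (not the asker's plugin code or Moodle's own code).
// Assumption: the CMS stores hex sha1(password . salt); salt is a random
// string stored beside the hash. All records below are constructed.

// The single hashing rule. Both creation and verification call this, so the
// two sides cannot disagree about ordering or digest.
function salted_hash(string $password, string $salt): string {
    return sha1($password . $salt);   // 40 hex characters
}

// Creation side: fresh random salt per user, returned together with the hash.
function create_salted_password(string $password): array {
    $salt = bin2hex(random_bytes(16));
    return ['hash' => salted_hash($password, $salt), 'salt' => $salt];
}

// Verification side. hash_equals() is a strict, constant-time comparison:
// it avoids PHP's numeric juggling of "0e..." strings under '==' and does
// not leak how many leading characters matched through timing.
function verify_salted_password(string $password, string $salt, string $stored): bool {
    return hash_equals(strtolower($stored), salted_hash($password, $salt));
}

// Diagnostic for a hash produced elsewhere: which common construction
// reproduces it? Used once to find the mismatch; the plugin should then
// hard-code exactly one rule in salted_hash().
function diagnose_hash_construction(string $password, string $salt, string $stored): ?string {
    $candidates = [
        'sha1(password . salt)'       => sha1($password . $salt),
        'sha1(salt . password)'       => sha1($salt . $password),
        'md5(password . salt)'        => md5($password . $salt),
        'md5(salt . password)'        => md5($salt . $password),
        'sha1(salt . sha1(password))' => sha1($salt . sha1($password)),
    ];
    foreach ($candidates as $name => $candidate) {
        if (hash_equals(strtolower($stored), $candidate)) {
            return $name;
        }
    }
    return null;   // none of the known constructions match
}

// Constructed record, created and verified with the same rule.
$record = create_salted_password('correct horse');
echo 'own record, right password: ',
     var_export(verify_salted_password('correct horse', $record['salt'], $record['hash']), true), "\n";
echo 'own record, wrong password: ',
     var_export(verify_salted_password('wrong', $record['salt'], $record['hash']), true), "\n";

// Constructed "foreign" record whose hash was built salt-first, the kind of
// silent mismatch the answer describes.
$foreignSalt = 'a1b2c3';
$foreignHash = sha1($foreignSalt . 'correct horse');
echo 'foreign record, our rule:   ',
     var_export(verify_salted_password('correct horse', $foreignSalt, $foreignHash), true), "\n";
echo 'foreign record built as:    ',
     diagnose_hash_construction('correct horse', $foreignSalt, $foreignHash) ?? 'unknown', "\n";
```

If verify_salted_password() returns false for a record the CMS created, run diagnose_hash_construction() on that one record before touching the plugin; a null result means the CMS uses a construction not listed here (a different encoding of the salt, extra rounds, or a different charset for the password, which is what the textlib conversion in user_login() is there to handle).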
Thanks for your reply... I'll go through your suggestions step-by-step and get back to you..
miCRoSCoPiC_eaRthLinG
Hello. I tried returning "true" always and also commented out the entire code block for update_user_record(). However, I still keep getting invalid login. As for the order of the auth plugins, it's 1. Manual Accounts, 2. Nologin and 3. my custom plugin. I don't see an option to change the plugin order here... although there is a column titled Up/Down in the table, the column doesn't contain anything. Any suggestions?
miCRoSCoPiC_eaRthLinG
Forgot to mention: The option "auth" in the table mdl_config is set to my plugin though.
miCRoSCoPiC_eaRthLinG