[sork] passwd and md5 in CVS HEAD
Mike Cochrane
mike at graftonhall.co.nz
Sun Dec 15 19:19:23 PST 2002
There are a couple of ways to look at this one. Either ldap is the odd one or
the current situation is the odd one.
I took it that ldap was the unusual one and have just committed a change to the
ldap driver. The current md5 method is correct for the sql driver and matches
the horde sql authentication driver and a couple of other sql based
authentications I use here.
I would appreciate it if you could test this, I don't have a ldap directory to
test it on.
- Mike :-)
> ----- Message from amith@xalan.com ---------
>
> A little while ago when Passwd got modified to support different backends, the
> md5 encryption scheme got changed to use PHP's internal MD5 function.
> However, this seems to break password changing on OpenLDAP servers. If I
> change it back to the scheme that I originally had submitted everything works
> fine. So for example in the current Driver.php this code exists:
>
> case "md5":
> $newPassword = md5($newPassword);
>
> However when the password gets changed, I am unable to log in at all using the
> new password. When I change that line to:
>
> $newPassword = "{MD5}" . base64_encode(mHash(MHASH_MD5, $newPassword));
>
> I can change the password, log out, and then log back in fine. In addition I
> used the ldappasswd utility to change the password after it gets messed up with
> md5(). When I use ldappasswd, the password that is generated matches the one
> that mhash generates, but not PHP's md5 function. I looked at the PHP docs and
> I am really not sure what the difference is between the two. I've also tried
> base64 encoding the results from md5() and prepending the {MD5} string but that
> hasn't fixed anything. I'm proposing that the md5 encryption scheme should be
> changed back to the original mhash method unless someone who uses md5 has it
> working correctly with HEAD.
>
> Index: Driver.php
> ===================================================================
> RCS file: /repository/passwd/lib/Driver.php,v
> retrieving revision 1.7
> diff -u -r1.7 Driver.php
> --- Driver.php 5 Dec 2002 23:10:27 -0000 1.7
> +++ Driver.php 15 Dec 2002 04:44:48 -0000
> @@ -153,7 +153,7 @@
> $newPassword = "{crypt}" . crypt($newPassword);
> break;
> case "md5":
> - $newPassword = md5($newPassword);
> + $newPassword = "{MD5}" . base64_encode(mHash(MHASH_MD5,
> $newPas
> sword));
> break;
> case "ssha":
> $salt =
> mhash_keygen_s2k(MHASH_SHA1,$newPassword,substr(pack("h
> *",md5(mt_rand())),0,8),4);
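Review bot: The `case "md5":` change sits in lib/Driver.php, so it alters the stored format for every backend that shares this switch, not only LDAP; a store that holds the hex string from md5() would stop matching after the next password change. Keep the hex output here and emit the `{MD5}` form from the LDAP driver or under a separate scheme name. The same value can be built as "{MD5}" . base64_encode(pack("H*", md5($newPassword))), which removes the mhash call from this case.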
> ----- End message from amith@xalan.com -----
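
The difference between the two encodings discussed in this thread, as an added example that is not part of the original messages or of the Passwd code: md5() returns 32 hex characters, while the LDAP {MD5} value is base64 of the 16 raw digest bytes. The function names and the sample password are hypothetical, and md5($s, true) is used here in place of mhash(MHASH_MD5, $s).

```php
<?php
// Added example: hex MD5 (SQL-style) versus the LDAP {MD5} userPassword form.

/** Hex digest, as PHP's md5() returns it: 32 ASCII characters. */
function md5_hex(string $password): string
{
    return md5($password);
}

/** LDAP form: "{MD5}" followed by base64 of the 16 raw digest bytes. */
function md5_ldap(string $password): string
{
    return '{MD5}' . base64_encode(md5($password, true));
}

/** Convert a stored hex digest to the LDAP form without knowing the password. */
function hex_to_ldap(string $hex): string
{
    if (!preg_match('/^[0-9a-f]{32}$/i', $hex)) {
        throw new InvalidArgumentException('not a 32-character hex MD5 digest');
    }
    return '{MD5}' . base64_encode(hex2bin($hex));
}

/** Check a password against either stored form, comparing in constant time. */
function verify_md5(string $password, string $stored): bool
{
    if (strncasecmp($stored, '{MD5}', 5) === 0) {
        $raw = base64_decode(substr($stored, 5), true);
        return $raw !== false && hash_equals($raw, md5($password, true));
    }
    return hash_equals(strtolower($stored), md5($password));
}

$pw    = 'constructed-sample-password';        // constructed sample input
$hex   = md5_hex($pw);
$ldap  = md5_ldap($pw);
$wrong = '{MD5}' . base64_encode($hex);        // base64 of the hex text, not the bytes

printf("hex:   %s\nldap:  %s\nwrong: %s\n", $hex, $ldap, $wrong);
var_dump(hex_to_ldap($hex) === $ldap);         // same digest, two encodings
var_dump(verify_md5($pw, $hex), verify_md5($pw, $ldap), verify_md5($pw, $wrong));
```

The `$wrong` value is what base64-encoding the output of md5() and prepending {MD5} produces: it encodes 32 bytes of hex text rather than the 16 digest bytes, so it never matches.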