Feature #31314

closed

saltedpasswords: Usage without rsaauth

Added by Bernhard Eckl about 13 years ago. Updated about 13 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: felogin
Target version: -
Start date: 2011-10-26
Due date:
% Done: 0%
Estimated time:
PHP Version: 5.2
Tags:
Complexity:
Sprint Focus:

Description

It would be great if the hashing and salting from sysext saltedpasswords could be used without sysext rsaauth and in mode $TYPO3_CONF_VARS['FE']['loginSecurityLevel'] = 'normal';. If you use LDAP authentication (namely eu_ldap) and additionally local fe user accounts, the passwords for the local fe users should also get hashed and salted. But when using eu_ldap, the setting loginSecurityLevel = rsa is not possible (ext eu_ldap sets it to normal).

Actions #1

Updated by Xavier Perseguers about 13 years ago

Are you sure eu_ldap stores the real password into the password column? I use another LDAP extension and as the check is always done with the LDAP server, there is no need to store the password in TYPO3, as such a random password is generated and stored in TYPO3.

As such, no need for saltedpasswords to be used without RSA for this user scenario.

Actions #2

Updated by Christian Kuhn about 13 years ago

  • Status changed from New to Closed

Closed, not a core problem:

Background:

The fact that login with 'loginSecurityLevel = rsa' fails with eu_ldap is a bug in this extension and should be fixed.

eu_ldap should do something like the snippet below to receive the plaintext password from a rsaauth password (copied from my own ldap authentication extension 'enet_ldapauth', that can probably be found in forge in some days or so):

    // Password as submitted by the login form
    $password = $this->login['uident'];
    // Decrypt password if using rsaauth
    if ($this->pObj->security_level === 'rsa' && t3lib_extMgm::isLoaded('rsaauth')) {
        // TYPO3 versions up to 4.5.x: include the rsaauth factory classes explicitly
        if (t3lib_div::int_from_ver(TYPO3_version) <= '4005999') {
            require_once(t3lib_extMgm::extPath('rsaauth') . 'sv1/backends/class.tx_rsaauth_backendfactory.php');
            require_once(t3lib_extMgm::extPath('rsaauth') . 'sv1/storage/class.tx_rsaauth_storagefactory.php');
        }
        $backend = tx_rsaauth_backendfactory::getBackend();
        $storage = tx_rsaauth_storagefactory::getStorage();
        // Fetch the key from the rsaauth storage
        $key = $storage->get();
        // Only values prefixed with 'rsa:' are encrypted; strip the prefix before decrypting
        if ($key != NULL && substr($password, 0, 4) == 'rsa:') {
            $password = $backend->decrypt($key, substr($password, 4));
        }
    }

Actions #3

Updated by Bernhard Eckl about 13 years ago

@Xavier: Yes, but I also want to authorize local accounts.

@Christian: Thank you for your explanation! So I’ll check a feature request there. Would it make sense to allow more than one security level? Like loginSecurityLevel = rsa, normal

Actions #4

Updated by Christian Kuhn about 13 years ago

@Bernhard: No, only one 'loginSecurityLevel' is possible! They can only be different for BE and FE. Furthermore I'd say not supporting rsa in eu_ldap is more a major bug than a feature ;)
