Feature #31314
closed
saltedpasswords: Usage without rsaauth
Added by Bernhard Eckl about 13 years ago.
Updated about 13 years ago.
Description
It would be great if the hashing and salting from sysext saltedpasswords could be used without sysext rsaauth and in mode $TYPO3_CONF_VARS['FE']['loginSecurityLevel'] = 'normal';. If you use LDAP authentication (namely eu_ldap) and additionally local fe user accounts, the passwords for the local fe users should also get hashed and salted. But when using eu_ldap, the setting loginSecurityLevel = rsa is not possible (ext eu_ldap sets it to normal).
Are you sure eu_ldap stores the real password into the password column? I use another LDAP extension and as the check is always done with the LDAP server, there is no need to store the password in TYPO3, as such a random password is generated and stored in TYPO3.
As such, no need for saltedpasswords to be used without RSA for this user scenario.
- Status changed from New to Closed
Closed, not a core problem:
Background:
The fact that login with 'loginSecurityLevel = rsa' fails with eu_ldap is a bug in this extension and should be fixed.
eu_ldap should do something like the snippet below to receive the plaintext password from a rsaauth password (copied from my own ldap authentication extension 'enet_ldapauth', that can probably be found in forge in some days or so):

    $password = $this->login['uident'];
    // Decrypt password if using rsaauth
    if ($this->pObj->security_level === 'rsa' && t3lib_extMgm::isLoaded('rsaauth')) {
        // TYPO3 versions up to 4.5.x: load the rsaauth factory classes explicitly
        if (t3lib_div::int_from_ver(TYPO3_version) <= '4005999') {
            require_once(t3lib_extMgm::extPath('rsaauth') . 'sv1/backends/class.tx_rsaauth_backendfactory.php');
            require_once(t3lib_extMgm::extPath('rsaauth') . 'sv1/storage/class.tx_rsaauth_storagefactory.php');
        }
        $backend = tx_rsaauth_backendfactory::getBackend();
        $storage = tx_rsaauth_storagefactory::getStorage();
        // Fetch the key kept by the rsaauth storage
        $key = $storage->get();
        // Decrypt only if a key exists and the submitted value carries the 'rsa:' prefix
        if ($key != NULL && substr($password, 0, 4) == 'rsa:') {
            $password = $backend->decrypt($key, substr($password, 4));
        }
    }

@Xavier: Yes, but I also want to authorize local accounts.
@Christian: Thank you for your explanation! So I’ll check a feature request there. Would it make sense to allow more than one security level? Like loginSecurityLevel = rsa, normal
@Bernhard: No, only one 'loginSecurityLevel' is possible! They can only be different for BE and FE. Furthermore I'd say not supporting rsa in eu_ldap is more a major bug rather than a feature ;)