Support » Plugin: wpDirAuth » Custom authentication

  • Resolved ober0330

    (@ober0330)


    We are using this to authenticate to a custom system right now that uses sha1 for password encryption. We’re about to change that encryption to something a lot more crazy. Can you tell me if I would need to modify this plugin or some other part of wordpress to support a completely custom algorithm?

    https://wordpress.org/plugins/wpdirauth/

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Paul Gilzow

    (@gilzow)

    By “custom system” I assume you’re referring to your LDAP instance? If so, it shouldn’t matter to the plugin.

    How the plugin works (roughly)

    1. Connects to your LDAP instance
    2. Searches for the user’s DN based on the user name provided
    3. If it gets a match, attempts to bind to your LDAP instance using the DN and the password provided by the user
    4. If the bind is successful, the user is authenticated

    Now, if the custom system is doing something unusual outside the normal LDAP spec, I can’t speculate on that without knowing more.

    Thanks for the quick reply. No, by custom system, I am referring to a custom java web application with an Oracle DB.

    Maybe you can clarify something for me then. I assume that somewhere in the line of things, it is taking the user’s password and encrypting it for comparison. But I searched through the code in the plugin and I didn’t really see any encryption methods. Yet our sys admin said she had to add ‘SHA’ to the password string to get it to encrypt and compare properly.

    But based on what you’re telling me, something is doing that before it ever gets to your plugin. Is that correct? Is LDAP or maybe even WordPress encrypting the user entered password for comparison through LDAP?

    Plugin Author Paul Gilzow

    (@gilzow)

    Maybe you can clarify something for me then. I assume that somewhere in the line of things, it is taking the user’s password and encrypting it for comparison…. But based on what you’re telling me, something is doing that before it ever gets to your plugin. Is that correct? Is LDAP or maybe even WordPress encrypting the user entered password for comparison through LDAP?

    No, the script doesn’t touch the password except to hand it over to the LDAP instance (straight passthrough). Any hashing of the password happens on the LDAP instance during the LDAP binding stage. The plugin stores a random password for the user internally in wordpress since the password stored internally will never be used for the user.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Custom authentication’ is closed to new replies.