External Management of MySQL User Table Defined in Resolver

drowningfish · September 21, 2018, 4:07pm

We created a single MySQL table containing all our users. Authentication process works perfectly fine providing the users are directly managed from inside Privacyidea’s console.

However, we need the application service the end-users are trying to access to manage those users in that MySQL table. We can successfully update every field in the table, outside the confines of PrivacyIdea, but we’ve run into an issue with not being able to set, or reset, a password that works.

Is it because we’re not correctly salting the password in a way the resolver expects?

cornelinux · September 23, 2018, 9:43am

You need to be aware to use the correct hashing algorithm.

github.com

privacyidea/privacyidea/blob/master/privacyidea/lib/resolvers/SQLIdResolver.py#L567


    Given a dictionary of attributes, return a dictionary
    mapping columns to values.
    If the attributes contain a password, hash the password according to the
    configured password hash type.


    :param attributes: attributes dictionary
    :return: dictionary with column name as keys
    """
    attributes = attributes.copy()
    if "password" in attributes:
        attributes["password"] = hash_password(attributes["password"],
                                               self.password_hash_type)
    columns = {}
    for fieldname in attributes:
        if fieldname in self.map:
            columns[self.map[fieldname]] = attributes[fieldname]
    return columns


def delete_user(self, uid):
    """
    Delete a user from the SQL database.

drowningfish · September 23, 2018, 5:03pm

Thanks for the response. We changed the hash algorithm for a new resolver to Drupal and we’re now able to edit the password field. We just couldn’t seem to get the SSHA256 hash algorithm to work, I guess.

Anyhow, I think we’re good for now. Thanks again