Authorization in 2 different databases

Nextcloud version (eg, 12.0.2): 12.0.3
Operating system and version (eg, Ubuntu 17.04): Ubuntu 16.04.3
Apache or nginx version (eg, Apache 2.4.25): Apache/2.4.18
PHP version (eg, 7.1): 7.0

The issue:
In Nextcloud I need to implement authorization of users stored in an external PostgreSQL database. The algorithm for hashing passwords in that DB:

Hash = SHA1 (salt + SHA1 (password));

the salt is stored in the same database.

“Native” (MySQL) authorization should remain.

Any ideas/suggestions how it can be done?

You can enable external authentication backends and the native still remains (works like this with imap-authentication). It should be similar with this:

Problem now is the hashing algorithm, I don’t know if it is compatible with yours. You can certainly add it yourself. Or take this opportunity and update your other service to a more secure password-hashing algorithm.

This. Custom made password hashing “algorithms” without multiple rounds as used in your case are the source of all evil :wink: .

@PancakeConnaisseur, @tflidd Thanks a lot :slight_smile:

One side of the problem is that “other service” is on production for years, and there’re plenty of users registered. Changing the algorithm will cause all of’em to reset their passwords (or am I wrong?). Surely, most “common” users can be calmed, but “bosses” and “big bosses” are hard nuts :smile:

That makes it even more interesting. Perhaps you gather a few articles about leaked passwords in the last years.

You could program something that during a transition period, you automatically generate new hashes at each login with the current password. After that, you switch to the new algorithm and delete the old hashes, some users who weren’t logged in during the transition period have to reset their password. However, it would also be a good idea to ask your users to change their password (especially if they have used it for a long time).

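The transition scheme suggested in the last reply, sketched in PHP as an added example (not code from the thread, from Nextcloud, or from any authentication backend): a login that still accepts the legacy `SHA1(salt + SHA1(password))` value, then replaces it with a `password_hash()` value while the plaintext is available. The row layout, the function names `legacyHash()` and `login()`, and the reading of the formula (string concatenation, hex-encoded inner digest) are assumptions.

```php
<?php
declare(strict_types=1);

// Assumption: "+" in the thread's formula is string concatenation and the inner
// SHA1 is the lowercase hex digest. Adjust to match the real legacy service.
function legacyHash(string $salt, string $password): string
{
    return sha1($salt . sha1($password));
}

// Verifies a login against a user row and upgrades the stored hash in place.
// $user is a hypothetical row: ['salt' => ?, 'legacy_hash' => ?, 'hash' => ?].
function login(array &$user, string $password): bool
{
    if (!empty($user['hash'])) {
        // Already migrated: only the modern hash is accepted.
        if (!password_verify($password, $user['hash'])) {
            return false;
        }
        if (password_needs_rehash($user['hash'], PASSWORD_DEFAULT)) {
            $user['hash'] = password_hash($password, PASSWORD_DEFAULT);
        }
        return true;
    }
    if (empty($user['legacy_hash'])) {
        return false; // legacy hash deleted after the transition: reset required
    }
    // Constant-time comparison of the recomputed legacy hash.
    if (!hash_equals($user['legacy_hash'], legacyHash($user['salt'], $password))) {
        return false;
    }
    // The plaintext is only available now, so re-hash it and drop the old values.
    $user['hash'] = password_hash($password, PASSWORD_DEFAULT);
    $user['legacy_hash'] = null;
    $user['salt'] = null;
    return true;
}

// Constructed sample row, as the legacy service would have stored it.
$user = ['salt' => 'c0ffee', 'legacy_hash' => legacyHash('c0ffee', 'hunter2'), 'hash' => null];

var_dump(login($user, 'wrong'));         // wrong password: row is left unchanged
var_dump(login($user, 'hunter2'));       // verified against the legacy hash, row upgraded
var_dump($user['legacy_hash'] === null); // old hash no longer stored
var_dump(login($user, 'hunter2'));       // verified against the password_hash() value
```

Rows that still hold only a `legacy_hash` when the transition period ends are the accounts that need a password reset.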