[Cubicweb] Python module for Apache : how to use cubicweb.dbapi

Dimitri Papadopoulos Orfanos dimitri.papadopoulos at cea.fr
Mon Sep 23 16:16:56 CEST 2013


Thank you, the following pseudocode works for me:


import crypt

# password as provided by user through Apache
cleartext = 'mypassword'

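# password as read from PostgreSQL (bytea column, hex output format)
cryptedpasswd = '\\x0123456789...'
# strip the leading \x marker, then decode the hex digits
# to get the crypt(3) string
cryptedpasswd = cryptedpasswd[2:]
cryptedpasswd = cryptedpasswd.decode("hex")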

# compare encrypted passwords
if crypt.crypt(cleartext, cryptedpasswd) == cryptedpasswd:
     print 'OK'
else:
     print 'ERROR'

On 13/09/2013 16:47, Julien Cristau wrote:
> On Fri, Sep 13, 2013 at 16:11:14 +0200, Dimitri Papadopoulos Orfanos wrote:
>
>> Hi,
>>
>> I'm attempting to write an Apache authentication module that would
>> use the CWusers of a CubicWeb instance.
>>
>>
>> We had already discussed the following solution:
>> * bypass CubicWeb,
>> * directly connect to the PostgreSQL database associated to the
>> CubicWeb instance,
>> * read the "cw_login" and "cw_upassword" columns of the "cw_cwuser"
>> PostgreSQL table,
>> * understand the encoding of the "cw_upassword" column (SHA1?),
>> * compare the password to the contents of the "cw_upassword" column.
>>
>> Note that essential information such as the encoding of the
>> "cw_upassword" column is missing.
>>
> Nowadays cw_upassword is in crypt(3) format.  So at least on Unix, you
> could dump cw_login:cw_upassword in a htpasswd file, if your
> apache/apr-util has
> http://svn.apache.org/viewvc/apr/apr/trunk/crypto/apr_passwd.c?r1=1358480&r2=1361811
> Before that fix IIRC you need to drop the last character from the
> cw_upassword for apache to accept it.
>
> Julien

-- 
Dimitri Papadopoulos
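
Added example, not part of the original messages and not CubicWeb code: a Python 3 sketch of both approaches in this thread, decoding cw_upassword from PostgreSQL's bytea hex output and either writing a cw_login:cw_upassword htpasswd entry or verifying a password with a constant-time comparison. The function names, the sample row, the accepted hash alphabet and the crypt_func parameter (for example crypt.crypt where that module exists) are assumptions.

```python
import binascii
import hmac
import re

# crypt(3) modular format: $id$[params$]salt$hash (alphabet assumed here)
CRYPT_RE = re.compile(r"^\$[0-9a-z]+\$[./0-9A-Za-z$=,]+$")

def bytea_to_crypt(value):
    """Turn a cw_upassword value in PostgreSQL bytea hex output into text."""
    if isinstance(value, (bytes, bytearray, memoryview)):
        raw = bytes(value)            # driver already decoded the bytea
    elif value.startswith("\\x"):
        raw = binascii.unhexlify(value[2:])
    else:
        raise ValueError("expected bytea hex output starting with \\x")
    text = raw.decode("ascii")
    if not CRYPT_RE.match(text):
        raise ValueError("not a crypt(3) modular-format hash")
    return text

def htpasswd_line(login, upassword, drop_last_char=False):
    """Build one 'login:hash' htpasswd entry from a cw_cwuser row."""
    if not login or re.search(r"[:\r\n]", login):
        raise ValueError("login cannot be stored in an htpasswd file")
    hashed = bytea_to_crypt(upassword)
    if drop_last_char:                # workaround quoted in the thread for older apr-util
        hashed = hashed[:-1]
    return "%s:%s" % (login, hashed)

def verify(cleartext, upassword, crypt_func):
    """Check a password; crypt_func is e.g. crypt.crypt where available."""
    stored = bytea_to_crypt(upassword)
    computed = crypt_func(cleartext, stored) or ""
    # constant-time comparison instead of ==
    return hmac.compare_digest(computed.encode(), stored.encode())

# Constructed sample row: not a real hash, only the right shape.
SAMPLE_HASH = "$6$examplesalt$" + "A" * 86
SAMPLE_ROW = ("alice", "\\x" + binascii.hexlify(SAMPLE_HASH.encode()).decode())
```

Rejecting logins that contain ':' or a newline keeps a crafted login from adding or splitting entries in the generated htpasswd file.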


