[Cubicweb] Python module for Apache : how to use cubicweb.dbapi
Dimitri Papadopoulos Orfanos
dimitri.papadopoulos at cea.fr
Mon Sep 23 16:16:56 CEST 2013
Thank you, the following pseudocode works for me:
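import binascii
import crypt

# password as provided by user through Apache
cleartext = 'mypassword'
# password as read from PostgreSQL (bytea, hex output format)
cryptedpasswd = '\\x0123456789...'
# strip the leading "\x", then decode the hex digits to the crypt(3) string
cryptedpasswd = cryptedpasswd[2:]
cryptedpasswd = binascii.unhexlify(cryptedpasswd).decode('ascii')
# compare encrypted passwords: the stored hash also serves as the salt
if crypt.crypt(cleartext, cryptedpasswd) == cryptedpasswd:
    pass  # passwords match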
On 13/09/2013 16:47, Julien Cristau wrote:
> On Fri, Sep 13, 2013 at 16:11:14 +0200, Dimitri Papadopoulos Orfanos wrote:
>> I'm attempting to write an Apache authentication module that would
>> use the CWusers of a CubicWeb instance.
>> We had already discussed the following solution:
>> * bypass CubicWeb,
>> * directly connect to the PostgreSQL database associated to the
>> CubicWeb instance,
>> * read the "cw_login" and "cw_upassword" columns of the "cw_cwuser"
>> PostgreSQL table,
>> * understand the encoding of the "cw_upassword" column (SHA1?),
>> * compare the password to the contents of the "cw_upassword" column.
>> Note that essential information such as the encoding of the
>> "cw_upassword" column is missing.
> Nowadays cw_upassword is in crypt(3) format. So at least on Unix, you
> could dump cw_login:cw_upassword in a htpasswd file, if your
> apache/apr-util has
> Before that fix IIRC you need to drop the last character from the
> cw_upassword for apache to accept it.
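
Added example, not part of the original messages or of CubicWeb: one way to turn (cw_login, cw_upassword) rows into htpasswd lines as suggested in the reply, rejecting rows that would corrupt the file or that do not hold crypt(3) text. It assumes the column arrives in PostgreSQL bytea hex output format, as in the pseudocode above; the function names, the crypt(3) pattern and the sample rows are constructed for illustration.

```python
import re

# Assumption: a crypt(3) string is "$id$..." or a 13-character DES hash.
CRYPT_RE = re.compile(r'\$[0-9a-z]+\$[./0-9A-Za-z$=,]+|[./0-9A-Za-z]{13}')

def decode_bytea(value):
    """Decode PostgreSQL bytea hex output ('\\x' + hex digits) to ASCII text."""
    if not value.startswith('\\x'):
        raise ValueError('not in bytea hex output format')
    # fromhex() and decode() both raise ValueError subclasses on bad input
    return bytes.fromhex(value[2:]).decode('ascii')

def htpasswd_line(login, upassword):
    """Build 'login:hash' from one (cw_login, cw_upassword) row."""
    # ':' separates fields and control characters could inject extra lines
    if not login or ':' in login or any(ord(c) < 32 for c in login):
        raise ValueError('login cannot be written to an htpasswd file')
    hashed = decode_bytea(upassword)
    # fullmatch() also rejects a trailing newline hidden in the stored value
    if not CRYPT_RE.fullmatch(hashed):
        raise ValueError('value is not a crypt(3) string')
    return '%s:%s' % (login, hashed)

def build_htpasswd(rows):
    """Return (lines, rejected) so that skipped accounts can be reviewed."""
    lines, rejected = [], []
    for login, upassword in rows:
        try:
            lines.append(htpasswd_line(login, upassword))
        except ValueError as exc:
            rejected.append((login, str(exc)))
    return lines, rejected

# Constructed sample rows: the hash is a placeholder, not a real password hash.
FAKE_HASH = '$6$constructed$' + 'A' * 86
SAMPLE_ROWS = [
    ('alice', '\\x' + FAKE_HASH.encode('ascii').hex()),
    ('bob:x', '\\x' + FAKE_HASH.encode('ascii').hex()),  # ':' in login
    ('carol', '\\x' + 'ff' * 20),  # raw 20-byte digest, not crypt(3) text
]

if __name__ == '__main__':
    lines, rejected = build_htpasswd(SAMPLE_ROWS)
    print('\n'.join(lines))
    for login, reason in rejected:
        print('skipped %r: %s' % (login, reason))
```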