Member Avatar for digital-ether
digital-ether 399 Nearly a Posting Virtuoso

Please excuse the length of this post:

I'm trying to integrate OpenFire (XMPP Server) with a Joomla (CMS) user database.
Openfire allows authentication against an external database by editing its configuration.

In the configuration you have to supply the query that will retrieve the password from the external database, given the username.

eg:

SELECT password FROM jos_users WHERE username=?

The password supplied by the client will be plain text. The comparison with the query result can be plain text or MD5/SHA-1 hash.

quoting the docs:

# jdbcAuthProvider.passwordSQL -- the SQL String to select a user's password. The SQL statement should contain a single "?" character, which will be dynamically replaced with a username when being executed.
# jdbcAuthProvider.passwordType -- the type of the password. Valid values are "plain" (the password is stored as plain text), "md5" (the password is stored as a hex-encoded MD5 hash) and "sha1" (the password is stored as a hex-encoded SHA-1 hash). If this value is not set, the password type is assumed to be plain.

The problem is that Joomla saves passwords as the MD5 hash of the plaintext password and a random seed. The seed is then appended to the end of the resulting hash in the password column.

eg:

If the user password is "test". Then Joomla will generate a random seed, 'xyz' and generate the hash:

hash = md5( concat('test', 'xyz') )

It will then save the password field as:

concat('hash', ':xyz');

So when a user authenticates, they send in a plain text password.

'test'. The password for that user is retrieved from the db, and split into the hash and seed.
The plain text pass is then again concatenated with the seed, MD5 hashed and compared with the existing hash in the DB.

Now for the question:

At the moment, I have integration set to plain-text and the SQL Query to:

SELECT password FROM jos_users WHERE username=?

But this means the whole password column must be supplied into the IM client to log into an account. What I want is to configure a query that will return just the MD5 hash of the password, or at least work within the restrictions given for the query, to allow using the actual password in the IM client.

My understanding is it isn't possible since MD5 cannot be reversed within a MySQL query, but I'd just like to pose the question in case there is a work around...

  • 1 Contributor
  • 0 Replies
  • 91 Views
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.