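--- a/ezidapp/models/user.py
+++ b/ezidapp/models/user.py
@@ -157,18 +157,6 @@ def authenticate(self, password):
 
 logger.debug('Auth successful')
 
-# Upgrade older LDAP password hashes.
-if self.password.split("$")[0] == "ldap_sha1":
-import ezidapp.admin
-
-try:
-with django.db.transaction.atomic():
-self.setPassword(password)
-self.save()
-ezidapp.admin.scheduleUserChangePostCommitActions(self)
-except Exception:
-pass
-
 return True
 
 # See below.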
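--- a/impl/userauth.py
+++ b/impl/userauth.py
@@ -164,42 +164,3 @@ def authenticateRequest(request, storeSessionCookie=False):
 else:
 return None
 
-
-class LdapSha1PasswordHasher(django.contrib.auth.hashers.SHA1PasswordHasher):
-"""Password hasher for legacy LDAP-encoded passwords
-
-File this
-under So Close, Yet So Far. LDAP uses salted SHA-1 hashing, and
-Django supports exactly that scheme. With some syntactic
-shuffling it would be possible for Django to work with
-LDAP-encoded passwords directly, except: LDAP uses binary salts,
-whereas Django requires salts to be text. Ergo, this custom
-hasher.
-"""
-algorithm = "ldap_sha1"
-
-def encode(self, password, salt):
-assert password is not None
-assert len(salt) == 16
-binarySalt = "".join(chr(int(salt[i : i + 2], 16)) for i in range(0, 16, 2))
-hash = hashlib.sha1(
-django.utils.encoding.force_bytes(password) + binarySalt
-).hexdigest()
-return f"{self.algorithm}${salt}${hash}"
-
-# TODO: Commented out for now, but as far as I can tell, this is unused.
-# def convertLegacyRepresentation(self, legacy):
-# # Converts a legacy LDAP-encoded password to Django syntax. In
-# # LDAP encoding, a 20-byte binary SHA-1 hash and an 8-byte binary
-# # salt are concatenated, Base64-encoded, and prepended with
-# # "{SSHA}".
-# assert legacy.startswith("{SSHA}")
-# d = base64.b64decode(legacy[6:])
-# assert len(d) == 28
-# hash = d[:20]
-# salt = d[20:]
-#
-# def hexify(s):
-# return "".join(f"{ord(c):02x}" for c in s)
-#
-# return f"{self.algorithm}${hexify(salt)}${hexify(hash)}"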
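--- a/settings/settings.py.j2
+++ b/settings/settings.py.j2
@@ -568,7 +568,6 @@ MIDDLEWARE = (
 
 PASSWORD_HASHERS = [
 'django.contrib.auth.hashers.PBKDF2PasswordHasher',
-'impl.userauth.LdapSha1PasswordHasher',
 ]
 
 TEMPLATES = [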
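--- a/settings/tests.py
+++ b/settings/tests.py
@@ -554,7 +554,6 @@
 
 PASSWORD_HASHERS = [
 'django.contrib.auth.hashers.PBKDF2PasswordHasher',
-'impl.userauth.LdapSha1PasswordHasher',
 ]
 
 TEMPLATES = [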