User Passwords Being Saved?

  • Andy Morton

    (@amorton)


    11 months ago

    We are testing out AuthLDAP to user on our campus WordPress instance but are finding that it’s storing a password hash in the user_pass field in the database even though we have the box un-checked in the settings screen. Any idea why this is happening or what is actually being stored?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author heiglandreas

    (@heiglandreas)

    11 months ago

    Hey Andy.

    Thanks for getting in touch.

    The thing is that WordPress requires to have a password. Even though the authLdap plugin makes that obsolete. SO I decided – a long time back – to provide WordPress with an empty password when the user wants to not store the password in WordPress.

    You can check the relevant code at https://github.com/heiglandreas/authLdap/blob/cb6373d57ddc37a9073355290820c3a2bec15f5b/src/LoggedInUserToWpUser.php#L177-L183

    There we set the password that will be provided to WordPress when creating or updating a user either to the just verified password or to an empty string.

    WordPress then hashes that empty string. As it is not possible to log into WordPress with an empty string that should prohibit any possibility of someone logging in should the LDAP-server not be available.

    Does that answer your question?

    Regards

    Andreas

    Thread Starter Andy Morton

    (@amorton)

    11 months ago

    Thank you, Andreas! Yes that resolves the issue. Very much appreciated! – Andy

Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘User Passwords Being Saved?’ is closed to new replies.