Passwords are encrypted when a user uses the password field located within their account page. This encryption is basically a string translation that is successful in converting the user's password to a protected string when storing, but never decrypts when pulling back out of the database. This has been tested and verified on the current release of the module. I was able to successfully fix the error for the time being by commenting out the encryption/decryption portions of the code and merely storing and returning the password in the clear as is. I plan to spend a little more time trying to figure out why the decryption aspect is not working as intended. I will update the bug with any more details.

Comments

EgonO’s picture

EgonO CreditAttribution: EgonO commented

is this the reason for this error message:

"Wrong combination Username / Password. Please re-login to the site for synchronization" ???

darren.ferguson’s picture

darren.ferguson CreditAttribution: darren.ferguson commented

Most likely a wrong username or password, for every update to that table there is an encrypt for the password.

For every time the password is needed there is a decrypt. Unless you have other alterations to the module this should not be failing at all

brandon.dixon’s picture

brandon.dixon CreditAttribution: brandon.dixon commented

I had no alterations, but I will check agaisnt the most recent revision. It took me a week to figure out that it was in fact the code and not my environment. Passwords were properly encrypted, but never descrypted like they should have been. I could see this by using Firebug and watching the password that was being submitted. In all cases of failure I saw that the password being sent to the server was not the user's password, but instead the "encrypted" version. I will check the latest release as soon as I can.

Torenn’s picture

Torenn CreditAttribution: Torenn commented

Are you guys getting this issue resolved any soon, I think I'm affected as well as result XWChat can't connect because of this error: Wrong combination Username / Password (While the xmpp rooster works finely). Please re-login to the site for synchronization. Practically this makes the whole module useless, would be nice to have just even a workaround for the time being... Thanks.

darren.ferguson’s picture

darren.ferguson CreditAttribution: darren.ferguson commented

This code is written with ldap in mind and works without issue.

For the non ldap portion i would suggest you show the password field on the user edit form and then enter the password in there.

That will then save the password and it will be utilized correctly.

also make sure the save password on login is not checked.

Torenn’s picture

Torenn CreditAttribution: Torenn commented

Ok i tested a bit more in "LDAP" environment using the same drupal login password everything works... yet if I try to save a different password and not use the drupal login one, the error returns.

brandon.dixon’s picture

brandon.dixon CreditAttribution: brandon.dixon commented

Toren - If you want a work around then shoot me an email - brandon.s.dixon@gmail.com. Feel free to hit me up via Google Talk as well. I am running an LDAP environment and noticed the issue. The best way to troubleshoot the problem and see if its related to passwords not being decrypted is to use firebug and watch the authentication take place. You should see your username and password passed in the clear (depending on your configuration).

fizk’s picture

fizk CreditAttribution: fizk commented

For me, the problem is that the value of $account->xmpp_user->password is not encrypted.

I'm trying to figure out why, but that's causing me problems.

fizk’s picture

fizk CreditAttribution: fizk commented

Here's the fix:


function xmpp_user_update($edit, $account, $category = NULL) {
...
...

elseif (isset($edit['xmpp_user']['password']) && !is_null($edit['xmpp_user']['password']) && drupal_strlen($edit['xmpp_user']['password'])) {
$password = xmpp_user_encrypt_password($edit['xmpp_user']['password']);
db_query("UPDATE {xmpp_user} SET jid = '%s', resource = '%s', password = '%s' WHERE uid = %d", $edit['xmpp_user']['jid'], $resource, $password, $account->uid);
$edit['xmpp_user']['password'] = $password; // <----------- store the encrypted password
}

......
......

darren.ferguson’s picture

darren.ferguson CreditAttribution: darren.ferguson commented

Can you put the fix into a cvs diff patch based off the current branch then i will be able to look at it and determine if it wont break the functionality which currently works on all 100+ sites it is deployed on our end.

polesworth’s picture

polesworth CreditAttribution: polesworth commented

Not quite sure if this is the same issue I'm seeing; I cannot get xmpp client to successfully auth against my ejabberd server.

I tried the method in comment #7 to check whether the password was being sent encrypted or not, but as far as I can tell, it's using digests which change on each connection attempt so no mileage there.

Also tried wiresharking the conversation which just confirmed the firebug findings.

If anyone has any suggestions as to how I might debug this further appreciated.

Darren, are you still waiting for a patch so that you can validate the fix?

Thanks.

brandon.dixon’s picture

brandon.dixon CreditAttribution: brandon.dixon commented

Are you using SASL?

I would try removing anything that is not 100% needed as far as authentication goes (server configurations) and seeing if you are running into the same issue I had. Firebug allowed me to see the request get made and showed the password (or encrypted one) in plain view. The encryption used is not a digest (at least not in openfire) and is rather just a 1 to 1 replacement on letters. Unless you have further configured ejabberd or the module, I don't see how you would be getting a digest unless you were using SASL.

polesworth’s picture

polesworth CreditAttribution: polesworth commented

Hi Brandon,

Yeah, I tried with and without SASL. With it on, screen width auth strings were being passed around, with it off, a smaller digest was being passed, possibly md5sum length, I didn't count exactly.

aaron’s picture

aaron CreditAttribution: aaron commented

The module is currently unusable. We are not using an LDAP environment. I am able to log in fine with GAIM, but not with the browser, with the aforementioned error: "Wrong combination Username / Password. Please re-login to the site for synchronization". I've tried the fix in #9 to no avail. Looking in firebug, I see several calls, none of which seems to send a password of any kind for authentication. (I see two calls to query xmlns="jabber:iq:auth", the second of which does have:

<username>admin</username><resource>admin</resource><digest>488167baf272b1e0ab6ee8d479bc0d554cede0b7</digest>

Is the digest the encrypted password? It does not match either the plain text password nor the encrypted password stored in xmpp_user. Help!

fizk’s picture

fizk CreditAttribution: fizk commented

Aaron,

The module is usable for me. I've applied many patches over time (mine and others), most of which are in the issue queue. Hopefully Darren will apply the patches (or already has in CVS?).

I've noticed that most of the bugs I ran into were related to non-LDAP setups, simply because Darren's environment uses LDAP. If someone could test the module from the ground up in a non-LDAP setup, as well as for each module update, that would be awesome.

aaron’s picture

aaron CreditAttribution: aaron commented

I've created the DXMPP module (nearly complete but already working on our servers), which exposes a themeable XMPP chat client to Drupal. This suited our needs, and was faster than trying to fix the non-LDAP configuration problems I was running to with XMPP Framework. Perhaps I can add support for the XMPP Framework module to that module in the future for authentication.

ZyanKLee’s picture

ZyanKLee CreditAttribution: ZyanKLee commented

have the same problem. how could I help you with the debugging thing ?