Hi,
I want to migrate users - including their passwords - from a Plone 3 website
to another system written in PHP (Drupal). I managed to export users
including their encrypted passwords already by going to Navigation > Members
and clicking on "Import/Export".
Now I'd like to know exactly how the passwords are encrypted, so I know how
to compare the passwords in Drupal. All the passwords are prefixed with
"hmac_sha:" which led me to think the following PHP code would have done
the trick:
$encrypted_password = hash_hmac('sha1', $plain_password, '');
But unfortunately there was no match (I created a few test users in the
existing Plone site to find out).
Some acknowledgements:
- I have a good knowledge of PHP, but I know nothing about Python (I have
plans to learn it, though). I also have no experience with Plone.
- I can access the site with full privileges, but I don't have access to the
files (the local filesystem).
- I have access to the "Zope management interface", so I'm probably able to
execute Python scripts if necessary.
*Plone version information:*
Plone 3.1.5.1
CMF 2.1.1
Zope (Zope 2.10.6-final, python 2.4.6, linux2)
Python 2.4.6 (#2, Jan 24 2010, 12:20:41) [GCC 4.3.2]
PIL 1.1.6
Hello,
Zope supports pluggable encryption schemes and this is not one of the
ones that is built in. But a bit of googling suggests that it's probably
from the "Remember" add-on, using this implementation (HMACHash class),
which in turn uses the hmac module from the Python stdlib:
http://svn.plone.org/svn/collective/Products.remember/trunk/[..]
...I would guess that reading the 'hmac_key' value there is the key
piece you're missing, to pass as the 3rd value to hash_hmac().
David
----------
David Glick
Web Developer
davidglick*******
206.286.1235x32
I don't think Plone has a specific user import/export by default. What URL
path are you finding this through? Is it from the standard Plone interface
or the Zope Management Interface (the one you see when you go to
<yoursite>/manage)?
Hmm. I think you might have Products.remember installed. By default Plone
stores passwords using secure sha, e.g:
>>> dict(app.Plone.acl_users.source_users._user_passwords)
{'test': '{SSHA}nMQKxyZc233Bx0MMPOPv4Z0xAyUk4mnggv5h'}
Looking through the remember code it seems that it stores a salt value
(hmac_key) as an annotation on the member object.
http://dev.plone.org/browser/collective/Products.remember/tr[..]
This hmac key defaults to str(context) which will be something like '<Member
at test>', though if the member object is renamed it will not be updated.
You need to add this to your hash_hmac call as the third argument.
You might be able to dig out the hmac keys from an XML import/export of the
site (I expect this will be a manual process, it is not a useful format
really.) But otherwise you will need to write some filesystem Python code to
access the annotations storage object for each user.
Laurence
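An added example (not part of the thread and not code from Products.remember) of verifying an exported value on the target side. It assumes the stored form is "hmac_sha:" followed by the hex HMAC-SHA1 of the password keyed with the member's hmac_key, and that the default key looks like '<Member at test>'; the function names, member ids and password are constructed for illustration.

```python
import hashlib
import hmac

PREFIX = "hmac_sha:"  # prefix on the exported values described in the thread


def default_hmac_key(member_id):
    # Assumption: key is str(context), "something like '<Member at test>'".
    return "<Member at %s>" % member_id


def hmac_sha1_hex(password, hmac_key):
    # Assumption: HMAC-SHA1, key = hmac_key, message = password, hex output.
    return hmac.new(hmac_key.encode("utf-8"), password.encode("utf-8"),
                    hashlib.sha1).hexdigest()


def verify_exported_hash(stored, password, hmac_key):
    """True if password matches a stored 'hmac_sha:<hex>' value."""
    if not stored.startswith(PREFIX):
        return False  # a different scheme such as {SSHA}; not handled here
    expected = stored[len(PREFIX):].strip().lower()
    computed = hmac_sha1_hex(password, hmac_key)
    # Constant-time comparison, so timing does not leak matching prefixes.
    return hmac.compare_digest(computed.encode("ascii"),
                               expected.encode("utf-8"))


def find_member_key(stored, known_password, candidate_ids):
    """For a test account whose password is known, find which member id
    produced the key (a renamed member keeps the key of its old id)."""
    for member_id in candidate_ids:
        key = default_hmac_key(member_id)
        if verify_exported_hash(stored, known_password, key):
            return key
    return None


if __name__ == "__main__":
    # Constructed sample: member created as "test1", later renamed "renamed1".
    stored = PREFIX + hmac_sha1_hex("s3cret-Example", default_hmac_key("test1"))
    print(verify_exported_hash(stored, "s3cret-Example", ""))  # empty key
    print(find_member_key(stored, "s3cret-Example", ["renamed1", "test1"]))
```

Under the same assumptions, the PHP computation is hash_hmac('sha1', $plain_password, $hmac_key), with the member's hmac_key in place of the empty string used in the question.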
The passwords are hashed, not encrypted. Further, it's a "salted" hash,
which means that hashes may be verified, but not compared. So, don't expect
hashes to match.
Concentrate on whether or not you can *verify* on the target system, not
match. You may discover that this is not as big a problem as you thought.
Thanks for all the responses so far.
@Laurence Rowe
I found the import/export feature in the standard Plone interface. The path
is:
/Members/members_import_export
With the import/export feature I found on the website, I was able to export
member data as a CSV-file.
See further for which add-ons I had found on the website.
@Laurence Rowe
Can you be more specific about what '<Member at test>' can be?
Is this:
- <[member-id] at [website]>, e.g. <test1 at example.com> where "test1" is
the username and "example.com" is the website the member is registered at.
- <[member-id] at [provider]>, e.g. <test1 at gmail.com> where "test1" is
the username and "gmail.com" is the provider the user has its e-mail
registered at.
- <[member-mail]>, e.g. <test1*******>, the user's mail address.
Or is it something different?
@Steve McMahon
I've no experience with "salted" hashes. Also, when I generate the hashes
with the hash_hmac() PHP function with the sha1-algorithm, the hash is
always the same. I've seen that an SSHA hash differs each time it's generated. But
whether it's a salt or not, then I still need to know how to verify the
passwords.
@David Glick-3, Laurence Rowe
I've looked in the Plone interface for add-ons
(/prefs_install_products_form) and I saw that indeed the remember add-on is
listed, only it is listed in the section "Available for installation". Does
that mean the add-on is currently not enabled or do I need to look further
in the Zope Management Interface?
I have also seen that there's an add-on that looks like it's an add-on for
the remember add-on:
- [site]member 0.5, Installs [site]Member's remember-based Plone member
implementations.
[site] is the name of the website.
At the Plone control panel (/plone_control_panel) there is a link "Remember
Settings" available. When I follow that link I can set the default member
type. This is set to [site]Member where [site] is the name of the website.
The list of Add-ons:
*Installed*
- FCKeditor
- Ploneboard 2.0rc1
*Available for installation*
- Attachment support 3.0.1
- Marshall
- NuPlone 0.9.3
- OpenID Authentication Support unknown
- Workflow Policy Support (CMFPlacefulWorkflow) 1.0
- Working Copy Support (Iterate) unknown
- membrane 1.1 svn/dev
- remember 1.0 (svn/unreleased)
- custom skin add-on
- [site]member 0.5 (Installs [site]Member's remember-based Plone member
implementations.)