nullified
04-05-2012, 04:19 PM
Hello everyone,
I'm currently looking at setting up a vBulletin for a large userbase (30k people) based on the users in a proprietary management solution. I, essentially, have three issues:
(1) Nightly Synchronization
(2) Passwords
(3) Rights Management
I do have PHP experience and have written a few things for vBulletin, but truth be told, I haven't touched the code for years (mostly, I hacked vB 2 and early vB 3) so please bear with me.
(1) Synchronization
I don't think this would be too much of an issue to program: we already push user:password:email:auxiliarydata lists to our servers over an encrypted connection and feed them into our various applications. It shouldn't be too difficult to check that list against the vBulletin user list and add those people who are new/whose password changed. We can guarantee integrity of a number of fields and while there are a couple of edge cases, they are manageable.
However: is it a bother to block changing the password and email address inside of vBulletin?
(2) Passwords
This is the big issue I see: we don't store passwords in vB's fashion.
We currently store passwords as md5 and sha256.
After having a cursory glance at function verify_authentication I'm actually somewhat hopeful that not all is as difficult as I had feared because if I read vBulletin's code correctly, it actually catches passwords that are "merely" md5 hashes instead of salted hashes -- if that is the case, would it be possible to simply write the md5 hashes with every synchronization and rely on that fallback to make it smooth for the users? (It's not nice, but our overall ecosystem is secure enough that I don't really see the harm.)
(3) Rights Management
This, too, shouldn't actually be too difficult: on synchronization, we check whether a user still exists on the list and, if he doesn't, we delete him. Right?
As said, I'm aware this does require some coding and I can put that time in, but I just want to get a little bit of feedback from people who have touched the code in the last couple of years to see whether there's an easier way or to get some pointers to get this done more quickly (i.e. am I reading verify_authentication correctly).
Regards,
null
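Added example, not part of the original post and not vBulletin's own code: a sketch of the nightly sync that needs no plain-md5 fallback, because a salted value can be derived directly from the upstream MD5 digest. It assumes the vBulletin 3.x/4.x scheme (stored password = md5(md5(plaintext) . salt), with a per-user salt); the function names, the array layout and the `$protected` list are hypothetical.

```php
<?php
// Added example, not vBulletin code. Assumes the vBulletin 3.x/4.x scheme:
// user.password = md5(md5(plaintext) . user.salt).

// Build the stored value from the upstream MD5 hex digest (no plaintext needed).
function vb_hash_from_md5(string $md5Hex, string $salt): string
{
    if (!preg_match('/^[0-9a-f]{32}$/i', $md5Hex)) {
        throw new InvalidArgumentException('not an MD5 hex digest');
    }
    return md5(strtolower($md5Hex) . $salt); // PHP md5() emits lowercase hex
}

// Per-user salt of printable ASCII (length 30 is an assumption).
function new_salt(int $length = 30): string
{
    $salt = '';
    for ($i = 0; $i < $length; $i++) {
        $salt .= chr(random_int(33, 126));
    }
    return $salt;
}

// $upstream: name => [md5, email]; $forum: name => [password, salt, email].
// $protected: forum-only accounts (e.g. admins) that must never be deleted.
function plan_sync(array $upstream, array $forum, array $protected = []): array
{
    $plan = ['add' => [], 'update' => [], 'delete' => []];
    foreach ($upstream as $name => $u) {
        $f = $forum[$name] ?? null;
        $same = $f !== null
            && hash_equals($f['password'], vb_hash_from_md5($u['md5'], $f['salt']))
            && $f['email'] === $u['email'];
        if ($same) {
            continue; // nothing changed upstream, leave the row alone
        }
        $salt = new_salt(); // fresh salt whenever the row is (re)written
        $row = ['password' => vb_hash_from_md5($u['md5'], $salt), 'salt' => $salt, 'email' => $u['email']];
        $plan[$f === null ? 'add' : 'update'][$name] = $row;
    }
    $plan['delete'] = array_keys(array_diff_key($forum, $upstream, array_flip($protected)));
    return $plan;
}

// Constructed sample data: alice is new, bob changed his password, carol left.
$upstream = ['alice' => ['md5' => md5('pw-a'), 'email' => 'alice@example.org'],
             'bob'   => ['md5' => md5('pw-b-new'), 'email' => 'bob@example.org']];
$forum = ['bob'   => ['password' => vb_hash_from_md5(md5('pw-b-old'), 'abc'), 'salt' => 'abc', 'email' => 'bob@example.org'],
          'carol' => ['password' => 'x', 'salt' => 'y', 'email' => 'carol@example.org'],
          'admin' => ['password' => 'x', 'salt' => 'y', 'email' => 'admin@example.org']];
$plan = plan_sync($upstream, $forum, ['admin']);
printf("add=%s update=%s delete=%s\n", implode(',', array_keys($plan['add'])), implode(',', array_keys($plan['update'])), implode(',', $plan['delete']));
```

Only the MD5 list can be used this way; the SHA-256 digests cannot be converted into this format without the plaintext.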