[p2pu-dev] quick question: how many of you have used LDAP before? (opinions about how to migrate users from the drupal site to lernanta)

Paul Osman paul at mozillafoundation.org
Tue Feb 8 18:44:57 UTC 2011


So we recently migrated ~12000 users from Drupal to Django for 
Drumbeat.org. A few things to note:

1) Drupal 6.x stores passwords as unsalted MD5 hashes. This is fairly 
insecure (susceptible to being compromised by attackers using rainbow 
tables) and has been dropped by most modern authn systems. Luckily, 
Django used to do this too, and now the default authentication backend 
in Django handles unsalted MD5 hashes just fine. Basically, when Django 
encounters a user with an unsalted MD5 hashed password, it authenticates 
them and then upgrades them automatically to whatever hashing algorithm 
you choose to use going forward (SHA512 in our case). This means you can 
migrate Drupal users with a straight-up SQL script, which is what we 
ended up doing.

2) LDAP could be used, but introduces another piece of software to the 
architecture of the site, which could become cumbersome.

3) OpenID could be used as well, but for a variety of reasons, forcing 
all of your users to use OpenIDs (even if you set up an identity 
provider) could be difficult.

I'd recommend doing the same thing we did... total migration took about 
30 minutes for ~12k users with a ~30 line Python script that executed 
raw SQL against the Drupal database and used Django models to write data.

-Paul

On 02/08/2011 01:33 PM, zuzel.vp wrote:
> Adding a third option:
>
> 1) Moving existing Drupal user accounts into LDAP. If the users are in
> LDAP it will be possible to authenticate using
> http://packages.python.org/django-auth-ldap/ for Lernanta and
> http://drupal.org/project/ldap_integration for the drupal site.
>
> 2) Use a custom Django authentication backend in Lernanta (to
> authenticate against the Drupal site database) during the first steps
> of the migration, and then move all the users from one database to the
> other when we stop using the Drupal site.
>
> 3) Use Drupal as an OpenID Server. Drupal sites themselves can act as
> OpenID servers, using the openid_server module, but only Drupal 4.7
> has support for this right now (needs to be ported to 5 and 6).
>
> Thanks,
>      Zuzel
>
> On Tue, Feb 8, 2011 at 1:11 PM, Jessica Ledbetter
> <jessica at jessicaledbetter.com>  wrote:
>> On Tue, Feb 8, 2011 at 1:09 PM, John Britton<public at johndbritton.com>  wrote:
>>> I'd really like to see us using
>>> OpenID.
>>
>> +1
>> _______________________________________________
>> p2pu-dev mailing list
>> p2pu-dev at lists.p2pu.org
>> http://lists.p2pu.org/mailman/listinfo/p2pu-dev
>>
> _______________________________________________
> p2pu-dev mailing list
> p2pu-dev at lists.p2pu.org
> http://lists.p2pu.org/mailman/listinfo/p2pu-dev
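
The verify-then-upgrade flow described in point 1 of the message above, as an added sketch that is not part of the original thread and is not Django's own code. PBKDF2-HMAC-SHA512 stands in here for the "SHA512" scheme mentioned; the stored-hash format, iteration count, function names and sample users are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import re

LEGACY_MD5 = re.compile(r"^[0-9a-f]{32}$")  # Drupal 6 style: bare hex MD5, no salt
ITERATIONS = 100_000                        # assumed work factor for new hashes

def make_hash(password):
    """Return 'pbkdf2_sha512$iterations$salt$digest' (format made up for this example)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha512${ITERATIONS}${salt.hex()}${dk.hex()}"

def check_password(password, stored):
    """Return (ok, needs_upgrade) for either the legacy or the current format."""
    if LEGACY_MD5.match(stored):
        candidate = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(candidate, stored), True
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), digest_hex), int(iters) < ITERATIONS

def login(users, name, password):
    """Authenticate; on success replace a legacy hash while the plaintext is in hand."""
    stored = users.get(name)
    if stored is None:
        return False
    ok, needs_upgrade = check_password(password, stored)
    if ok and needs_upgrade:
        users[name] = make_hash(password)
    return ok

def legacy_accounts(users):
    """Accounts still holding an unsalted MD5 hash (nobody has logged in yet)."""
    return sorted(n for n, h in users.items() if LEGACY_MD5.match(h))

def sample_users():
    """Constructed rows standing in for hashes copied over by the SQL migration."""
    return {"alice": hashlib.md5(b"correct horse").hexdigest(),
            "bob": hashlib.md5(b"hunter2").hexdigest()}

if __name__ == "__main__":
    users = sample_users()
    print(login(users, "alice", "wrong"), login(users, "alice", "correct horse"))
    print(users["alice"].split("$")[0], legacy_accounts(users))
```

Accounts that never log in after the migration keep their unsalted MD5 hash, so `legacy_accounts` is the list to watch and eventually force through a password reset.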


