Where is sugarCRM hashing the password from the login form?

Hello. I am developing an API that pushes Users into the system from another product of my company. All is fine except I can not log in with the new User. This how the user is inserted into the CRM

$user_bean->user_name=$user_name;
$user_bean->first_name=$first_name;
$user_bean->last_name=$last_name;
$user_bean->title=$title;
$user_bean->status=$status;
$user_bean->is_admin=$is_admin;
$user_bean->user_hash=$user_hash;
$user_bean->save();
if (!empty($email))
{
$user_bean->emailAddress->addAddress($email,true);
$user_bean->emailAddress->save($user_bean->id, $user_bean->module_dir);
}

Now, from the external source I receive the password already hashed, I put that value into the user_hash field. In what file (and maybe even what line of code) is sugarCRM hashing the password from the login form. I know the password, I have the hashed version the secondary product generated, I want to compare the hash sugar expects, to see if it matches the one I have. For that I would like to do a print_r or similar.

Parents
  • With the REST API you can create users with parameter settings like:

    $url = $base_url . "/Users";
    $user_parameter = array(
    "user_name" => "user6",
    "user_hash" => 'sillypassword',
    "system_generated_password" => false,
    "pwd_last_changed" => "",
    "authenticate_id" => "",
    "sugar_login" => true,
    "picture" => "",
    "first_name" => "test6",
    "last_name" => "test6",

    The created user user6 has the password 'sillypassword' after the POST call. I just tested that in a 11.2 instance.

    But from a security point of view I would never set a default password or a list of provided passwords.

    Just provide a valid email address for each user and enable the lost password function. So each user can keep his password secret.

    Harald Kuske
    Principal Solution Architect – Professional Services, EMEA
    hkuske@sugarcrm.com
    SugarCRM Deutschland GmbH

Reply
  • With the REST API you can create users with parameter settings like:

    $url = $base_url . "/Users";
    $user_parameter = array(
    "user_name" => "user6",
    "user_hash" => 'sillypassword',
    "system_generated_password" => false,
    "pwd_last_changed" => "",
    "authenticate_id" => "",
    "sugar_login" => true,
    "picture" => "",
    "first_name" => "test6",
    "last_name" => "test6",

    The created user user6 has the password 'sillypassword' after the POST call. I just tested that in a 11.2 instance.

    But from a security point of view I would never set a default password or a list of provided passwords.

    Just provide a valid email address for each user and enable the lost password function. So each user can keep his password secret.

    Harald Kuske
    Principal Solution Architect – Professional Services, EMEA
    hkuske@sugarcrm.com
    SugarCRM Deutschland GmbH

Children
  • Not a workable solution. Basically our identity server does not support SAML (yet) so this is a way to mimic single sign on. The user is created in our main product, called workspace, with a password and all and we want to move it into sugarCRM with the same credentials. This has worked on 77 and 79 sugar version, but we want to use rest instead of SOAP (the original code was using SOAP). Sugar changed the way it hashes from 79 to 10.0.4, so we have to adapt the hashing method on workspace. Hence my question