"Incorrect password!" when setting up new user on 4.1.2 / php 5.3.3 / centos 6.4 / Maria DB 5.5.32

system · September 17, 2013, 9:41pm

meddev wrote on Tuesday, September 17, 2013:

I’m hoping someone can point something out before I resort to digging through code.

I’ve got a fresh install of 4.1.2 that has 3 users(admin and two others) setup a few days ago. The user setup worked fine then and I was able to login with the users.

Today I’m logged in as admin and I’m not able to add new users without getting the message “Incorrect Password!” when hitting save. Very little has been done since the other users were setup so I’m a little perplexed as to why it started failing.

Search did not turn up anything that helped.

I’ve restarted the database and web server processes.

I’ve tried both passwords the same and the user password and the admin password(correct method) and neither works.

I manually added a record to the user table and I cannot edit the user password via OpenEMR but can make changes to other items on the user page. When I try to edit the password I get the same message on save.

Can anyone shed any light?

system · September 17, 2013, 10:01pm

blankev wrote on Tuesday, September 17, 2013:

Just today after some time adding another USER I had the same problem.

The first password is the new password for the User, the second password should be your own password or the password of the Administrator (I login as Administrator in my own local version) I don’t know if it has anything to do with this problem, but I did take away the “V” mark at the Globals => Security and password tab. Permit unsalted Passwords…

system · September 18, 2013, 12:06am

yehster wrote on Wednesday, September 18, 2013:

github.com

openemr/openemr/blob/master/library/authentication/password_change.php#L99


    if (($hash_current!=$userInfo[COL_PWD])) {
        $errMsg=xl("Incorrect password!");
        return false;
    }
} else {
    // If this is an administrator changing someone else's password, then check that they have the password right
    if ($GLOBALS['use_active_directory']) {
        $valid = active_directory_validation($_SESSION['authUser'], $currentPwd);
        if (!$valid) {
            $errMsg=xl("Incorrect password!");
            return false;
        } else {
            $newPwd = md5(uniqid());
        }
    } else {
        $adminSQL=" SELECT ".implode(",", array(COL_PWD,COL_SALT))
                  ." FROM ".TBL_USERS_SECURE
                  ." WHERE ".COL_ID."=?";
        $adminInfo=privQuery($adminSQL, array($activeUser));
        $hash_admin = oemr_password_hash($currentPwd, $adminInfo[COL_SALT]);
        if ($hash_admin!=$adminInfo[COL_PWD]) {

This is not something I’ve encountered before, but here is where the password check is happening and the “Incorrect Password!” message is generated to help you with debugging.

system · September 18, 2013, 7:40pm

meddev wrote on Wednesday, September 18, 2013:

Thanks for the responses guys. As soon as I saw the code Kevin I realized my mistake. I had restored a backup of the users table but not users_secure so I had changed the id of admin in users but not in user_secure. It’s all working fine now that I matched them up. Doh!

system · September 18, 2013, 8:37pm

yehster wrote on Wednesday, September 18, 2013:

Glad to hear that you figured it out. Not sure what’s going on with Pimm’s system though. The checkbox to disallow unsalted passwords is only supposed to impact the password check during logon, it’s not supposed to impact user management, so unlikely that’s the issue, but you never know.