
c2c-oerpscenario team mailing list archive

Re: [Bug 738721] Re: base_crypt and users_ldap don't work together


Hello Olivier,

you said that one justification for not encrypting passwords by default is:
"As for the reason for cleartext passwords: once you switch to encrypted
passwords you can't recover user passwords anymore . So enabling it is a
choice, because there's no going back. We don't currently plan to make
passwords encrypted by default."

Well, why is that such a big trouble? Yes, you cannot recover the password,
but it's trivial for the administrator to generate a new valid password and
send it to the user.
So if you really forgot what your password was, why is it such a big
trouble to use a fresh new one you can choose?

I'm sorry, but unless I missed something I don't understand the
justification behind that.
I strongly believe encrypting should be done by default.

Look, in our daily consultant work, it's just too frequent that one gives ERP or
database admin rights to some third-party consultant. Today that guy can
always rip all the passwords of all companies' employees, and this is potentially
happening everywhere in the world where OpenERP is deployed.
And since there is no third-party auth like OpenID, people are just forced
to use yet another password, so the chance they use one they already use is
huge. So if you rip like 30 passwords per company and then test randomly on
their GMail, Facebook or bank accounts, I'm sure there will be some positive
match from time to time.
So unless I missed some other reason, I just cannot understand that decision
either.

Am I missing something?


On Wed, May 18, 2011 at 8:12 PM, Olivier Dony (OpenERP) <
738721@xxxxxxxxxxxxxxxxxx> wrote:

> @Russell: sorry, you may have been misled by the bug title, but
> users_ldap does not store the LDAP passwords in the database at all,
> authentication is always performed against the LDAP server directly. The
> only reason you might want to install base_crypt in addition to
> users_ldap is to have non-LDAP users (with encrypted passwords) in
> addition to the LDAP users.
>
> As for the reason for cleartext passwords: once you switch to encrypted
> passwords you can't recover user passwords anymore. So enabling it is a
> choice, because there's no going back. We don't currently plan to make
> passwords encrypted by default.
>
> Also, people often don't realize that even if encrypted passwords do
> decrease the chance of having the cleartext passwords stolen (provided
> several requirements are met in the encryption scheme!), they don't
> replace real measures for ensuring the security of a database! Passwords
> are just regular data, so if they are compromised (even encrypted), it
> means the whole database was, and that means a lot more to worry about
> than just asking users to pick new passwords.
>
> BTW, we're indeed going to make base_crypt and users_ldap work together,
> but it requires a change in the design of OpenERP authentication, to
> implement a pluggable authentication system. We're also planning to
> provide new encryption schemes in base_crypt, such as SHA-based HMAC.
>
> --
> You received this bug notification because you are a member of OpenERP
> Drivers, which is subscribed to OpenERP Addons.
> https://bugs.launchpad.net/bugs/738721
>
> Title:
>  base_crypt and users_ldap don't work together
>
> Status in OpenERP Modules (addons):
>   Confirmed
>
> Bug description:
>  I installed and configured users_ldap so that all of my users can login
> using their credentials stored in OpenLDAP, which worked fine. Then I
> installed base_crypt (with the intention of all other passwords in the db,
> for non-ldap-users like 'admin') being encrypted. However, this prevents all
> LDAP users from logging in.
>  I suppose that base_crypt tries to authenticate the user and if this
> fails, login fails, without users_ldap trying to authenticate. I think this
> behaviour should be changed towards:
>   1. Check whether user can login using the (possibly encrypted) password
> in the database.
>   2. If not, check whether user can login using the LDAP password.
>   3. If not, refuse access.
>  Right now, the second step seems to be omitted when base_crypt is used.
>

-- 
You received this bug notification because you are a member of C2C
OERPScenario, which is subscribed to the OpenERP Project Group.
https://bugs.launchpad.net/bugs/738721



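As an added example (not OpenERP's code and not from anyone in this thread), the authentication order proposed in the bug description, with the local check done against a salted, iterated hash rather than cleartext: step 1 verifies the database password, step 2 falls back to an LDAP bind, step 3 refuses. The in-memory user table, the PBKDF2 parameters and the fake LDAP bind are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Constructed stand-in for the res_users table: one local user with a salted
# PBKDF2-HMAC-SHA256 hash, one LDAP user with no local secret at all.
# Field names, rounds and the fake bind are assumptions for this example.

def hash_password(password: str, salt: Optional[bytes] = None, rounds: int = 200_000) -> str:
    """Salted, iterated hash; a stolen table no longer yields the cleartext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"

def verify_local(stored: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, rounds, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

USERS = {
    "admin": {"password": hash_password("admin-local-secret"), "ldap": False},
    "alice": {"password": None, "ldap": True},
}

def fake_ldap_bind(login: str, password: str) -> bool:
    """Constructed replacement for a simple bind against the directory."""
    return (login, password) == ("alice", "alice-ldap-secret")

def authenticate(login: str, password: str,
                 ldap_bind: Callable[[str, str], bool] = fake_ldap_bind) -> Optional[str]:
    user = USERS.get(login)
    # An empty password must never reach the bind: a simple bind with an empty
    # password is treated as anonymous by many directories and "succeeds".
    if user is None or not password:
        return None
    if user["password"] and verify_local(user["password"], password):
        return "local"            # step 1: database (hashed) password
    if user["ldap"] and ldap_bind(login, password):
        return "ldap"             # step 2: LDAP fallback for LDAP users
    return None                   # step 3: refuse access
```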