
c2c-oerpscenario team mailing list archive

Re: [Bug 738721] Re: base_crypt and users_ldap don't work together

 

On Wed, May 18, 2011 at 10:25 PM, Olivier Dony (OpenERP) <
738721@xxxxxxxxxxxxxxxxxx> wrote:

> On 05/19/2011 01:52 AM, Raphaël Valyi - http://www.akretion.com wrote:
> > Well, why is that such a big trouble? Yes, you cannot recover the
> > password, but it's trivial for the administrator to generate a new valid
> > password and send it to the user.
>
> I'm not saying it's big trouble, just that it's a feature, and a choice
> people might want. You can reverse the question and ask what is the big
> issue with installing base_crypt? (no, you don't need it for LDAP)
>
>

So basically all other software around decides to encrypt passwords, and once
again OpenERP is the only one that gets it about security, by choosing by
default to leave them in the clear?
I'm here just trying to help you make OpenERP a valid business model. Of
course it's not a problem for me at Akretion, after 3 years fighting over
OpenERP, to install yet another module.

Now isn't your new business model based upon an expectation of having 2M
users within 2 years?
I'm sorry, but in my experience, 2M users is incompatible with such a level
of anarchy in the default settings.
For a 2M user base, you need your average integrator not to be a PhD,
multilingual, overworking open source guru anymore. You need
straightforward installation processes.
IMHO it's time for OpenERP to take a Rails-like approach: doing things
correctly by default and only letting people screw it all up if they really
want to. Not the reverse.
I think this is the only approach that lowers the entry barrier enough to
make OpenERP scale like other popular open source tools.
So I'm just asking here to consider the possibility of making passwords
encrypted by default in 6.1.


>
> > Look, in our daily consultant work, it's just too frequent that one gives
> > ERP or database admin rights to some third-party consultant. Today that
> > guy can always rip all the passwords of all the company's employees, and
> > this is potentially happening everywhere in the world where OpenERP is
> > deployed.
>
> Exactly. You're illustrating the second point in the previous comment. You
> say encrypted passwords make you more confident giving full access to
> third-party people. That's fallacious reasoning: why aren't you worried
> about the rest of the database? You should be.
>
>

Wait a minute: where did I suggest that because of password encryption I
would suddenly suggest giving more access rights?
I'm sorry, but your point is fallacious; it's just like saying:
hey, don't lock your home door, because if you lock it you'll suddenly forget
about other security aspects and people will steal from you more.

Of course we are all concerned about a database or ERP admin accessing all
ERP data.
Now there is a big difference between knowing the company's secrets and
probably knowing a few mail/social network/bank/whatever accounts of some of
the company's employees.
The point is that, because OpenERP doesn't have decentralized
authentication, passwords are likely to be what people use for other
accounts, so ripping them is just TOO BAD to be acceptable, especially when
the alternative costs nearly 0 to implement.


> Unix passwords are encrypted by default. Do you go and give root access
> to everyone because it's safe: they can't steal passwords? I don't.
>

Again, where, please, did I suggest giving more access all of a sudden?
Like it or not, companies that get OpenERP integrated give their integrator
production database credentials; this is just a fact.
No, 90% of the companies aren't large companies that will take tons of
security measures to avoid that. The average OpenERP company is a poor and
relatively IT-unlearned SMB that will just give the database credentials to
their integrator of the day.
As for the other security measures, this is exactly the reason why we bother
you about things such as WSGI compliance (including for the XML-RPC layer)
or not outsourcing to pure code beginners who build SQL injection holes all
over the place, and other such things. So yes, we consider it seriously.


> Remember, I'm not saying encrypted passwords are bad.

Well sorry, but saying you don't want those encrypted passwords by default
("We don't currently plan to make passwords encrypted by default.")
is not too far from saying just that.

> I'm just saying people should start considering them as _one reasonable
> option_ among a large number of security measures to take, and not as the
> unique or ultimate magic answer to all security considerations.
>

None of us said it was magic; we just said:
security => password encryption

and now you are accusing us of having said:
password encryption => security

I'm sorry, but this is exactly what happened here.
Let's be more clear: "all things being equal", password encryption brings a
lot more security and should be the default.
Defending the reverse choice sounds really absurd to us.


>
> Anyway, that's just my opinion, anyone is free to think otherwise.


Well, password encryption by default has been one of the most wanted features:
http://feedback.openerp.com/forums/77459-general-improvements/suggestions/1575453-encrypt-password-by-default?ref=title

I really wish there could be some vote or something like that about such
features.
Indeed, you take options for a business model, and we partners are now
backing that business on the battle ground; that's why I think we need to
have a word about what choices we think are coherent with a successful
business model and what is not and will cause us extra work to fund dubious
choices.


So no offense, but I'm sorry, there are moments when I don't understand you
guys.

-- 
You received this bug notification because you are a member of C2C
OERPScenario, which is subscribed to the OpenERP Project Group.
https://bugs.launchpad.net/bugs/738721

Title:
  base_crypt and users_ldap don't work together

Status in OpenERP Modules (addons):
  Confirmed

Bug description:
  I installed and configured users_ldap so that all of my users can log in using their credentials stored in OpenLDAP, which worked fine. Then I installed base_crypt (with the intention of all other passwords in the db, for non-LDAP users like 'admin', being encrypted). However, this prevents all LDAP users from logging in.
  I suppose that base_crypt tries to authenticate the user and, if this fails, login fails, without users_ldap trying to authenticate. I think this behaviour should be changed towards:
   1. Check whether the user can log in using the (possibly encrypted) password in the database.
   2. If not, check whether the user can log in using the LDAP password.
   3. If not, refuse access.
  Right now, the second step seems to be omitted when base_crypt is used.
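As an added illustration of the three-step login order the reporter proposes (local password first, then LDAP, then refuse) and of the thread's point that a hashed password cannot be read back but can be reset, here is a small Python model. It is not code from OpenERP, base_crypt or users_ldap: the PBKDF2 stored-hash layout, the in-memory `USERS` table and the `FakeLdap` bind are constructed stand-ins (assumptions) for the real modules, and `authenticate_short_circuit` models only the behaviour the reporter supposes base_crypt has, not the module's actual source.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Stored-hash layout used by this example (an assumption, not base_crypt's):
#   pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
_PREFIX = "pbkdf2_sha256"
_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a salted, one-way PBKDF2 hash of the password.

    Once this replaces the clear value, nobody with database access can read
    the password back; an administrator can only set a new one.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    return f"{_PREFIX}${_ITERATIONS}${salt.hex()}${digest.hex()}"


def reset_password(users: Dict[str, str], login: str, new_password: str) -> str:
    """What the administrator does instead of 'recovering' a hashed password."""
    users[login] = hash_password(new_password)
    return users[login]


def verify_local(stored: str, candidate: str) -> bool:
    """Step 1 of the bug report: check against the (possibly hashed) DB value."""
    if not stored or not candidate:
        return False  # empty stored value means no local password at all
    if not stored.startswith(_PREFIX + "$"):
        # Legacy clear-text row, the default the thread argues against.
        return hmac.compare_digest(stored.encode(), candidate.encode())
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


class FakeLdap:
    """Constructed stand-in for an LDAP simple bind; a real module would bind
    against the directory server instead of looking in a dict."""

    def __init__(self, directory: Dict[str, str]) -> None:
        self._directory = directory

    def bind(self, login: str, password: str) -> bool:
        # Refuse the empty password: many servers treat it as an anonymous
        # bind that "succeeds" without checking anything.
        if not password:
            return False
        return self._directory.get(login) == password


def authenticate(login: str, password: str,
                 users: Dict[str, str], ldap: FakeLdap) -> Optional[str]:
    """Order the bug report asks for: local hash, then LDAP, then refuse.

    Returns the source that accepted the login ("local" or "ldap"), or None.
    """
    if verify_local(users.get(login, ""), password):
        return "local"
    if ldap.bind(login, password):
        return "ldap"
    return None


def authenticate_short_circuit(login: str, password: str,
                               users: Dict[str, str], ldap: FakeLdap) -> Optional[str]:
    """Model of the behaviour the reporter describes: a failed local check ends
    the login, so LDAP users (who have no local password) can never get in."""
    return "local" if verify_local(users.get(login, ""), password) else None


# Constructed sample data standing in for res_users rows (assumption).
USERS: Dict[str, str] = {
    "admin": hash_password("s3cret-admin"),  # local user, hashed on creation
    "jdoe": "",                               # LDAP-only user, no local password
    "legacy": "clear-text-pw",                # row still stored in the clear
}
LDAP = FakeLdap({"jdoe": "jdoe-ldap-pw"})


if __name__ == "__main__":
    for who, pw in [("admin", "s3cret-admin"), ("jdoe", "jdoe-ldap-pw"),
                    ("legacy", "clear-text-pw"), ("jdoe", "")]:
        print(f"{who:7s} chain={authenticate(who, pw, USERS, LDAP)!s:6s} "
              f"short-circuit={authenticate_short_circuit(who, pw, USERS, LDAP)}")
```

Running the file shows the difference the reporter hit: `jdoe` logs in through the chained order but is refused by the short-circuit order, while `admin` works in both. The comparisons go through `hmac.compare_digest` so a wrong candidate costs the same time as a right one, and the empty password is rejected before it ever reaches the LDAP bind.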

