c2c-oerpscenario team mailing list archive
-
c2c-oerpscenario team
-
Mailing list archive
-
Message #24625
[Bug 738721] Re: base_crypt and users_ldap don't work together
Hello all.
@oliver: IMHO rvalyi is right, but i only want to add some formal
document of "BEst Practices".
Here the policies of the university of tenesee:
http://security.tennessee.edu/pdfs/PBP.pdf
In page 4 Section: "PROTECTION OF PASSWORDS" item 6:
"Passwords must not be stored in any location where unauthorized
individuals might discover or obtain them."
If we store in any case uncrypted the password we are by default braking
the principle.
I have some experience selling OpenERP idea to medium business where
this policy that OpenERP has by default give a bad impresion.
Let me show you an user case:
IT manager Is an Strong Confidence Person, he has 3 Technicians that
have access to server in one or another way, he need to be sure that
they can not see without supervision some important information, he
mantain PSql password with him, root server password with him, but for a
development enviroment he share a copy of database blocked with some
data, He needs that his programmers work with an eviroment than closest
as possible with real enviroment, he will share res_user data, Don't you
think is better if he is not worried about change passwords in db???
As this case we can have a lot, You imagine an enviroment of 300-3000
Users, with internal or external IT people, I think is real that the
REAL USED password NEVER can be managed by IT guys, even if they have
access to Postgres, because you are compromising several, several
sensible information......
Even the simplest reference _WIKIPEDIA_
"http://en.wikipedia.org/wiki/Password_policy":
It says:
"never write down a password"
"never telling a password to anyone, including people who claim to be from customer service or security"
In this 2 case at least your IT guys will have access to password itself
and not one -ALL- passwords..... we are broking this rules.
Another reference "US Department of energy":
http://security.fnal.gov/UserGuide/password.htm
It says:
"Don't leave passwords where others can find them;"
With uncrypted passwords at least ALL your IT guys can find it!
"Store passwords securely;"
In plain text this is unsecure.
And for best practices of market:
---Almost none serious system propose by default the more unsecure
option of deploy them application.---
BTW.
If the boss want receive support from an IT person, it can ask for
"Change " the password, NEVER share his password, if an IT guy want to
broke system changing password almost "INMEDIATLY" supervisor will look
that it change because his sesion will be broken inmediatly....
My 0.02Bs-.
Thanks
--
You received this bug notification because you are a member of C2C
OERPScenario, which is subscribed to the OpenERP Project Group.
https://bugs.launchpad.net/bugs/738721
Title:
base_crypt and users_ldap don't work together
Status in OpenERP Modules (addons):
Confirmed
Bug description:
I installed and configured users_ldap so that all of my users can login using their credentials stored in OpenLDAP, which worked fine. Then I installed base_crypt (with the intention of all other passwords in the db, for non-ldap-users like 'admin') being encrypted. However, this prevents all LDAP users from logging in.
I suppose that base_crypt tries to authenticate the user and if this fails, login fails, without users_ldap trying to authenticate. I think this behaviour should be changed towards:
1. Check whether user can login using the (possibly encrypted) password in the database.
2. If not, check whether user can login using the LDAP password.
3. If now, refuse access.
Right now, the second step seems to be omitted when base_crypt is used.
References