
c2c-oerpscenario team mailing list archive

Re: [Bug 738721] Re: base_crypt and users_ldap don't work together


+1 for Raphael as well

We also believe the system login should support multifactor
authentication (e.g. OTP, one-time passwords); see the C2C work done
with the YubiKey in v5. Especially since database login information is
readily available in config files by default, although this file is
typically hardened prior to deployment.

It should be under the philosophy of TNO (Trust No One), e.g. the
YubiHSM hardware key or OTP.

In a related topic as well: all bank accounts except the last 4
digits of an account should also be encrypted and masked too. Alas,
that is another topic.

Maybe a nice section in the doc on "recommendations to secure your
environment" might be appreciated by the general OpenERP public.

David Mitchell
President
NovaPoint Group LLC

On Thu, May 19, 2011 at 3:05 AM, Simone Orsi - Domsense
<738721@xxxxxxxxxxxxxxxxxx> wrote:
> Raphael +1
>
> My opinion is: encrypted password should be the default, clear password
> should be an option.
>
> --
> You received this bug notification because you are a member of OpenERP
> Drivers, which is subscribed to OpenERP Addons.
> https://bugs.launchpad.net/bugs/738721
>
> Title:
>  base_crypt and users_ldap don't work together
>
> Status in OpenERP Modules (addons):
>  Confirmed
>
> Bug description:
>  I installed and configured users_ldap so that all of my users can login using their credentials stored in OpenLDAP, which worked fine. Then I installed base_crypt (with the intention of all other passwords in the db, for non-ldap-users like 'admin') being encrypted. However, this prevents all LDAP users from logging in.
>  I suppose that base_crypt tries to authenticate the user and if this fails, login fails, without users_ldap trying to authenticate. I think this behaviour should be changed towards:
>   1. Check whether user can login using the (possibly encrypted) password in the database.
>   2. If not, check whether user can login using the LDAP password.
>   3. If not, refuse access.
>  Right now, the second step seems to be omitted when base_crypt is used.
>

-- 
You received this bug notification because you are a member of C2C
OERPScenario, which is subscribed to the OpenERP Project Group.
https://bugs.launchpad.net/bugs/738721

