c2c-oerpscenario team mailing list archive

Re: [Bug 738721] Re: base_crypt and users_ldap don't work together

 

Guys,

As a comment, I'm thinking the only password that might be allowed to be
clear should be the admin password.
Indeed recovering a crypted admin password sucks, you have to generate an
SHA1 and put it in the database or something like this.
Now, the only way to recover the admin password is to access the database
anyway, so I mean then you can read all ERP info, so having it clear is not
a big deal.
Plus the admin password will hardly be the one I'm using for my GMail account,
something that might not be true for the average employee.
Finally, if database access can give you the admin password, that's still a
lot better if you cannot read the employees' passwords and should rather
reset them to some default value, using the administration of OpenERP till
people set a personal password.
What do you think about that?
So still no chance OpenERP gets encrypted passwords by default in v6.1? Do
you really choose to keep the real entry barrier as high while you are also
spending on the marketing to make new entrants believe it's simpler than in
the meantime? How consistent is that? We see here many integrators voting
for encryption by default, can all you other folks who think otherwise
defend your point here to give some credit to this choice we don't
understand?


On Thu, May 19, 2011 at 3:58 PM, Carlos @ smile.fr <
738721@xxxxxxxxxxxxxxxxxx> wrote:

> +1 Raphael
> with a functionality to send a new password by mail
>
> --
> You received this bug notification because you are a member of OpenERP
> Drivers, which is subscribed to OpenERP Addons.
> https://bugs.launchpad.net/bugs/738721
>
> Title:
>  base_crypt and users_ldap don't work together
>
> Status in OpenERP Modules (addons):
>   Confirmed
>
> Bug description:
>  I installed and configured users_ldap so that all of my users can login
> using their credentials stored in OpenLDAP, which worked fine. Then I
> installed base_crypt (with the intention of all other passwords in the db,
> for non-ldap-users like 'admin') being encrypted. However, this prevents all
> LDAP users from logging in.
>  I suppose that base_crypt tries to authenticate the user and if this
> fails, login fails, without users_ldap trying to authenticate. I think this
> behaviour should be changed towards:
>   1. Check whether user can login using the (possibly encrypted) password
> in the database.
>   2. If not, check whether user can login using the LDAP password.
>   3. If not, refuse access.
>  Right now, the second step seems to be omitted when base_crypt is used.
>
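
The login order proposed in the quoted bug description, as an added sketch that is not part of the original thread and is not OpenERP, base_crypt or users_ldap code. The function names, the salted PBKDF2 storage format and the in-memory `DB` / `fake_ldap_bind` stand-ins are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch


def hash_password(password, salt=None):
    """Return 'salt$digest' (hex). Assumed format, not base_crypt's own scheme."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def check_local(stored, password):
    """Step 1: verify against the database value; False when none is stored."""
    if not stored or "$" not in stored:
        return False
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def login(user, password, db, ldap_bind):
    """Steps 1-3: local check, then LDAP, then refuse."""
    if not password:
        # Many LDAP servers treat a simple bind with an empty password as an
        # unauthenticated bind that succeeds, so it must never reach step 2.
        return False
    if check_local(db.get(user), password):
        return True
    return bool(ldap_bind(user, password))  # step 2; False here is step 3


def login_local_only(user, password, db):
    """The reported behaviour: a failed local check ends the login."""
    return check_local(db.get(user), password)


# Constructed sample data: 'admin' has a local hash, 'alice' lives only in LDAP.
DB = {"admin": hash_password("admin-secret"), "alice": None}
DIRECTORY = {"alice": "ldap-secret"}


def fake_ldap_bind(user, password):
    """Stand-in for a directory bind; mimics empty-password binds succeeding."""
    return password == "" or DIRECTORY.get(user) == password
```
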
