c2c-oerpscenario team mailing list archive

["Tobias G. Pfeiffer" <tgpfeiffer@xxxxxx>]

Hi folks,

while this is not the point of the actual bug report, I'm pretty much surprised that some people are actually arguing *for* having cleartext passwords (in particular the admin one's) in the database. I assumed that there is no discussion about this being an absolute no-go for *any* application.
If a website stores its users' passwords in cleartext, that's a reason for me not to register there. What Linux distribution do you know that stores cleartext credentials of the system users in /etc/passwd or /etc/shadow? Where would you expect to be able to get your forgotten password back from the admin by a phone call?

In short: Do *never ever* store any cleartext passwords in the database.
This might make base_crypt superfluous and base_ldap should work just as
before.

Tobias

-- 
You received this bug notification because you are a member of C2C
OERPScenario, which is subscribed to the OpenERP Project Group.
https://bugs.launchpad.net/bugs/738721

Title:
  base_crypt and users_ldap don't work together

Status in OpenERP Modules (addons):
  Confirmed

Bug description:
  I installed and configured users_ldap so that all of my users can login using their credentials stored in OpenLDAP, which worked fine. Then I installed base_crypt (with the intention of all other passwords in the db, for non-ldap-users like 'admin') being encrypted. However, this prevents all LDAP users from logging in.
  I suppose that base_crypt tries to authenticate the user and if this fails, login fails, without users_ldap trying to authenticate. I think this behaviour should be changed towards:
   1. Check whether user can login using the (possibly encrypted) password in the database.
   2. If not, check whether user can login using the LDAP password.
   3. If now, refuse access.
  Right now, the second step seems to be omitted when base_crypt is used.