c2c-oerpscenario team mailing list archive

Thread
Date

[Bug 738721] Re: base_crypt and users_ldap don't work together

To: c2c-oerpscenario@xxxxxxxxxxxxxxxxxxx
From: "Cristian Salamea \(Gnuthink\)" <ovnicraft@xxxxxxxxx>
Date: Thu, 19 May 2011 22:45:34 -0000
Reply-to: Bug 738721 <738721@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Hello, first off all, this bug is confirmed, now i want to ask to OpenERP SA,
how is consider the password management in your roadmap? (please be explicit here)

To make my comment i need highlight,

Keypoints:
- Community point of view about need password encrypted by default in system and necessary in 6.1 as default
- Links and info (around the world) about password management, i think this don't need discuss
- OpenERP SA position about plaintext password in system is not a problem just a choice by users and keep their point in easy recovery password.

My comment goes in this way:

OpenERP need takes more professional techniques to work in some areas
(security now) this system is an ERP, in another hand nobody support
your position about keep as plaintext the password so we need understand
what implies this:

Create a Password management and this must includes:
* Encrpyted storage
* Recovery passwords
* blacklist passwords
* password sync
* lifetime password
* schedule password changes

Please consider all info about community i am completely agree @Rvalyi
and all people in this tread, maybe your point is good but our
suggestion is better/clear/best practice/a real security solution.

Regards,

--
You received this bug notification because you are a member of C2C
OERPScenario, which is subscribed to the OpenERP Project Group.
https://bugs.launchpad.net/bugs/738721

Title:
base_crypt and users_ldap don't work together

Status in OpenERP Modules (addons):
Confirmed

Bug description:
I installed and configured users_ldap so that all of my users can login using their credentials stored in OpenLDAP, which worked fine. Then I installed base_crypt (with the intention of all other passwords in the db, for non-ldap-users like 'admin') being encrypted. However, this prevents all LDAP users from logging in.
I suppose that base_crypt tries to authenticate the user and if this fails, login fails, without users_ldap trying to authenticate. I think this behaviour should be changed towards:
1. Check whether user can login using the (possibly encrypted) password in the database.
2. If not, check whether user can login using the LDAP password.
3. If now, refuse access.
Right now, the second step seems to be omitted when base_crypt is used.

Follow ups

Re: [Bug 738721] Re: base_crypt and users_ldap don't work together
From: Graeme Gellatly, 2011-05-20

References

[Bug 738721] [NEW] base_crypt and users_ldap don't work together
From: Tobias G. Pfeiffer, 2011-03-20