openerp-community team mailing list archive

Thread
Date

Re: lp:~openerp-community/openobject-addons/stefan-therp_lp794450 into lp:openobject-addons

To: mp+63831@xxxxxxxxxxxxxxxxxx
From: "Olivier Dony \(OpenERP\)" <odo@xxxxxxxxxxx>
Date: Fri, 10 Jun 2011 21:46:29 -0000
In-reply-to: <4DF28524.9010004@therp.nl>
Reply-to: mp+63831@xxxxxxxxxxxxxxxxxx
Sender: bounces@xxxxxxxxxxxxx

On 06/10/2011 10:57 PM, Stefan Rijnhart (Therp) wrote:
> LDAPv3 allows for unauthorized access when no bind is performed [1]. 
> Although [2] describes how compatibility with other versions of the 
> protocol can be improved by anonymous binding, the only candidate LDAP 
> version 2 was retired in 2003. Following rfc4513, I leave the code to 
> query the LDAP server in the implied unauthorized state without 
> performing the bind.

Thanks for the details, it definitely looks like the default binding is
indeed anonymous, and calling explicitly bind() is not required.
And if this works with OpenLDAP, we've got all the confirmation we need.
I guess the python-ldap doc is simply inaccurate.

> With regards to Unauthenticated Authentication, this is provided for 
> trace purposes only and is considered something which client application 
> developers should protect themselves against using, as it is too easy to 
> mistake such a bind featuring the actual user name for a succesful 
> authentication [3]

Indeed we've been bitten by this in OpenERP before, and have an explicit
check for blank passwords now on the user authentication. So you're
right, unauthenticated mode is irrelevant.

> Of course, there is SASL as an honourable authentication mechanism
> but it is somewhat out of scope for this particular effort.

I certainly agree.

> I will therefore not display a selection of options, but leave the
> checkbox.

One more thing occurs to me: since anonymous authentication basically
means empty name and password, why not simplify the code and the patch
by just removing the "required" flag on these fields? With clear
tooltips on the fields, indicating that they should be left empty for
anonymous binding, it should be pretty intuitive, don't you think?
This also removes the need for an explicit boolean field that is a bit
orthogonal with the binddn/password fields. And before calling bind()
you can test ldap_binddn instead of the flag...

Thoughts?

-- 
https://code.launchpad.net/~openerp-community/openobject-addons/stefan-therp_lp794450/+merge/63831
Your team OpenERP Community is subscribed to branch lp:~openerp-community/openobject-addons/stefan-therp_lp794450.

Follow ups

Re: lp:~openerp-community/openobject-addons/stefan-therp_lp794450 into lp:openobject-addons
From: Stefan Rijnhart (Therp), 2011-06-11

References

Re: lp:~openerp-community/openobject-addons/stefan-therp_lp794450 into lp:openobject-addons
From: Stefan Rijnhart (Therp), 2011-06-10