openerp-community team mailing list archive
Message #00486
[Merge] lp:~ibeardslee/openobject-addons/users_ldap-tls into lp:~openerp-community/openobject-addons/stefan-therp_lp794584
Ian Beardslee has proposed merging lp:~ibeardslee/openobject-addons/users_ldap-tls into lp:~openerp-community/openobject-addons/stefan-therp_lp794584.
Requested reviews:
OpenERP Community (openerp-community)
For more details, see:
https://code.launchpad.net/~ibeardslee/openobject-addons/users_ldap-tls/+merge/71131
Changes to users_ldap to allow connections to a server requiring STARTTLS.
Changes in:
* users_ldap/users_ldap_view.xml to allow the views in the interface.
* users_ldap/users_ldap.py to create the new database field (ldap_tls), collect that field in the query and to get the application to connect with STARTTLS if the value is true.
* users_ldap/__openerp__.py to describe the Configuration and Security Considerations.
This has NOT been tested against a non-STARTTLS LDAP server.
--
https://code.launchpad.net/~ibeardslee/openobject-addons/users_ldap-tls/+merge/71131
Your team OpenERP Community is requested to review the proposed merge of lp:~ibeardslee/openobject-addons/users_ldap-tls into lp:~openerp-community/openobject-addons/stefan-therp_lp794584.
=== modified file 'users_ldap/__openerp__.py'
--- users_ldap/__openerp__.py 2011-06-15 17:36:15 +0000
+++ users_ldap/__openerp__.py 2011-08-11 00:48:35 +0000
@@ -49,6 +49,12 @@
LDAP account that is used to verify if a user exists before
attempting to authenticate it.
+Securing the connection with STARTTLS is available for LDAP
+servers support STARTTLS. The default is to require STARTTLS.
+Configuration of the LDAP connection (certificates etc) should
+be done through ``/etc/ldap/ldap.conf`` (or distribution
+specific location).
+
Security Considerations
+++++++++++++++++++++++
Users' LDAP passwords are never stored in the OpenERP database,
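Review bot: the added sentence "Securing the connection with STARTTLS is available for LDAP servers support STARTTLS" is missing a word; suggest "for LDAP servers that support STARTTLS". The following sentence, "The default is to require STARTTLS", reads as a module-wide guarantee, whereas in this branch it is the default value of a per-company checkbox that an administrator can untick; the documentation should say so, and should state what happens when the box is ticked against a server without STARTTLS support (the bind fails rather than falling back to cleartext), which the proposal itself notes is untested. Since certificate handling is delegated to ``/etc/ldap/ldap.conf``, it is worth naming the settings that matter there (TLS_CACERT and TLS_REQCERT) so that a deployment does not end up encrypting to an unverified server.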
@@ -77,6 +83,9 @@
always fails and the LDAP server is queried to do the
authentication.
+Enabling STARTTLS ensures that the authentication query to the
+LDAP server is encrypted.
+
User Template
+++++++++++++
In the LDAP configuration on the Company form, it is possible to
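Review bot: "Enabling STARTTLS ensures that the authentication query to the LDAP server is encrypted" slightly overstates what the option does: the protection is only as strong as the certificate verification configured in ldap.conf, and with the box unticked both the directory search bind and the user's password bind go over the wire in cleartext. Suggest wording it as "both the directory search and the user bind are sent over TLS once start_tls_s succeeds", and adding a sentence telling administrators to leave the option enabled unless the LDAP server is reached over a trusted local path.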
=== modified file 'users_ldap/users_ldap.py'
--- users_ldap/users_ldap.py 2011-07-27 22:03:38 +0000
+++ users_ldap/users_ldap.py 2011-08-11 00:48:35 +0000
@@ -50,7 +50,8 @@
args = []
cr.execute("""
SELECT id, company, ldap_server, ldap_server_port, ldap_binddn,
- ldap_password, ldap_filter, ldap_base, "user", create_user
+ ldap_password, ldap_filter, ldap_base, "user", create_user,
+ ldap_tls
FROM res_company_ldap
WHERE ldap_server != '' """ + id_clause + """ ORDER BY sequence
""", args)
@@ -94,6 +95,8 @@
if results and len(results) == 1:
dn = results[0][0]
conn = self.connect(conf)
+ if conf['ldap_tls']:
+ conn.start_tls_s()
conn.simple_bind_s(dn, password)
conn.unbind()
entry = results[0]
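Review bot: ``conn.start_tls_s()`` can raise an ldap.LDAPError subclass (server without STARTTLS support, failed certificate check) before ``simple_bind_s`` is reached, so the surrounding handler needs to treat that as a failed login and log it distinctly from a bad password; the hunk does not show the except clause, please confirm it catches ldap.LDAPError rather than ldap.INVALID_CREDENTIALS only. The ``conn.unbind()`` on the following line is also skipped on that path, as it already is for a bind failure. Rather than repeating the ``if conf['ldap_tls']: conn.start_tls_s()`` pair at each call site, consider moving it into ``self.connect(conf)`` so that any future caller of connect() gets STARTTLS by default.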
@@ -131,6 +134,8 @@
logger = logging.getLogger('orm.ldap')
try:
conn = self.connect(conf)
+ if conf['ldap_tls']:
+ conn.start_tls_s()
conn.simple_bind_s(conf['ldap_binddn'] or '',
conf['ldap_password'] or '')
results = conn.search_st(conf['ldap_base'], ldap.SCOPE_SUBTREE,
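Review bot: this is the second copy of the ``if conf['ldap_tls']: conn.start_tls_s()`` block and the same caveats apply as in the user-bind path. Here the call sits inside the try block, so a STARTTLS failure reaches the existing except and is logged under orm.ldap, which is good; it would also help operators if the code logged (at info level) when ldap_tls is false and the search bind is about to go out in cleartext, so that a misconfigured company entry is visible without reading the database. Factoring the STARTTLS step into connect() removes the duplication.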
@@ -211,12 +216,15 @@
help="Model used for user creation"),
'create_user': fields.boolean('Create user',
help="Create the user if not in database"),
+ 'ldap_tls': fields.boolean('Use TLS',
+ help="Use STARTTLS to connect to the LDAP server"),
}
_defaults = {
'ldap_server': '127.0.0.1',
'ldap_server_port': 389,
'sequence': 10,
'create_user': True,
+ 'ldap_tls': True,
}
CompanyLDAP()
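Review bot: the field label 'Use TLS' and its help text 'Use STARTTLS' describe the same thing with different names; suggest labelling it 'Use STARTTLS' so an administrator does not assume it covers ldaps:// on port 636, which this branch does not add. The help text could also mention that certificate settings come from ldap.conf. Defaulting to True for new records is the right choice and matches the added documentation.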
=== modified file 'users_ldap/users_ldap_view.xml'
--- users_ldap/users_ldap_view.xml 2011-06-22 10:21:18 +0000
+++ users_ldap/users_ldap_view.xml 2011-08-11 00:48:35 +0000
@@ -20,12 +20,14 @@
<field name="user"/>
<newline/>
<field name="sequence"/>
+ <field name="ldap_tls"/>
</form>
<tree string="LDAP Configuration">
<field name="sequence"/>
<field name="ldap_server"/>
<field name="ldap_server_port"/>
<field name="ldap_base"/>
+ <field name="ldap_tls"/>
</tree>
</field>
</xpath>
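Review bot: the checkbox is placed after ``sequence`` on the form, away from ``ldap_server`` and ``ldap_server_port``; grouping it with the connection settings lets an administrator read "server, port, STARTTLS" as one unit. Exposing it in the tree view is useful because any company entry with STARTTLS turned off is then visible at a glance. No structural issues with the XML.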