
openerp-community team mailing list archive

Re: lp:~ibeardslee/openobject-addons/users_ldap-tls into lp:openobject-addons


Hi Olivier,

Excellent.

But hmmm I do disagree, at least on a philosophical level rather than a
practical level.  Security should be opt-out rather than opt-in.

Part of the process of people doing the upgrade should be testing that
people can login to the system.  Not connecting because of the TLS setting
should be picked up in that process.  At that point they can change the
setting.

People asking why there is no encryption on the authentication is probably
a good thing for a system that holds the sort of data that an ERP system
would do.  Having to change the setting from being enabled highlights a
'broken' LDAP server .. yes there could be debate whether un-encrypted
authentication is broken or not :)

From our point of view, and why I scratched the itch of getting the TLS
support was that I couldn't connect to our LDAP server when testing
OpenERP.  Our LDAP is locked down, and would ONLY allow connections via
SSL or TLS.  For us, it is just a single tick box to 'fix'.

One of our next steps is to deal with the encryption of the database
connection.

However, as much as I disagree, yes on a practical level it does make some
sense.

Thanks for the help.

Cheers,
Ian


On Thu, November 10, 2011 4:30 am, Olivier Dony (OpenERP) wrote:
> Ian, Stefan,
>
> I've just merged this branch in trunk, so it will be included in v6.1.
>
> After re-testing with a TLS-disabled LDAP server, I changed the default
> for the TLS flag to be off, and updated the module description and
> tooltips accordingly, for two main reasons:
>  - When TLS is enabled but not supported by the LDAP server, all login
> attempts silently fail, with the diagnostics for the failure only visible
> in the server logs. This is fine, because end-users shouldn't be exposed
> to the technical reasons for their failed login, but will be a source of
> issues for users with non-TLS LDAP servers. It will for example prevent
> login for all existing LDAP users after an upgrade to 6.1 if they don't
> have TLS available (as it will be enabled automatically).
>  - Most of the time the LDAP server is located within a restricted part of
> a company's network, so communication between OpenERP and the LDAP occurs
> on a relatively safe segment, mitigating the risk of not using TLS even
> when it is available.
>
> Based on the above, I think having TLS as opt-in is better than opt-out,
> at least for 6.1. I hope you agree, or at least understand my point of
> view...
>
> Thanks again for your great work!
> --
> https://code.launchpad.net/~ibeardslee/openobject-addons/users_ldap-tls/+merge/71837
> Your team OpenERP Community is subscribed to branch
> lp:~openerp-community/openobject-addons/stefan-therp_lp794584.
>


-- 
https://code.launchpad.net/~ibeardslee/openobject-addons/users_ldap-tls/+merge/71837
Your team OpenERP Community is subscribed to branch lp:~openerp-community/openobject-addons/stefan-therp_lp794584.
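The failure mode Olivier describes (TLS flag on, LDAP server without StartTLS, every login silently failing with the reason visible only in the server log) is easiest to catch with an explicit probe run before the flag is changed. The following is an added example, not code from the OpenERP users_ldap module; it assumes the python-ldap API (ldap.initialize, start_tls_s, simple_bind_s) and includes a constructed fake connection so it runs offline.

```python
import logging
log = logging.getLogger("ldap_tls_probe")

# Outcomes an administrator can act on, instead of a silent login failure.
TLS_OK = "tls_ok"                              # StartTLS negotiated, bind succeeded
TLS_UNSUPPORTED = "tls_unsupported"            # server refused the StartTLS request
TLS_HANDSHAKE_FAILED = "tls_handshake_failed"  # e.g. untrusted or expired certificate
BAD_CREDENTIALS = "bad_credentials"            # transport fine, bind DN/password wrong
BIND_OK_PLAINTEXT = "bind_ok_plaintext"        # worked, but credentials crossed in clear

def _python_ldap_connect(uri):
    import ldap  # python-ldap (assumed API), imported lazily so the probe loads without it
    conn = ldap.initialize(uri)
    conn.protocol_version = ldap.VERSION3
    return conn

def probe_ldap_tls(uri, bind_dn, password, use_tls=True, connect=_python_ldap_connect):
    """Run the steps a TLS-enabled login uses and report which one failed. python-ldap
    raises exception classes named after the LDAP result code, so step + name suffice."""
    stage = "connect"
    try:
        conn = connect(uri)
        if use_tls:
            stage = "starttls"
            conn.start_tls_s()  # upgrade the socket before any credential is sent
        stage = "bind"
        conn.simple_bind_s(bind_dn, password)
        conn.unbind_s()
        return TLS_OK if use_tls else BIND_OK_PLAINTEXT
    except Exception as exc:
        kind = type(exc).__name__
        log.warning("LDAP probe of %s failed during %s: %s %s", uri, stage, kind, exc)
        if stage == "starttls":
            return TLS_HANDSHAKE_FAILED if kind == "CONNECT_ERROR" else TLS_UNSUPPORTED
        if kind == "INVALID_CREDENTIALS":
            return BAD_CREDENTIALS
        raise  # SERVER_DOWN and anything else: surface it rather than guess

class FakeLdapConn:
    """Constructed stand-in for a python-ldap connection, so this runs offline."""
    def __init__(self, starttls_exc=None, valid=("cn=admin,dc=example,dc=org", "s3cret")):
        self.starttls_exc, self.valid = starttls_exc, valid
    def start_tls_s(self):
        if self.starttls_exc:
            raise self.starttls_exc
    def simple_bind_s(self, dn, pw):
        if (dn, pw) != self.valid:
            raise type("INVALID_CREDENTIALS", (Exception,), {})("invalidCredentials (49)")
    def unbind_s(self): pass
```

Against a real server, pass a URI and leave `connect` at its default; a TLS_UNSUPPORTED result before an upgrade is the case where the flag would lock every LDAP user out.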