[MERGE] users_ldap: support for STARTTLS added, courtesy of Ian Beardslee

bzr revid: odo@openerp.com-20111109150536-ll84q6qskmes0nqb
2011-11-09 16:05:36 +01:00 · 2011-11-09 16:05:36 +01:00 · 08ee7f63cf
parent 358818cdd3 6598062577
commit 08ee7f63cf
3 changed files with 22 additions and 2 deletions
--- a/addons/users_ldap/openerp.py
+++ b/addons/users_ldap/openerp.py
@ -50,6 +50,13 @@ anonymous authentication for users, it is only for the master
 LDAP account that is used to verify if a user exists before
 attempting to authenticate it.

+Securing the connection with STARTTLS is available for LDAP
+servers supporting it, by enabling the TLS option in the LDAP
+configuration.
+
+For further options configuring the LDAP settings, refer to the
+ldap.conf manpage :manpage:`ldap.conf(5)`.
+
 Security Considerations
 +++++++++++++++++++++++
 Users' LDAP passwords are never stored in the OpenERP database,
@ -78,6 +85,9 @@ OpenERP database (which means no access), the first step
 always fails and the LDAP server is queried to do the
 authentication.

+Enabling STARTTLS ensures that the authentication query to the
+LDAP server is encrypted.
+
 User Template
 +++++++++++++
 In the LDAP configuration on the Company form, it is possible to
--- a/addons/users_ldap/users_ldap.py
+++ b/addons/users_ldap/users_ldap.py
@ -52,7 +52,8 @@ class CompanyLDAP(osv.osv):
            args = []
        cr.execute("""
            SELECT id, company, ldap_server, ldap_server_port, ldap_binddn,
-                   ldap_password, ldap_filter, ldap_base, "user", create_user
+                   ldap_password, ldap_filter, ldap_base, "user", create_user,
+                   ldap_tls
            FROM res_company_ldap
            WHERE ldap_server != '' """ + id_clause + """ ORDER BY sequence
        """, args)
@ -69,7 +70,11 @@ class CompanyLDAP(osv.osv):

        uri = 'ldap://%s:%d' % (conf['ldap_server'],
                                conf['ldap_server_port'])
-        return ldap.initialize(uri)
+
+        connection = ldap.initialize(uri)
+        if conf['ldap_tls']:
+            connection.start_tls_s()
+        return connection

    def authenticate(self, conf, login, password):
        """
@ -213,6 +218,10 @@ class CompanyLDAP(osv.osv):
            help="Model used for user creation"),
        'create_user': fields.boolean('Create user',
            help="Create the user if not in database"),
+        'ldap_tls': fields.boolean('Use TLS',
+            help="Request secure TLS/SSL encryption when connecting to the LDAP server. "
+                 "This option requires a server with STARTTLS enabled, "
+                 "otherwise all authentication attempts will fail."),
    }
    _defaults = {
        'ldap_server': '127.0.0.1',
--- a/addons/users_ldap/users_ldap_view.xml
+++ b/addons/users_ldap/users_ldap_view.xml
@ -20,6 +20,7 @@
                            <field name="user"/>
                            <newline/>
                            <field name="sequence"/>
+                            <field name="ldap_tls"/>
                        </form>
                        <tree string="LDAP Configuration">
                            <field name="sequence"/>