diff --git a/addons/users_ldap/__openerp__.py b/addons/users_ldap/__openerp__.py
index fad6f7fbe7e..adab3ff892c 100644
--- a/addons/users_ldap/__openerp__.py
+++ b/addons/users_ldap/__openerp__.py
@@ -50,6 +50,13 @@ anonymous authentication for users, it is only for the master
LDAP account that is used to verify if a user exists before
attempting to authenticate it.
+Securing the connection with STARTTLS is available for LDAP
+servers supporting it, by enabling the TLS option in the LDAP
+configuration.
+
+For further options configuring the LDAP settings, refer to the
+ldap.conf manpage :manpage:`ldap.conf(5)`.
+
Security Considerations
+++++++++++++++++++++++
Users' LDAP passwords are never stored in the OpenERP database,
@@ -78,6 +85,9 @@ OpenERP database (which means no access), the first step
always fails and the LDAP server is queried to do the
authentication.
+Enabling STARTTLS ensures that the authentication query to the
+LDAP server is encrypted.
+
User Template
+++++++++++++
In the LDAP configuration on the Company form, it is possible to
diff --git a/addons/users_ldap/users_ldap.py b/addons/users_ldap/users_ldap.py
index 5d77985d250..1ad1b2df104 100644
--- a/addons/users_ldap/users_ldap.py
+++ b/addons/users_ldap/users_ldap.py
@@ -52,7 +52,8 @@ class CompanyLDAP(osv.osv):
args = []
cr.execute("""
SELECT id, company, ldap_server, ldap_server_port, ldap_binddn,
- ldap_password, ldap_filter, ldap_base, "user", create_user
+ ldap_password, ldap_filter, ldap_base, "user", create_user,
+ ldap_tls
FROM res_company_ldap
WHERE ldap_server != '' """ + id_clause + """ ORDER BY sequence
""", args)
@@ -69,7 +70,11 @@ class CompanyLDAP(osv.osv):
uri = 'ldap://%s:%d' % (conf['ldap_server'],
conf['ldap_server_port'])
- return ldap.initialize(uri)
+
+ connection = ldap.initialize(uri)
+ if conf['ldap_tls']:
+ connection.start_tls_s()
+ return connection
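Review bot: `connection.start_tls_s()` negotiates TLS on the new connection, but nothing in the hunk asks for certificate verification, so whether the server certificate is actually checked depends entirely on the libldap `TLS_REQCERT` default from ldap.conf; with a relaxed setting the channel is encrypted but the peer is not authenticated, and the description text added in `__openerp__.py` ("Enabling STARTTLS ensures that the authentication query … is encrypted") and the `ldap_tls` help text in the later hunk both overstate what the option guarantees. Consider enforcing it before the STARTTLS call, `connection.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)` (newer python-ldap builds presumably also need `ldap.OPT_X_TLS_NEWCTX` set to 0 for a per-connection option to take effect — confirm against the installed version), or at least record the dependency with `# Certificate verification follows the ldap.conf TLS_REQCERT setting; nothing here enforces it.` `start_tls_s()` also raises an ldap exception when the server does not offer STARTTLS or the handshake fails, which the help text anticipates as failed authentication; it is worth confirming that the caller catches ldap errors rather than letting them propagate as a traceback. The enclosing connect method starts outside the hunk.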
def authenticate(self, conf, login, password):
"""
@@ -213,6 +218,10 @@ class CompanyLDAP(osv.osv):
help="Model used for user creation"),
'create_user': fields.boolean('Create user',
help="Create the user if not in database"),
+ 'ldap_tls': fields.boolean('Use TLS',
+ help="Request secure TLS/SSL encryption when connecting to the LDAP server. "
+ "This option requires a server with STARTTLS enabled, "
+ "otherwise all authentication attempts will fail."),
}
_defaults = {
'ldap_server': '127.0.0.1',
diff --git a/addons/users_ldap/users_ldap_view.xml b/addons/users_ldap/users_ldap_view.xml
index b055ef2938d..caece7efe8f 100644
--- a/addons/users_ldap/users_ldap_view.xml
+++ b/addons/users_ldap/users_ldap_view.xml
@@ -20,6 +20,7 @@
+