[MERGE] users_ldap: support for anonymous binding at company level

Anonymous binding is enabled by having empty names and password in company LDAP setup. This does NOT permit anonymous binding for user authentication, which is still forbidden. The anonymous access will only be used to query the directory for the existence of the users. Thanks to Stefan Rijnhart for the idea and implementation! bzr revid: odo@openerp.com-20110615173006-4wvzpecqx4doyb4l
2011-06-15 19:30:06 +02:00 · 2011-06-15 19:30:06 +02:00 · 85ad1beebc
parent abb606aa7c 1960be5281
commit 85ad1beebc
1 changed files with 15 additions and 6 deletions
--- a/addons/users_ldap/users_ldap.py
+++ b/addons/users_ldap/users_ldap.py
@ -37,8 +37,12 @@ class CompanyLDAP(osv.osv):
            ondelete='cascade'),
        'ldap_server': fields.char('LDAP Server address', size=64, required=True),
        'ldap_server_port': fields.integer('LDAP Server port', required=True),
-        'ldap_binddn': fields.char('LDAP binddn', size=64, required=True),
-        'ldap_password': fields.char('LDAP password', size=64, required=True),
+        'ldap_binddn': fields.char('LDAP binddn', size=64,
+            help=("The user account on the LDAP server that is used to query "
+                  "the directory. Leave empty to connect anonymously.")),
+        'ldap_password': fields.char('LDAP password', size=64,
+            help=("The password of the user account on the LDAP server that is "
+                  "used to query the directory.")),
        'ldap_filter': fields.char('LDAP filter', size=64, required=True),
        'ldap_base': fields.char('LDAP base', size=64, required=True),
        'user': fields.many2one('res.users', 'Model User',
@ -77,12 +81,15 @@ class users(osv.osv):
            SELECT id, company, ldap_server, ldap_server_port, ldap_binddn, ldap_password,
                   ldap_filter, ldap_base, "user", create_user
            FROM res_company_ldap
-            WHERE ldap_server != '' and ldap_binddn != '' ORDER BY sequence""")
+            WHERE ldap_server != '' ORDER BY sequence""")
        for res_company_ldap in cr.dictfetchall():
            logger.debug(res_company_ldap)
            try:
                l = ldap.open(res_company_ldap['ldap_server'], res_company_ldap['ldap_server_port'])
-                if l.simple_bind_s(res_company_ldap['ldap_binddn'], res_company_ldap['ldap_password']):
+                # An empty binddn means anonymous auth, so it should be replaced w/ an empty string
+                # See LDAP RFC 4513, Section 5.1.1
+                if l.simple_bind_s(res_company_ldap['ldap_binddn'] or '',
+                                   res_company_ldap['ldap_password'] or ''):
                    base = res_company_ldap['ldap_base']
                    scope = ldap.SCOPE_SUBTREE
                    filter = filter_format(res_company_ldap['ldap_filter'], (login,))
@ -150,8 +157,10 @@ class users(osv.osv):
            for res_company_ldap in user.company_id.ldaps:
                try:
                    l = ldap.open(res_company_ldap.ldap_server, res_company_ldap.ldap_server_port)
-                    if l.simple_bind_s(res_company_ldap.ldap_binddn,
-                            res_company_ldap.ldap_password):
+                    # An empty binddn means anonymous auth, so it should be replaced w/ an empty string
+                    # See LDAP RFC 4513, Section 5.1.1
+                    if l.simple_bind_s(res_company_ldap.ldap_binddn or '',
+                                       res_company_ldap.ldap_password or ''):
                        base = res_company_ldap.ldap_base
                        scope = ldap.SCOPE_SUBTREE
                        filter = filter_format(res_company_ldap.ldap_filter, (user.login,))