diff --git a/addons/users_ldap/__openerp__.py b/addons/users_ldap/__openerp__.py
index dca43a474c5..47b3a809ad5 100644
--- a/addons/users_ldap/__openerp__.py
+++ b/addons/users_ldap/__openerp__.py
@@ -49,6 +49,12 @@ anonymous authentication for users, it is only for the master
LDAP account that is used to verify if a user exists before
attempting to authenticate it.
+Securing the connection with STARTTLS is available for LDAP
+servers support STARTTLS. The default is to require STARTTLS.
+Configuration of the LDAP connection (certificates etc) should
+be done through ``/etc/ldap/ldap.conf`` (or distribution
+specific location).
+
Security Considerations
+++++++++++++++++++++++
Users' LDAP passwords are never stored in the OpenERP database,
@@ -77,6 +83,9 @@ OpenERP database (which means no access), the first step
always fails and the LDAP server is queried to do the
authentication.
+Enabling STARTTLS ensures that the authentication query to the
+LDAP server is encrypted.
+
User Template
+++++++++++++
In the LDAP configuration on the Company form, it is possible to
diff --git a/addons/users_ldap/users_ldap.py b/addons/users_ldap/users_ldap.py
index 584dae3da1a..79bf7cb0b85 100644
--- a/addons/users_ldap/users_ldap.py
+++ b/addons/users_ldap/users_ldap.py
@@ -50,7 +50,8 @@ class CompanyLDAP(osv.osv):
args = []
cr.execute("""
SELECT id, company, ldap_server, ldap_server_port, ldap_binddn,
- ldap_password, ldap_filter, ldap_base, "user", create_user
+ ldap_password, ldap_filter, ldap_base, "user", create_user,
+ ldap_tls
FROM res_company_ldap
WHERE ldap_server != '' """ + id_clause + """ ORDER BY sequence
""", args)
@@ -94,6 +95,8 @@ class CompanyLDAP(osv.osv):
if results and len(results) == 1:
dn = results[0][0]
conn = self.connect(conf)
+ if conf['ldap_tls']:
+ conn.start_tls_s()
conn.simple_bind_s(dn, password)
conn.unbind()
entry = results[0]
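Review bot: The new `conn.start_tls_s()` call leaves certificate verification entirely to the host's `ldap.conf`; if that file is missing or sets `TLS_REQCERT` to `allow`/`never`, the upgrade still succeeds against any certificate and the user's password passed to `simple_bind_s` on the next line is exposed to an active man-in-the-middle, so the encryption the module advertises would be only nominal. Pinning the policy in code, e.g. `conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)` before `start_tls_s()` (newer python-ldap may also need `OPT_X_TLS_NEWCTX` for it to take effect), makes the guarantee independent of host configuration; `connect()` is not visible here and may already do this. The same two added lines are repeated in the bind-DN lookup below, and folding them into `connect()` would ensure no future caller binds in cleartext. The enclosing method starts and ends outside this hunk.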
@@ -131,6 +134,8 @@ class CompanyLDAP(osv.osv):
logger = logging.getLogger('orm.ldap')
try:
conn = self.connect(conf)
+ if conf['ldap_tls']:
+ conn.start_tls_s()
conn.simple_bind_s(conf['ldap_binddn'] or '',
conf['ldap_password'] or '')
results = conn.search_st(conf['ldap_base'], ldap.SCOPE_SUBTREE,
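Review bot: The added `start_tls_s()` now sits inside the `try` whose `except` clause is outside this hunk; if that handler is a broad `ldap.LDAPError` catch that logs and returns no results, a STARTTLS failure (server without STARTTLS support, rejected certificate) becomes indistinguishable from "user not found", so a misconfigured or downgraded deployment would look like an ordinary failed login rather than a transport problem. Giving the upgrade its own handler makes the condition visible, e.g. `except ldap.LDAPError, e: logger.error('STARTTLS to %s:%s failed: %s', conf['ldap_server'], conf['ldap_server_port'], e); raise`, so the failure is still fail-closed but operators can tell why. The enclosing method starts and ends outside this hunk.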
@@ -211,12 +216,15 @@ class CompanyLDAP(osv.osv):
help="Model used for user creation"),
'create_user': fields.boolean('Create user',
help="Create the user if not in database"),
+ 'ldap_tls': fields.boolean('Use TLS',
+ help="Use STARTTLS to connect to the LDAP server"),
}
_defaults = {
'ldap_server': '127.0.0.1',
'ldap_server_port': 389,
'sequence': 10,
'create_user': True,
+ 'ldap_tls': True,
}
CompanyLDAP()
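Review bot: The `ldap_tls` default on the new `_defaults` line governs records created through the ORM, but whether existing `res_company_ldap` rows are backfilled when the column is added on module update depends on the ORM's column-initialisation behaviour, which is not visible here; if they are left NULL, `conf['ldap_tls']` is falsy and those deployments silently keep binding in cleartext while the manifest states STARTTLS is the default. Worth verifying, or adding an explicit `UPDATE res_company_ldap SET ldap_tls = true WHERE ldap_tls IS NULL` in an init hook so the secure default applies to upgraded installs. The help text on the new field could also name the consequence of unchecking it, e.g. `help="Use STARTTLS to connect to the LDAP server; disabling this sends user passwords in cleartext"`.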
diff --git a/addons/users_ldap/users_ldap_view.xml b/addons/users_ldap/users_ldap_view.xml
index b055ef2938d..7980459a452 100644
--- a/addons/users_ldap/users_ldap_view.xml
+++ b/addons/users_ldap/users_ldap_view.xml
@@ -20,12 +20,14 @@
+
+