From 949fa9cdd89de760d9501f856f6fdbb7c7397327 Mon Sep 17 00:00:00 2001
From: Ian Beardslee
Date: Thu, 11 Aug 2011 12:14:29 +1200
Subject: [PATCH] Adding STARTTLS support to users_ldap

lp bug: https://launchpad.net/bugs/389033 fixed
bzr revid: ian@catalyst.net.nz-20110811001429-j62yn9uz1g2o9j9c
---
 addons/users_ldap/__openerp__.py | 9 +++++++++
 addons/users_ldap/users_ldap.py | 10 +++++++++-
 addons/users_ldap/users_ldap_view.xml | 2 ++
 3 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/addons/users_ldap/__openerp__.py b/addons/users_ldap/__openerp__.py
index dca43a474c5..47b3a809ad5 100644
--- a/addons/users_ldap/__openerp__.py
+++ b/addons/users_ldap/__openerp__.py
@@ -49,6 +49,12 @@ anonymous authentication for users, it is only for the master LDAP account that is used to verify if a user exists before attempting to authenticate it.
+Securing the connection with STARTTLS is available for LDAP
+servers support STARTTLS. The default is to require STARTTLS.
+Configuration of the LDAP connection (certificates etc) should
+be done through ``/etc/ldap/ldap.conf`` (or distribution
+specific location).
+
 Security Considerations +++++++++++++++++++++++ Users' LDAP passwords are never stored in the OpenERP database,
@@ -77,6 +83,9 @@ OpenERP database (which means no access), the first step always fails and the LDAP server is queried to do the authentication.
+Enabling STARTTLS ensures that the authentication query to the
+LDAP server is encrypted.
+
 User Template +++++++++++++ In the LDAP configuration on the Company form, it is possible to
diff --git a/addons/users_ldap/users_ldap.py b/addons/users_ldap/users_ldap.py
index 584dae3da1a..79bf7cb0b85 100644
--- a/addons/users_ldap/users_ldap.py
+++ b/addons/users_ldap/users_ldap.py
@@ -50,7 +50,8 @@ class CompanyLDAP(osv.osv):
 args = []
 cr.execute("""
 SELECT id, company, ldap_server, ldap_server_port, ldap_binddn,
- ldap_password, ldap_filter, ldap_base, "user", create_user
+ ldap_password, ldap_filter, ldap_base, "user", create_user,
+ ldap_tls
 FROM res_company_ldap
 WHERE ldap_server != '' """ + id_clause + """ ORDER BY sequence
 """, args)
@@ -94,6 +95,8 @@ class CompanyLDAP(osv.osv):
 if results and len(results) == 1:
 dn = results[0][0]
 conn = self.connect(conf)
+ if conf['ldap_tls']:
+ conn.start_tls_s()
 conn.simple_bind_s(dn, password)
 conn.unbind()
 entry = results[0]
@@ -131,6 +134,8 @@ class CompanyLDAP(osv.osv):
 logger = logging.getLogger('orm.ldap')
 try:
 conn = self.connect(conf)
+ if conf['ldap_tls']:
+ conn.start_tls_s()
 conn.simple_bind_s(conf['ldap_binddn'] or '',
 conf['ldap_password'] or '')
 results = conn.search_st(conf['ldap_base'], ldap.SCOPE_SUBTREE,
@@ -211,12 +216,15 @@ class CompanyLDAP(osv.osv):
 help="Model used for user creation"),
 'create_user': fields.boolean('Create user',
 help="Create the user if not in database"),
+ 'ldap_tls': fields.boolean('Use TLS',
+ help="Use STARTTLS to connect to the LDAP server"),
 }
 _defaults = {
 'ldap_server': '127.0.0.1',
 'ldap_server_port': 389,
 'sequence': 10,
 'create_user': True,
+ 'ldap_tls': True,
 }
 
 CompanyLDAP()
diff --git a/addons/users_ldap/users_ldap_view.xml b/addons/users_ldap/users_ldap_view.xml
index b055ef2938d..7980459a452 100644
--- a/addons/users_ldap/users_ldap_view.xml
+++ b/addons/users_ldap/users_ldap_view.xml
@@ -20,12 +20,14 @@
+
+
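Review bot: The STARTTLS upgrade is bolted on at the call site, after `conn = self.connect(conf)`, and the same two lines are repeated again in the query hunk below, so any future caller of `connect()` that omits them will send the user's password in clear text on the next `simple_bind_s` line. Moving `if conf['ldap_tls']: conn.start_tls_s()` into `connect()` itself (presumably defined elsewhere in this class, outside the hunk) right after the connection is initialised makes the TLS decision a property of the connection rather than something each caller has to remember. An exception from `start_tls_s()` here is the desired fail-closed outcome, since the bind with the user's password never runs; whatever catches it outside this hunk should report it as a server/configuration error rather than as a failed login. The enclosing method begins and ends outside the hunk.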
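Review bot: `conn.start_tls_s()` encrypts the transport but does not by itself establish who is on the other end; with python-ldap the certificate policy comes from the client library's ldap.conf (`TLS_REQCERT`), which the commit message explicitly delegates to, and on a host where that is `never` or `allow` the upgrade completes against any interposed server and the master bind DN and password go to it on the following `simple_bind_s` line. Pinning the policy in code before the upgrade, e.g. `conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)` (newer python-ldap releases also need `conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)` for per-connection options to take effect), makes the module's security independent of per-host client configuration; `connect()` is not visible here and may already do this, so worth confirming. The `except` clause for this `try` lies outside the hunk; a failed STARTTLS will surface there as an ordinary lookup failure, which is fail-closed but deserves a distinct log message so a misconfigured server is not mistaken for an unknown user.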
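Review bot: The help text for `ldap_tls` should say what the alternative is, because an administrator unticking "Use TLS" is choosing to send the master bind password and every user's password unencrypted on the plain LDAP port; suggest `help="Issue STARTTLS on the LDAP port before binding; if disabled, bind credentials are sent in clear text"`. It would also help to state that this is STARTTLS on the plain port (default 389 per `ldap_server_port`) and not an ldaps:// connection, since the two are easily confused when a server only exposes 636. Defaulting to `True` is the right call; whether existing `res_company_ldap` rows receive that default on upgrade or end up NULL/false and silently stay in clear text depends on the ORM's column-migration behaviour, which is outside this hunk and should be checked.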