users_ldap: LDAP connection not flexible enough (e.g., SSL)

Bug #1020553 reported by Georges Racinet
Affects: Odoo Addons (MOVED TO GITHUB)
Status: Confirmed
Importance: Wishlist
Assigned to: OpenERP R&D Addons Team 1

Bug Description

Only LDAP connections with TLS options are supported.
This makes it impossible to bind on a server that accepts SSL connections only.
users_ldap currently stores in res.company.ldap a host/port pair, which in turn forces it to generate the URI from code (see the code extract below).

The best way to specify a connection would instead be to specify the URI. Otherwise we'll have to re-implement all the variations unthought of one by one, creating useless bloated code, bug reports etc.
Some basic validation of the URI syntax would of course be welcomed.

Besides, having just one field is easier to update if there are many such lines (I have 3 different ones on the same server, for different user templates).

Code extract (method of the users_ldap model; `ldap` is the python-ldap module):

    import ldap

    def connect(self, conf):
        """
        Connect to an LDAP server specified by an ldap
        configuration dictionary.

        :param dict conf: LDAP configuration
        :return: an LDAP object
        """

        # The URI is always built with the plain ldap:// scheme, so an
        # ldaps:// (SSL-only) server cannot be reached from this code.
        uri = 'ldap://%s:%d' % (conf['ldap_server'],
                                conf['ldap_server_port'])

        connection = ldap.initialize(uri)
        if conf['ldap_tls']:
            # STARTTLS upgrade on the plain connection; the only
            # encryption option this code offers.
            connection.start_tls_s()
        return connection

(seen on 6.1-1, 6.1 current HEAD and trunk)

I can of course contribute the direct URI implementation, if there is positive feedback about it, but I'm in immediate need of this, and a bit reluctant to maintain a fork for such a simple change if not convinced it has a chance to be merged one day. I'll solve my immediate problem with a custom addon for now.
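As an added example (not the addon's code and not the reporter's): a URI-based connect() with the basic validation the report asks for, which keeps old host/port rows working and refuses the contradictory "STARTTLS on ldaps://" combination. The res.company.ldap field name ldap_uri is assumed; python-ldap is imported only inside connect(), so the parsing and validation run without it.

```python
from urllib.parse import urlsplit

# Default ports per scheme; ldaps:// is TLS from the first byte, which
# is what an SSL-only server requires.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_ldap_uri(uri):
    """Validate an LDAP URI and return (scheme, host, port).

    Raises ValueError with a reason for anything that is not a
    well-formed ldap:// or ldaps:// URI with a host.
    """
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported scheme %r (want ldap or ldaps)" % parts.scheme)
    if not parts.hostname:
        raise ValueError("LDAP URI has no host: %r" % uri)
    try:
        port = parts.port or DEFAULT_PORTS[scheme]  # .port raises on junk
    except ValueError:
        raise ValueError("invalid port in LDAP URI %r" % uri)
    if parts.username or parts.password:
        # Bind credentials live in their own (protected) fields, not in a URI
        # that ends up in logs and error messages.
        raise ValueError("credentials do not belong in the LDAP URI")
    return scheme, parts.hostname, port


def uri_from_conf(conf):
    """Prefer the (assumed) ldap_uri field; fall back to the legacy
    host/port pair so existing res.company.ldap rows keep working."""
    if conf.get("ldap_uri"):
        return conf["ldap_uri"]
    return "ldap://%s:%d" % (conf["ldap_server"], conf["ldap_server_port"])


def connect(conf):
    """Return an initialized python-ldap connection for a config row."""
    import ldap  # python-ldap; imported lazily so parsing needs no dependency
    uri = uri_from_conf(conf)
    scheme, _host, _port = parse_ldap_uri(uri)
    if scheme == "ldaps" and conf.get("ldap_tls"):
        # STARTTLS on an already-encrypted socket fails; reject the
        # contradictory configuration up front instead of half-working.
        raise ValueError("ldap_tls (STARTTLS) cannot be combined with ldaps://")
    connection = ldap.initialize(uri)
    if conf.get("ldap_tls"):
        connection.start_tls_s()
    return connection
```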

xrg (xrg) wrote : Re: [Bug 1020553] [NEW] users_ldap: LDAP connection not flexible enough (e.g., SSL)

On Tuesday 03 July 2012, you wrote:
> Public bug reported:
>
> Only LDAP connections with TLS options are supported.

According to Wikipedia, anything but TLS is now deprecated:

http://en.wikipedia.org/wiki/Ldap#Protocol_overview

Quote:
> The use of LDAP over SSL was common in LDAP Version 2 (LDAPv2) but it was
> never standardized in any formal specification. This usage has been
> deprecated along with LDAPv2, which was officially retired in 2003.

Georges Racinet (gracinet) wrote :

Being deprecated does not mean that there are not servers around requiring it.

Splitting a connection URI into parts is an unnecessary complication.
It's a bit like requiring to specify an HTTP server with host and port fields, not implementing the https case, building a URL internally to the lib that takes care of the connection. Even if HTTPS gets some day deprecated in the same way, would you do that?

So, agreed, LDAPS is not 100% standard, but it's widespread, because server-side, it's a practical way to be sure nobody will ever attempt to bind on an unencrypted channel.
Why block it with useless code that will need to be maintained if more options appear in the future?

In the immediate need I have, I'm actually the one administrating the ldap server, and that's OpenLDAP 2.4.23. If you know how to enforce once that only TLS is allowed on the public interface and clear-text connections are allowed on the loopback, with enough confidence that encryption is really enforced, I'm interested.

Cheers,

Amit Parik (amit-parik)
Changed in openobject-addons:
assignee: nobody → OpenERP R&D Addons Team 1 (openerp-dev-addons1)
importance: Undecided → Wishlist
status: New → Confirmed
Stefan Rijnhart (Opener) (stefan-opener) wrote :

George,

came across this thread by accident. Without commenting on whether or not the configuration should take an LDAP URI, in order to solve your immediate problem you can have a look at this post:

http://old.nabble.com/Re%3A-Starttls-and-SSL-p30733776.html

It uses the 'ssf' directive in ACLs to force encryption for certain queries over certain interfaces. See http://www.openldap.org/doc/admin23/security.html for an overview of the possible settings of this directive.

Cheers,
Stefan.

Georges Racinet (gracinet) wrote :

Thanks Stefan,

thanks for the pointers, the use of ssf is interesting, indeed, but it behaves exactly as I feared after a quick read of the doc at the time I filed the bug. Quoting that post:

    Warning, this does not prevent clients from sending a password unencrypted,
    it just makes it useless.

Kevin Deldycke (kevin-deldycke-deactivatedaccount) wrote :

My comment may be off-topic, but I had a similar issue regarding SSL LDAP and managed to make it work with a convoluted patch. See this ticket for more information: https://bugs.launchpad.net/openobject-addons/+bug/1083529
