adding SSL support to users_ldap

Bug #389033 reported by LudoRA
Affects: Odoo Addons (MOVED TO GITHUB)
Status: Fix Released
Importance: Wishlist
Assigned to: Ian Beardslee
Milestone: (none listed)

Bug Description

Hi!

I use the users_ldap module. It works with a normal connection. But it doesn't work with a SASL connection (ldaps).


Revision history for this message
Olivier Dony (Odoo) (odo-openerp) wrote :

The current users_ldap does not support ldap (which is LDAP over SSL not SASL), so I am marking this as a wishlist.
All contributions are welcome by the way (please see also http://doc.openerp.com/contribute/15_guidelines/contribution_guidelines.html)

Changed in openobject-addons:
importance: Undecided → Wishlist
status: New → Triaged
Revision history for this message
Fabien (Open ERP) (fp-tinyerp) wrote :

We don't plan to improve this, unless someone is ready to contribute?
If yes, please assign this bug to you.

Changed in openobject-addons:
status: Triaged → Won't Fix
Revision history for this message
Ian Beardslee (ibeardslee) wrote :

The comment by Olivier mentions "users_ldap does not support ldap (which is LDAP over SSL not SASL)" I assume what was meant was "does not support ldaps"?

Following on from the "LDAP over SSL" bit .. according to http://www.openldap.org/faq/data/cache/605.html "ldaps:// is deprecated in favor of Start TLS [RFC2830]."

Although not SASL either, I have made some changes to users_ldap to support Start TLS.

https://code.launchpad.net/~ibeardslee/openobject-addons/users_ldap-tls

Revision history for this message
Olivier Dony (Odoo) (odo-openerp) wrote : Re: [Bug 389033] Re: users_ldap : problem with sasl authentification

On 08/10/2011 01:54 AM, Ian Beardslee wrote:
> The comment by Olivier mentions "users_ldap does not support ldap (which
> is LDAP over SSL not SASL)" I assume what was meant was "does not
> support ldaps"?

You're right I mean "ldaps" of course, too bad Launchpad does not
support editing of comments ;-)

> Following on from the "LDAP over SSL" bit .. according to
> http://www.openldap.org/faq/data/cache/605.html "ldaps:// is deprecated
> in favor of Start TLS [RFC2830]."

Yup, STARTTLS is the standard in most text-based protocols nowadays,
such as SMTP, POP or IMAP - much easier as it does not require setting
up separate ports.

> Although not SASL either, I have made some changes to users_ldap to
> support Start TLS.

I guess the original poster really meant SSL, not SASL...
Thanks for the contribution, I will then change the title of this bug
and assign it to you, and we can move on to review your merge proposal! :-)

summary: - users_ldap : problem with sasl authentification
+ adding SSL support to users_ldap
Changed in openobject-addons:
assignee: nobody → Ian Beardslee (ibeardslee)
status: Won't Fix → Confirmed
Changed in openobject-addons:
status: Confirmed → In Progress
Revision history for this message
Ian Beardslee (ibeardslee) wrote :

I've deleted the branch I started with and recreated it with the same name. The changes I've made are now based on the changes and re-factoring going on in .. lp:~openerp-community/openobject-addons/stefan-therp_lp794584

I do not have a non-TLS enabled LDAP server to test with.

Revision history for this message
Olivier Dony (Odoo) (odo-openerp) wrote :

After doing a final test on a non-TLS LDAP server and fine-tuning the patch accordingly, Ian's patch has just landed on trunk [1], so SSL support will be part of v6.1.

Thanks a lot for your great work and patience, Ian!

[1] rev 5556 rev-id: <email address hidden>

Changed in openobject-addons:
milestone: none → 6.1
status: In Progress → Fix Released
Revision history for this message
Ian Beardslee (ibeardslee) wrote : Re: [Bug 389033] Re: adding SSL support to users_ldap

Thanks Olivier,

Strictly speaking it is STARTTLS support rather than SSL support.

The starttls support was what we were after, and that itch has been
scratched. I might now look at SSL support for those that can't do
STARTTLS. What does Windows AD use to encrypt its authentication?

On Thu, November 10, 2011 6:40 am, Olivier Dony (OpenERP) wrote:
> After doing a final test on a non-TLS LDAP server and fine-tuning the
> patch accordingly, Ian's patch has just landed on trunk [1], so SSL
> support will be part of v6.1.
>
> Thanks a lot for your great work and patience, Ian!
>
> [1] rev 5556 rev-id: <email address hidden>
>
> ** Changed in: openobject-addons
> Status: In Progress => Fix Released
>
> ** Changed in: openobject-addons
> Milestone: None => 6.1
>

Revision history for this message
Olivier Dony (Odoo) (odo-openerp) wrote :

On 11/09/2011 07:49 PM, Ian Beardslee wrote:
> Strictly speaking it is STARTTLS support rather than SSL support.

True, I think we were clear enough about that in tooltips and
description of the feature, although TLS/SSL/STARTTLS terminology is
usually quite confusing for users.

> The starttls support was what we were after, and that itch has been
> scratched. I might now look at SSL support for those that can't do
> STARTTLS. What does Windows AD use to encrypt its authentication?

Don't have any experience with AD settings, but from what I can gather
in MS's KB, it seems that LDAPS is supported at least since Win2000, and
STARTTLS seems to have been added as of Win2003.
YMMV, given Microsoft's track record of bad interoperability with open
standards and products.

- http://support.microsoft.com/kb/321051
- http://support.microsoft.com/kb/959873
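The two modes discussed in this thread (STARTTLS on port 389 versus LDAPS on port 636), as an added example that is not code from users_ldap or OpenERP. It uses python-ldap, which users_ldap builds on; the `mode` setting, the helper names and the CA file argument are assumptions, and the point is that TLS is enforced rather than silently downgraded to cleartext.

```python
"""Added example: open an LDAP connection with STARTTLS or LDAPS via
python-ldap, validating the server certificate and failing closed.
Not code from the users_ldap module; names and settings are assumed."""

LDAP_PORT = 389    # plain port; STARTTLS upgrades this connection in place
LDAPS_PORT = 636   # separate port for LDAP over SSL/TLS (the "ldaps://" scheme)


def ldap_uri(server, port, mode):
    """Return (uri, needs_starttls) for the hypothetical 'mode' setting.

    'starttls' -> ldap:// then upgrade after connect (the thread's change)
    'ldaps'    -> ldaps:// on the dedicated port (what older AD offers)
    'plain'    -> ldap:// with no protection; the bind password travels in clear
    A port of 0 selects the default port for the chosen mode."""
    if mode not in ("plain", "starttls", "ldaps"):
        raise ValueError("unknown TLS mode: %r" % (mode,))
    if mode == "ldaps":
        return "ldaps://%s:%d" % (server, port or LDAPS_PORT), False
    return "ldap://%s:%d" % (server, port or LDAP_PORT), mode == "starttls"


def bind(server, port, mode, binddn, password, cacertfile):
    """Connect, enforce TLS as configured, and simple-bind as binddn.

    Raises ldap.LDAPError instead of falling back to cleartext when the
    server refuses STARTTLS or presents a certificate the CA does not sign."""
    import ldap  # python-ldap; imported here so ldap_uri() stays usable without it

    uri, needs_starttls = ldap_uri(server, port, mode)
    conn = ldap.initialize(uri)
    conn.protocol_version = ldap.VERSION3
    if mode != "plain":
        # Pin the trust anchor and demand a valid certificate; without this
        # any host in the network path could impersonate the directory.
        conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cacertfile)
        conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
        conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)  # apply the options above to this connection
    if needs_starttls:
        conn.start_tls_s()  # must succeed before any credentials are sent
    conn.simple_bind_s(binddn, password)
    return conn
```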

Revision history for this message
Ian Beardslee (ibeardslee) wrote :

There is another setup to the LDAP authentication that isn't using the option to use TLS.

In the Administration Dashboard there is an option to "Setup your LDAP Server". Checking this box takes you to a screen that seems to allow you to configure the LDAP connections.

Entering the details into that screen (View#195) I get an error..
=====
Integrity Error

The operation cannot be completed, probably due to the following:
- deletion: you may be trying to delete a record while other records still reference it
- creation/update: a mandatory field is not correctly set

[object with reference: company - company]
=====

In the logs, I get (after substituting internal information) ..
=====
[2011-11-22 20:05:09,437][?] ERROR:db.cursor:bad query: insert into "res_company_ldap" (id,"ldap_tls","sequence","ldap_password","ldap_base","ldap_binddn","ldap_server","create_user","ldap_server_port","user","ldap_filter",create_uid,create_date) values (4,E'False',10,NULL,E'ldapbase',NULL,E'127.0.0.1',E'True',389,NULL,E'ldapfilter',1,now())
Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.6/openerp/sql_db.py", line 215, in execute
    res = self._obj.execute(query, params)
IntegrityError: null value in column "company" violates not-null constraint
=====

Unless there is an option to choose a company and configure TLS, this "Administration Dashboard" >> "Setup your LDAP Server" setup should be removed.
