On 06/10/2011 10:57 PM, Stefan Rijnhart (Therp) wrote:
> LDAPv3 allows for unauthorized access when no bind is performed [1].
> Although [2] describes how compatibility with other versions of the
> protocol can be improved by anonymous binding, the only candidate LDAP
> version 2 was retired in 2003. Following rfc4513, I leave the code to
> query the LDAP server in the implied unauthorized state without
> performing the bind.
Thanks for the details, it definitely looks like the default binding is indeed anonymous, and calling explicitly bind() is not required. And if this works with OpenLDAP, we've got all the confirmation we need. I guess the python-ldap doc is simply inaccurate.

> With regards to Unauthenticated Authentication, this is provided for
> trace purposes only and is considered something which client application
> developers should protect themselves against using, as it is too easy to
> mistake such a bind featuring the actual user name for a successful
> authentication [3]

Indeed we've been bitten by this in OpenERP before, and have an explicit check for blank passwords now on the user authentication. So you're right, unauthenticated mode is irrelevant.

> Of course, there is SASL as an honourable authentication mechanism
> but it is somewhat out of scope for this particular effort.

I certainly agree.

> I will therefore not display a selection of options, but leave the
> checkbox.

One more thing occurs to me: since anonymous authentication basically means empty name and password, why not simplify the code and the patch by just removing the "required" flag on these fields? With clear tooltips on the fields, indicating that they should be left empty for anonymous binding, it should be pretty intuitive, don't you think? This also removes the need for an explicit boolean field that is a bit orthogonal with the binddn/password fields. And before calling bind() you can test ldap_binddn instead of the flag...

Thoughts?

-- 
https://code.launchpad.net/~openerp-community/openobject-addons/stefan-therp_lp794450/+merge/63831
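As an added example (not code from the merge proposal, from OpenERP or from python-ldap), here are the two checks the reply describes, the blank-password guard on user authentication and testing ldap_binddn instead of a separate flag, written against a constructed fake server so they run offline; the DNs and passwords are made up.

```python
# RFC 4513 5.1.2: a simple bind with a DN but an EMPTY password is an
# "unauthenticated" bind. Servers answer it with success, so code that
# treats "bind did not raise" as "user logged in" accepts a blank password.

try:
    import ldap  # python-ldap, if installed; only its error class is used here
    LDAPError = ldap.LDAPError
except ImportError:
    class LDAPError(Exception):  # stand-in so the example runs without python-ldap
        pass


class FakeLDAPServer:
    """Constructed stand-in for a directory. Like a real server it grants an
    anonymous bind ('' / '') and an unauthenticated bind (DN / '')."""

    def __init__(self, passwords):
        self.passwords = passwords  # constructed: DN -> password
        self.bound_as = None

    def simple_bind_s(self, who="", cred=""):
        if who == "" or cred == "":  # anonymous or unauthenticated: server says OK
            self.bound_as = who
            return
        if self.passwords.get(who) != cred:
            raise LDAPError("invalidCredentials")
        self.bound_as = who


def authenticate_user_naive(conn, user_dn, password):
    """The pattern the reply warns about: bind success is taken as a login."""
    try:
        conn.simple_bind_s(user_dn, password)
    except LDAPError:
        return False
    return True


def authenticate_user(conn, user_dn, password):
    """Hardened: a blank password is rejected before the server is even asked."""
    if not user_dn or not password:
        return False
    return authenticate_user_naive(conn, user_dn, password)


def bind_service_account(conn, binddn="", bindpw=""):
    """Decide on ldap_binddn instead of a boolean flag, as suggested above.
    Blank binddn: stay in the implied anonymous state, no bind() call at all."""
    if not binddn:
        return "anonymous"
    if not bindpw:  # would be an unauthenticated bind, not a service login
        raise ValueError("ldap_binddn is set but the bind password is empty")
    conn.simple_bind_s(binddn, bindpw)
    return "authenticated"
```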