Hi Olivier,

Excellent.

But hmmm I do disagree, at least on a philosophical level rather than a practical level. Security should be opt-out rather than opt-in. Part of the process of people doing the upgrade should be testing that people can login to the system. Not connecting because of the TLS setting should be picked up in that process. At that point they can change the setting. People asking why there is no encryption on the authentication is probably a good thing for a system that holds the sort of data that an ERP system would do. Having to change the setting from being enabled highlights a 'broken' LDAP server .. yes there could be debate whether un-encrypted authentication is broken or not :)

From our point of view, and why I scratched the itch of getting the TLS support, was that I couldn't connect to our LDAP server when testing OpenERP. Our LDAP is locked down, and would ONLY allow connections via SSL or TLS. For us, it is just a single tick box to 'fix'. One of our next steps is to deal with the encryption of the database connection.

However, as much as I disagree, yes on a practical level it does make some sense.

Thanks for the help.

Cheers,
Ian

On Thu, November 10, 2011 4:30 am, Olivier Dony (OpenERP) wrote:
> Ian, Stefan,
>
> I've just merged this branch in trunk, so it will be included in v6.1.
>
> After re-testing with a TLS-disabled LDAP server, I changed the default
> for the TLS flag to be off, and updated the module description and
> tooltips accordingly, for two main reasons:
> - When TLS is enabled but not supported by the LDAP server, all login
> attempts silently fail, with the diagnostics for the failure only visible
> in the server logs. This is fine, because end-users shouldn't be exposed
> to the technical reasons for their failed login, but will be a source of
> issues for users with non-TLS LDAP servers. It will for example prevent
> login for all existing LDAP users after an upgrade to 6.1 if they don't
> have TLS available (as it will be enabled automatically).
> - Most of the time the LDAP server is located within a restricted part of
> a company's network, so communication between OpenERP and the LDAP occurs
> on a relatively safe segment, mitigating the risk of not using TLS even
> when it is available.
>
> Based on the above, I think having TLS as opt-in is better than opt-out,
> at least for 6.1. I hope you agree, or at least understand my point of
> view...
>
> Thanks again for your great work!
> --
> https://code.launchpad.net/~ibeardslee/openobject-addons/users_ldap-tls/+merge/71837
> Your team OpenERP Community is subscribed to branch
> lp:~openerp-community/openobject-addons/stefan-therp_lp794584.
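The pre-upgrade login check Ian describes, and the silent StartTLS failure Olivier describes, can both be caught before the TLS flag is switched on. The script below is an added example, not code from the OpenERP users_ldap module: it reads the server's rootDSE for the StartTLS extension OID and then forces a real StartTLS handshake. It assumes the OpenLDAP `ldapsearch` client is installed; the server URL is a placeholder and the sample LDIF is constructed.

```shell
#!/bin/sh
# Added example, not part of the OpenERP users_ldap module: tell whether an LDAP
# server can take StartTLS before the module's TLS flag is enabled.
# Assumes the OpenLDAP client tool `ldapsearch` is installed.

STARTTLS_OID="1.3.6.1.4.1.1466.20037"   # StartTLS extended operation (RFC 4511)

# Constructed sample rootDSE output, shaped like `ldapsearch -LLL` LDIF, for a dry run.
SAMPLE_ROOTDSE='dn:
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1'

# Returns 0 when the LDIF text in $1 lists the StartTLS OID, 1 otherwise.
ldif_advertises_starttls() {
    printf '%s\n' "$1" | grep -qx "supportedExtension: ${STARTTLS_OID}"
}

# Queries the rootDSE of the ldap:// server at $1 (e.g. ldap://ldap.example.com,
# a placeholder) anonymously, then forces a real StartTLS handshake with -ZZ,
# because a server may advertise the extension yet present a certificate the
# OpenERP host does not trust. Returns 0 only if logins would survive the flag.
check_starttls_support() {
    ldif=$(ldapsearch -x -LLL -H "$1" -s base -b '' supportedExtension 2>&1) || {
        echo "rootDSE query against $1 failed: $ldif" >&2; return 2; }
    ldif_advertises_starttls "$ldif" || {
        echo "$1 does not advertise StartTLS: enabling the TLS flag would block every LDAP login" >&2
        return 1; }
    ldapsearch -x -LLL -ZZ -H "$1" -s base -b '' 1.1 >/dev/null 2>&1 || {
        echo "$1 advertises StartTLS but the handshake failed (certificate trust?)" >&2
        return 3; }
    echo "$1: StartTLS works, the users_ldap TLS flag can be enabled"
}

# Dry run on the constructed sample; pass a URL to check a real server instead.
if [ "$#" -gt 0 ]; then
    check_starttls_support "$1"
else
    ldif_advertises_starttls "$SAMPLE_ROOTDSE" && echo "sample rootDSE advertises StartTLS"
fi
```

A non-zero exit from `check_starttls_support` is the condition under which, per the quoted message, every LDAP login would fail after enabling the flag, so it belongs in the upgrade checklist rather than being discovered from the server logs afterwards.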

