Re: [Openerp-community] [Merge] lp:~openerp-community/openobject-addons/stefan-therp_lp794450 into lp:openobject-addons
On 10-06-11 23:46, Olivier Dony (OpenERP) wrote: One more thing occurs to me: since anonymous authentication basically means empty name and password, why not simplify the code and the patch by just removing the required flag on these fields? With clear tooltips on the fields, indicating that they should be left empty for anonymous binding, it should be pretty intuitive, don't you think? This also removes the need for an explicit boolean field that is a bit orthogonal with the binddn/password fields. And before calling bind() you can test ldap_binddn instead of the flag... Thoughts? Good suggestion, thanks. I have updated the code accordingly. Usability-wise, it seems common to many applications to imply an anonymous connection when the bind DN and password are left unconfigured. Ironically in the light of our previous discussion, an anonymous bind is now performed as I resorted to simply replacing a None value for the bind DN and password with the empty string. You can now even have a harmless unauthenticated authentication if your ldap server allows it by only filling in the bind DN ;-) Cheers, Stefan. -- Therp - Maatwerk in open ontwikkeling Stefan Rijnhart - Ontwerp en implementatie mail: ste...@therp.nl tel: +31 (0) 614478606 web: http://therp.nl https://code.launchpad.net/~openerp-community/openobject-addons/stefan-therp_lp794450/+merge/63831 Your team OpenERP Community is subscribed to branch lp:~openerp-community/openobject-addons/stefan-therp_lp794450. ___ Mailing list: https://launchpad.net/~openerp-community Post to : openerp-community@lists.launchpad.net Unsubscribe : https://launchpad.net/~openerp-community More help : https://help.launchpad.net/ListHelp
Re: [Openerp-community] [Merge] lp:~openerp-community/openobject-addons/stefan-therp_lp794450 into lp:openobject-addons
Review: Approve Excellent! Simple, minimalist, obvious: that's how I like patches served :-) -- https://code.launchpad.net/~openerp-community/openobject-addons/stefan-therp_lp794450/+merge/63831 Your team OpenERP Community is subscribed to branch lp:~openerp-community/openobject-addons/stefan-therp_lp794450. ___ Mailing list: https://launchpad.net/~openerp-community Post to : openerp-community@lists.launchpad.net Unsubscribe : https://launchpad.net/~openerp-community More help : https://help.launchpad.net/ListHelp
Re: [Openerp-community] [Merge] lp:~openerp-community/openobject-addons/stefan-therp_lp794450 into lp:openobject-addons
Review: Needs Information Hello Stefan, Thanks for the nice merge proposal! Your changes make me wonder about a few things, listed below (disclaimer: I haven't tested this, and haven't read the full LDAP RFCs): - It was my understanding that LDAP defines a lot of authentication mechanism (anonymous, user/pass, and even unauthenticated authentication [1]), and as a result prior authentication is always required before any operation can be done in an LDAP session. Your patch seems to remove the initial bind() operation in case anonymous is enabled, while I would have expected you would need to really perform an anonymous bind operation to conform to the protocol? (e.g. bind(who='', cred='') as described in [2]). - The python-ldap documentation also seems to imply that some variation of bind() needs to be called before any operation can be done[3]. Based on this, it looks like the search() performed to verify the user's existence would fail with some LDAP servers, only because no bind() has been done before. - Since LDAP also has other authentication modes, wouldn't it be better to instead display a selection of options, at least with the simple mechanisms: Name/Password, Anonymous, Unauthenticated, implement them accordingly (passing empty who/cred to bind()) and set the appropriate required fields for each (as you did for anonymous). - Out of curiosity, what LDAP server are you using, and with what kind of specific settings? Default settings? Thanks! [1] http://tools.ietf.org/html/rfc4513#section-5.1 [2] http://tools.ietf.org/html/rfc4513#section-5.1.1 [3] http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.simple_bind_s -- https://code.launchpad.net/~openerp-community/openobject-addons/stefan-therp_lp794450/+merge/63831 Your team OpenERP Community is subscribed to branch lp:~openerp-community/openobject-addons/stefan-therp_lp794450. ___ Mailing list: https://launchpad.net/~openerp-community Post to : openerp-community@lists.launchpad.net Unsubscribe : https://launchpad.net/~openerp-community More help : https://help.launchpad.net/ListHelp
Re: [Openerp-community] [Merge] lp:~openerp-community/openobject-addons/stefan-therp_lp794450 into lp:openobject-addons
On 06/10/2011 10:57 PM, Stefan Rijnhart (Therp) wrote: LDAPv3 allows for unauthorized access when no bind is performed [1]. Although [2] describes how compatibility with other versions of the protocol can be improved by anonymous binding, the only candidate LDAP version 2 was retired in 2003. Following rfc4513, I leave the code to query the LDAP server in the implied unauthorized state without performing the bind. Thanks for the details, it definitely looks like the default binding is indeed anonymous, and calling explicitly bind() is not required. And if this works with OpenLDAP, we've got all the confirmation we need. I guess the python-ldap doc is simply inaccurate. With regards to Unauthenticated Authentication, this is provided for trace purposes only and is considered something which client application developers should protect themselves against using, as it is too easy to mistake such a bind featuring the actual user name for a succesful authentication [3] Indeed we've been bitten by this in OpenERP before, and have an explicit check for blank passwords now on the user authentication. So you're right, unauthenticated mode is irrelevant. Of course, there is SASL as an honourable authentication mechanism but it is somewhat out of scope for this particular effort. I certainly agree. I will therefore not display a selection of options, but leave the checkbox. One more thing occurs to me: since anonymous authentication basically means empty name and password, why not simplify the code and the patch by just removing the required flag on these fields? With clear tooltips on the fields, indicating that they should be left empty for anonymous binding, it should be pretty intuitive, don't you think? This also removes the need for an explicit boolean field that is a bit orthogonal with the binddn/password fields. And before calling bind() you can test ldap_binddn instead of the flag... Thoughts? -- https://code.launchpad.net/~openerp-community/openobject-addons/stefan-therp_lp794450/+merge/63831 Your team OpenERP Community is subscribed to branch lp:~openerp-community/openobject-addons/stefan-therp_lp794450. ___ Mailing list: https://launchpad.net/~openerp-community Post to : openerp-community@lists.launchpad.net Unsubscribe : https://launchpad.net/~openerp-community More help : https://help.launchpad.net/ListHelp