Thanks !

This is how is working after the patch:

Thanks for the answer, I agree that is a very big security hole, but it was useful

I don't understand what you mean with _"On LDAP environments is the same but the LDAPUser is forced authentication against the LDAP server.
You can still create a parallel user without LDAP if needed."._
Could you say more about that please ?

Thanks,

Nicolas

Hi

> In fact, that's the actual behaviour

Right, I think that's very dangerous and unwanted - that's since compiere times - so, I guess many people is "used" to such security hole - but from a security point of view it sounds crazy to me - if you have an LDAP configuration, and an LDAP configured user, why would you allow to bypass the LDAP security and allow the probably more-lazy security of AD_User.Password?
And people not aware of such behavior was probably assigning very lazy passwords in AD_User - or probably not even encrypted/hashed.

Because people can be "used" to such security hole - I think the option I just pushed is trying to "respect" that - if somebody needs a user to be validated with AD_User.Password in an LDAP environment, then it can create a user without the LDAPUser field filled - so, we are allowing some kind of exceptions configured by the implementor. I think is also up to the implementor if LDAPUser must be mandatory for certain tenants or not - that can be easily configured in custom window or plugin.

I saw your proposal about LDAP_ALLOW_LOGIN_WITH_AD_USER_PASSWORD, but as you say is not safe, and your proposal to make it an ID list in the end is the same as allowing a parallel user authenticated by AD_User.Password.

> Another scenario that could happen - don't know if your patch allow it or not -
> if you implement iDempiere into a company which uses LDAP, you may not have a user in LDAP.

Yes, is possible, is just leaving empty the LDAPUser field - as said above - I think is a decision on every implementation if that's allowed or not and under which conditions (that is: customization).

> it's easier to use the LDAPUser field to store the login (I prefer to log using 'nmd' (lLDAPUser)
> instead of 'Nicolas Micoud' (AD_User.Name)).

Yes, I'm aware of that "hack" That's still possible in non-LDAP environments - to use the LDAPUser as the login key.
On LDAP environments is the same but the LDAPUser is forced authentication against the LDAP server.
You can still create a parallel user without LDAP if needed.

Regards,

Carlos Ruiz

Hello ,

Haven't tested yet, but just a thought :
"Allowing to login with ad_user password to an LDAP user sounds like a security hole - a big one - are you sure that's the behavior?" (from https://idempiere.atlassian.net/browse/IDEMPIERE-3866)
In fact, that's the actual behaviour

ATM, I can log into the system using my LDAPUsername (Tginm) and password from LDAP or AD_User.
The SysConfig LDAP_ALLOW_LOGIN_WITH_AD_USER_PASSWORD was here to preserve this behaviour (I agree, is not safe, but it has been working for years).
But perhaps, this SysConfig should refers UserIDs.

Another scenario that could happen - don't know if your patch allow it or not - if you implement iDempiere into a company which uses LDAP, you may not have a user in LDAP.
However, it's easier to use the LDAPUser field to store the login (I prefer to log using 'nmd' (lLDAPUser) instead of 'Nicolas Micoud' (AD_User.Name)).

Regards,

Nicolas