diff --git a/README.md b/README.md
index 7a45d6c2ff..9feb09e390 100644
--- a/README.md
+++ b/README.md
@@ -26,6 +26,7 @@ addon | version | maintainers | summary
 [auth_api_key](auth_api_key/) | 17.0.1.1.1 | | Authenticate http requests from an API key
 [auth_api_key_group](auth_api_key_group/) | 17.0.1.0.1 | [![simahawk](https://github.com/simahawk.png?size=30px)](https://github.com/simahawk) | Allow grouping API keys together. Grouping per se does nothing. This feature is supposed to be used by other modules to limit access to services or records based on groups of keys.
 [auth_api_key_server_env](auth_api_key_server_env/) | 17.0.1.0.0 | | Configure api keys via server env. This can be very useful to avoid mixing your keys between your various environments when restoring databases. All you have to do is to add a new section to your configuration file according to the following convention:
+[auth_ldaps](auth_ldaps/) | 17.0.1.0.0 | | Allows to use LDAP over SSL authentication
 [auth_oidc](auth_oidc/) | 17.0.1.1.0 | [![sbidoul](https://github.com/sbidoul.png?size=30px)](https://github.com/sbidoul) | Allow users to login through OpenID Connect Provider
 [auth_saml](auth_saml/) | 17.0.1.0.0 | [![vincent-hatakeyama](https://github.com/vincent-hatakeyama.png?size=30px)](https://github.com/vincent-hatakeyama) | SAML2 Authentication
 [auth_session_timeout](auth_session_timeout/) | 17.0.1.0.0 | | This module disable all inactive sessions since a given delay
diff --git a/auth_ldaps/README.rst b/auth_ldaps/README.rst
new file mode 100644
index 0000000000..d80610156b
--- /dev/null
+++ b/auth_ldaps/README.rst
@@ -0,0 +1,116 @@ +==================== +LDAPS authentication +==================== + +.. + !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! + !! This file is generated by oca-gen-addon-readme !! + !! changes will be overwritten. !! + !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! + !! source digest: sha256:7a3f2458afff7e8410aea21382679c63425026d5034e5ff2b34815040f2374ba + !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! + +.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png + :target: https://odoo-community.org/page/development-status + :alt: Beta +.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png + :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html + :alt: License: AGPL-3 +.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github + :target: https://github.com/OCA/server-auth/tree/17.0/auth_ldaps + :alt: OCA/server-auth +.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png + :target: https://translation.odoo-community.org/projects/server-auth-17-0/server-auth-17-0-auth_ldaps + :alt: Translate me on Weblate +.. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png + :target: https://runboat.odoo-community.org/builds?repo=OCA/server-auth&target_branch=17.0 + :alt: Try me on Runboat + +|badge1| |badge2| |badge3| |badge4| |badge5| + +This module allows to authenticate using a LDAP over SSL system. + +**Table of contents** + +.. contents:: + :local: + +Installation +============ + +To verify LDAPS server certificate, you need to: + +1. Add the CA certificate of the LDAPS on your server as a trusted + certificate +2. Check the ``Verify certificate`` flag in configuration + +Configuration +============= + +To configure this module, you need to: + +1. Access Settings / General Settings / LDAP Authentication / LDAP + Server +2. 
Check the ``Use LDAPS`` flag + +Usage +===== + + + +Bug Tracker +=========== + +Bugs are tracked on `GitHub Issues `_. +In case of trouble, please check there if your issue has already been reported. +If you spotted it first, help us to smash it by providing a detailed and welcomed +`feedback `_. + +Do not contact contributors directly about support or help with technical issues. + +Credits +======= + +Authors +------- + +* CorporateHub +* Creu Blanca + +Contributors +------------ + +- Enric Tobella + +- `CorporateHub `__ + + - Alexey Pelykh + +- Bhavesh Odedra + +- `Trobz `__: + + - Hoang Diep + +Other credits +------------- + +The migration of this module from 15.0 to 16.0 was financially supported +by Camptocamp + +Maintainers +----------- + +This module is maintained by the OCA. + +.. image:: https://odoo-community.org/logo.png + :alt: Odoo Community Association + :target: https://odoo-community.org + +OCA, or the Odoo Community Association, is a nonprofit organization whose +mission is to support the collaborative development of Odoo features and +promote its widespread use. + +This module is part of the `OCA/server-auth `_ project on GitHub. + +You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute. diff --git a/auth_ldaps/__init__.py b/auth_ldaps/__init__.py new file mode 100644 index 0000000000..4b76c7b2d5 --- /dev/null +++ b/auth_ldaps/__init__.py @@ -0,0 +1,3 @@ +# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl.html). + +from . import models diff --git a/auth_ldaps/__manifest__.py b/auth_ldaps/__manifest__.py new file mode 100644 index 0000000000..9e3298fb6e --- /dev/null +++ b/auth_ldaps/__manifest__.py 
@@ -0,0 +1,19 @@
+# Copyright (C) 2017 Creu Blanca
+# Copyright (C) 2018 Brainbean Apps
+# Copyright 2020 CorporateHub (https://corporatehub.eu)
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl.html).
+
+{
+ "name": "LDAPS authentication",
+ "version": "17.0.1.0.0",
+ "category": "Tools",
+ "website": "https://github.com/OCA/server-auth",
+ "author": "CorporateHub, " "Creu Blanca, " "Odoo Community Association (OCA)",
+ "license": "AGPL-3",
+ "installable": True,
+ "application": False,
+ "summary": "Allows to use LDAP over SSL authentication",
+ "depends": ["auth_ldap"],
+ "data": ["views/res_company_ldap_views.xml"],
+ "external_dependencies": {"python": ["python-ldap"]},
+}
diff --git a/auth_ldaps/i18n/auth_ldaps.pot b/auth_ldaps/i18n/auth_ldaps.pot
new file mode 100644
index 0000000000..330ea9ecbc
--- /dev/null
+++ b/auth_ldaps/i18n/auth_ldaps.pot
@@ -0,0 +1,29 @@
+# Translation of Odoo Server.
+# This file contains the translation of the following modules:
+# * auth_ldaps
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: Odoo Server 17.0\n"
+"Report-Msgid-Bugs-To: \n"
+"Last-Translator: \n"
+"Language-Team: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: \n"
+"Plural-Forms: \n"
+
+#. module: auth_ldaps
+#: model:ir.model,name:auth_ldaps.model_res_company_ldap
+msgid "Company LDAP configuration"
+msgstr ""
+
+#. module: auth_ldaps
+#: model:ir.model.fields,field_description:auth_ldaps.field_res_company_ldap__skip_cert_validation
+msgid "Skip certificate validation"
+msgstr ""
+
+#. module: auth_ldaps
+#: model:ir.model.fields,field_description:auth_ldaps.field_res_company_ldap__is_ssl
+msgid "Use LDAPS"
+msgstr ""
diff --git a/auth_ldaps/i18n/it.po b/auth_ldaps/i18n/it.po
new file mode 100644
index 0000000000..774c030afd
--- /dev/null
+++ b/auth_ldaps/i18n/it.po
@@ -0,0 +1,41 @@
+# Translation of Odoo Server.
+# This file contains the translation of the following modules:
+# * auth_ldaps
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: Odoo Server 14.0\n"
+"Report-Msgid-Bugs-To: \n"
+"PO-Revision-Date: 2021-03-02 19:45+0000\n"
+"Last-Translator: Sergio Zanchetta \n"
+"Language-Team: none\n"
+"Language: it\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: \n"
+"Plural-Forms: nplurals=2; plural=n != 1;\n"
+"X-Generator: Weblate 4.3.2\n"
+
+#. module: auth_ldaps
+#: model:ir.model,name:auth_ldaps.model_res_company_ldap
+msgid "Company LDAP configuration"
+msgstr "Configurazione LDAP azienda"
+
+#. module: auth_ldaps
+#: model:ir.model.fields,field_description:auth_ldaps.field_res_company_ldap__skip_cert_validation
+msgid "Skip certificate validation"
+msgstr "Saltare verifica del certificato"
+
+#. module: auth_ldaps
+#: model:ir.model.fields,field_description:auth_ldaps.field_res_company_ldap__is_ssl
+msgid "Use LDAPS"
+msgstr "Utilizzare LDAPS"
+
+#~ msgid "Display Name"
+#~ msgstr "Nome visualizzato"
+
+#~ msgid "ID"
+#~ msgstr "ID"
+
+#~ msgid "Last Modified on"
+#~ msgstr "Ultima modifica il"
diff --git a/auth_ldaps/models/__init__.py b/auth_ldaps/models/__init__.py
new file mode 100644
index 0000000000..499b15f328
--- /dev/null
+++ b/auth_ldaps/models/__init__.py
@@ -0,0 +1,3 @@
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl.html).
+
+from . import res_company_ldap
diff --git a/auth_ldaps/models/res_company_ldap.py b/auth_ldaps/models/res_company_ldap.py
new file mode 100644
index 0000000000..b4a3775638
--- /dev/null
+++ b/auth_ldaps/models/res_company_ldap.py
@@ -0,0 +1,57 @@
+# Copyright (C) Creu Blanca
+# Copyright (C) 2018 Brainbean Apps
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl.html).
+
+
+import logging
+
+import ldap
+
+from odoo import fields, models
+from odoo.tools.misc import str2bool
+
+_logger = logging.getLogger(__name__)
+
+
+class CompanyLDAP(models.Model):
+ _inherit = "res.company.ldap"
+
+ is_ssl = fields.Boolean(string="Use LDAPS", default=False)
+ skip_cert_validation = fields.Boolean(
+ string="Skip certificate validation", default=False
+ )
+
+ def _get_ldap_dicts(self):
+ res = super()._get_ldap_dicts()
+ for rec in res:
+ ldap = self.sudo().browse(rec["id"])
+ rec["is_ssl"] = ldap.is_ssl or False
+ rec["skip_cert_validation"] = ldap.skip_cert_validation or False
+ return res
+
+ def _connect(self, conf):
+ if conf["is_ssl"]:
+ uri = "ldaps://%s:%d" % (conf["ldap_server"], conf["ldap_server_port"])
+ connection = ldap.initialize(uri)
+ ldap_chase_ref_disabled = (
+ self.env["ir.config_parameter"]
+ .sudo()
+ .get_param("auth_ldap.disable_chase_ref")
+ )
+ if str2bool(ldap_chase_ref_disabled):
+ connection.set_option(ldap.OPT_REFERRALS, ldap.OPT_OFF)
+ if conf["skip_cert_validation"]:
+ connection.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)
+ # this creates a new tls context, which is required to apply
+ # the options, but it also clears the default options defined
+ # in the openldap's configuration file, such as the TLS_CACERT
+ # option, which specifies the file containing the trusted
+ # certificates. this causes certificate verification to fail,
+ # even if it would succeed with the default options. this is
+ # why this is only called if we want to skip certificate
+ # verification.
+ connection.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
+ if conf["ldap_tls"]:
+ connection.start_tls_s()
+ return connection
+ return super()._connect(conf)
diff --git a/auth_ldaps/pyproject.toml b/auth_ldaps/pyproject.toml
new file mode 100644
index 0000000000..4231d0cccb
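Review bot: The `skip_cert_validation` branch of `_connect` relaxes `OPT_X_TLS_REQUIRE_CERT` to `OPT_X_TLS_ALLOW` without leaving any trace, so a bind sent over an unverified TLS session is indistinguishable in the logs from a verified one; `_logger` is created at module level but never used in this file. I would log it in that branch, e.g. `_logger.warning("LDAPS certificate validation is disabled for %s", conf["ldap_server"])`. The INSTALL text added by this same commit tells administrators to check a `Verify certificate` flag, while the only certificate field defined here is `skip_cert_validation` ("Skip certificate validation"), so following the documentation as written would switch verification off; the wording should match the field. Separately, when `is_ssl` and `ldap_tls` are both set, `start_tls_s()` is called on an `ldaps://` connection that is presumably already inside TLS and will likely be rejected by the server, so the StartTLS call may be better skipped in this branch. In `_get_ldap_dicts` the local name `ldap` shadows the imported `ldap` module; a name such as `ldap_conf` would avoid the confusion.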
--- /dev/null
+++ b/auth_ldaps/pyproject.toml
@@ -0,0 +1,3 @@
+[build-system]
+requires = ["whool"]
+build-backend = "whool.buildapi"
diff --git a/auth_ldaps/readme/CONFIGURE.md b/auth_ldaps/readme/CONFIGURE.md
new file mode 100644
index 0000000000..6439d923e7
--- /dev/null
+++ b/auth_ldaps/readme/CONFIGURE.md
@@ -0,0 +1,5 @@
+To configure this module, you need to:
+
+1. Access Settings / General Settings / LDAP Authentication / LDAP
+ Server
+2. Check the `Use LDAPS` flag
diff --git a/auth_ldaps/readme/CONTRIBUTORS.md b/auth_ldaps/readme/CONTRIBUTORS.md
new file mode 100644
index 0000000000..c1d5aadbfe
--- /dev/null
+++ b/auth_ldaps/readme/CONTRIBUTORS.md
@@ -0,0 +1,11 @@
+- Enric Tobella \<\>
+
+- [CorporateHub](https://corporatehub.eu/)
+
+ - Alexey Pelykh \<\>
+
+- Bhavesh Odedra \<\>
+
+- [Trobz](https://trobz.com):
+
+ > - Hoang Diep \<\>
diff --git a/auth_ldaps/readme/CREDITS.md b/auth_ldaps/readme/CREDITS.md
new file mode 100644
index 0000000000..291e14c81e
--- /dev/null
+++ b/auth_ldaps/readme/CREDITS.md
@@ -0,0 +1,2 @@
+The migration of this module from 15.0 to 16.0 was financially supported
+by Camptocamp
diff --git a/auth_ldaps/readme/DESCRIPTION.md b/auth_ldaps/readme/DESCRIPTION.md
new file mode 100644
index 0000000000..defed2d590
--- /dev/null
+++ b/auth_ldaps/readme/DESCRIPTION.md
@@ -0,0 +1 @@
+This module allows to authenticate using a LDAP over SSL system.
diff --git a/auth_ldaps/readme/INSTALL.md b/auth_ldaps/readme/INSTALL.md
new file mode 100644
index 0000000000..711643999e
--- /dev/null
+++ b/auth_ldaps/readme/INSTALL.md
@@ -0,0 +1,5 @@
+To verify LDAPS server certificate, you need to:
+
+1. Add the CA certificate of the LDAPS on your server as a trusted
+ certificate
+2. Check the `Verify certificate` flag in configuration
diff --git a/auth_ldaps/readme/USAGE.md b/auth_ldaps/readme/USAGE.md
new file mode 100644
index 0000000000..8b13789179
--- /dev/null
+++ b/auth_ldaps/readme/USAGE.md
@@ -0,0 +1 @@
+
diff --git a/auth_ldaps/static/description/icon.png b/auth_ldaps/static/description/icon.png new file mode 100644 index 0000000000..3a0328b516 Binary files /dev/null and b/auth_ldaps/static/description/icon.png differ diff --git a/auth_ldaps/static/description/index.html b/auth_ldaps/static/description/index.html new file mode 100644 index 0000000000..779706a076 --- /dev/null +++ b/auth_ldaps/static/description/index.html @@ -0,0 +1,469 @@ + + + + + +LDAPS authentication + + + +
+

LDAPS authentication

+ + +

Beta License: AGPL-3 OCA/server-auth Translate me on Weblate Try me on Runboat

+

This module allows to authenticate using a LDAP over SSL system.

+

Table of contents

+ +
+

Installation

+

To verify LDAPS server certificate, you need to:

+
    +
  1. Add the CA certificate of the LDAPS on your server as a trusted +certificate
  2. +
  3. Check the Verify certificate flag in configuration
  4. +
+
+
+

Configuration

+

To configure this module, you need to:

+
    +
  1. Access Settings / General Settings / LDAP Authentication / LDAP +Server
  2. +
  3. Check the Use LDAPS flag
  4. +
+
+
+

Usage

+
+
+

Bug Tracker

+

Bugs are tracked on GitHub Issues. +In case of trouble, please check there if your issue has already been reported. +If you spotted it first, help us to smash it by providing a detailed and welcomed +feedback.

+

Do not contact contributors directly about support or help with technical issues.

+
+
+

Credits

+
+

Authors

+
    +
  • CorporateHub
  • +
  • Creu Blanca
  • +
+
+
+

Contributors

+ +
+
+

Other credits

+

The migration of this module from 15.0 to 16.0 was financially supported +by Camptocamp

+
+
+

Maintainers

+

This module is maintained by the OCA.

+ +Odoo Community Association + +

OCA, or the Odoo Community Association, is a nonprofit organization whose +mission is to support the collaborative development of Odoo features and +promote its widespread use.

+

This module is part of the OCA/server-auth project on GitHub.

+

You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.

+
+
+
+ + diff --git a/auth_ldaps/views/res_company_ldap_views.xml b/auth_ldaps/views/res_company_ldap_views.xml new file mode 100644 index 0000000000..641f352b4b --- /dev/null +++ b/auth_ldaps/views/res_company_ldap_views.xml @@ -0,0 +1,19 @@ + + + + + res.company.ldap.form + res.company.ldap + + + + + + + + + diff --git a/requirements.txt b/requirements.txt index 302ba0e988..72eb0562e8 100644 --- a/requirements.txt +++ b/requirements.txt @@ -3,3 +3,4 @@ email_validator lxml pysaml2 python-jose +python-ldap diff --git a/setup/_metapackage/pyproject.toml b/setup/_metapackage/pyproject.toml index 295291ca4a..38e7a651f8 100644 --- a/setup/_metapackage/pyproject.toml +++ b/setup/_metapackage/pyproject.toml @@ -1,12 +1,13 @@ [project] name = "odoo-addons-oca-server-auth" -version = "17.0.20241031.0" +version = "17.0.20241229.0" dependencies = [ "odoo-addon-auth_admin_passkey>=17.0dev,<17.1dev", "odoo-addon-auth_admin_passkey_totp_mail_enforce>=17.0dev,<17.1dev", "odoo-addon-auth_api_key>=17.0dev,<17.1dev", "odoo-addon-auth_api_key_group>=17.0dev,<17.1dev", "odoo-addon-auth_api_key_server_env>=17.0dev,<17.1dev", + "odoo-addon-auth_ldaps>=17.0dev,<17.1dev", "odoo-addon-auth_oidc>=17.0dev,<17.1dev", "odoo-addon-auth_saml>=17.0dev,<17.1dev", "odoo-addon-auth_session_timeout>=17.0dev,<17.1dev",