[MERGE] users_ldap: support for anonymous binding at company level

Anonymous binding is enabled by having empty names and password
in company LDAP setup. This does NOT permit anonymous binding
for user authentication, which is still forbidden. The anonymous
access will only be used to query the directory for the existence
of the users.
Thanks to Stefan Rijnhart for the idea and implementation!

bzr revid: odo@openerp.com-20110615173006-4wvzpecqx4doyb4l

diff --cc addons/users_ldap/users_ldap.py
index e4fec6a,06daa48..216a8a4
--- 1/addons/users_ldap/users_ldap.py
--- 2/addons/users_ldap/users_ldap.py
+++ b/addons/users_ldap/users_ldap.py
@@@ -37,8 -37,12 +37,12 @@@ class CompanyLDAP(osv.osv)
              ondelete='cascade'),
          'ldap_server': fields.char('LDAP Server address', size=64, required=True),
          'ldap_server_port': fields.integer('LDAP Server port', required=True),
-         'ldap_binddn': fields.char('LDAP binddn', size=64, required=True),
-         'ldap_password': fields.char('LDAP password', size=64, required=True),
 -        'ldap_binddn': fields.char('LDAP binddn', size=64, 
++        'ldap_binddn': fields.char('LDAP binddn', size=64,
+             help=("The user account on the LDAP server that is used to query "
+                   "the directory. Leave empty to connect anonymously.")),
+         'ldap_password': fields.char('LDAP password', size=64,
 -            help=("The password of the user account on the LDAP server that is"
 -                  " used to query the directory.")),
++            help=("The password of the user account on the LDAP server that is "
++                  "used to query the directory.")),
          'ldap_filter': fields.char('LDAP filter', size=64, required=True),
          'ldap_base': fields.char('LDAP base', size=64, required=True),
          'user': fields.many2one('res.users', 'Model User',
@@@ -82,7 -86,8 +86,10 @@@ class users(osv.osv)
              logger.debug(res_company_ldap)
              try:
                  l = ldap.open(res_company_ldap['ldap_server'], res_company_ldap['ldap_server_port'])
-                 if l.simple_bind_s(res_company_ldap['ldap_binddn'], res_company_ldap['ldap_password']):
++                # An empty binddn means anonymous auth, so it should be replaced w/ an empty string
++                # See LDAP RFC 4513, Section 5.1.1
+                 if l.simple_bind_s(res_company_ldap['ldap_binddn'] or '',
+                                    res_company_ldap['ldap_password'] or ''):
                      base = res_company_ldap['ldap_base']
                      scope = ldap.SCOPE_SUBTREE
                      filter = filter_format(res_company_ldap['ldap_filter'], (login,))
@@@ -150,8 -155,8 +157,10 @@@
              for res_company_ldap in user.company_id.ldaps:
                  try:
                      l = ldap.open(res_company_ldap.ldap_server, res_company_ldap.ldap_server_port)
-                     if l.simple_bind_s(res_company_ldap.ldap_binddn,
-                             res_company_ldap.ldap_password):
++                    # An empty binddn means anonymous auth, so it should be replaced w/ an empty string
++                    # See LDAP RFC 4513, Section 5.1.1
+                     if l.simple_bind_s(res_company_ldap.ldap_binddn or '',
+                                        res_company_ldap.ldap_password or ''):
                          base = res_company_ldap.ldap_base
                          scope = ldap.SCOPE_SUBTREE
                          filter = filter_format(res_company_ldap.ldap_filter, (user.login,))