diff -r c09feae04094 -r 268b6349baf3 sobjects/ldapparser.py
--- a/sobjects/ldapparser.py	Fri Aug 03 13:29:37 2012 +0200
+++ b/sobjects/ldapparser.py	Fri Sep 07 14:01:59 2012 +0200
@@ -20,6 +20,7 @@
 unlike ldapuser source, this source is copy based and will import ldap content
 (beside passwords for authentication) into the system source.
 """
+from __future__ import with_statement
 
 from logilab.common.decorators import cached
 from logilab.common.shellutils import generate_password
@@ -71,7 +72,9 @@
         session.commit(free_cnxset=False)
 
     def update_if_necessary(self, entity, attrs):
-        entity.complete(tuple(attrs))
+        # disable read security to allow password selection
+        with entity._cw.security_enabled(read=False):
+            entity.complete(tuple(attrs))
         if entity.__regid__ == 'CWUser':
             wf = entity.cw_adapt_to('IWorkflowable')
             if wf.state == 'deactivated':