[Cubicweb] Apache + CubicWeb + LDAP

David Douard david.douard at logilab.fr
Mon Jan 27 10:15:46 CET 2014


On 26/01/2014 16:10, Dimitri Papadopoulos Orfanos wrote:
> Hi,

Hi

> Thank you for clarifying ldapfeed.
> 
> On 24/01/2014 15:56, Aurélien Campéas wrote:
>>> [...]
>>> An LDAP directory used by both SFTP and Apache+CubicWeb looks like the
>>> obvious solution. Should I be looking elsewhere or is this the unique
>>> and true way to achieve our goal?
>>>
>>
>> It's a standard way, but probably not the only possible one.
>> [...]
> 
> Which other ways could you suggest?
> 
> Most solutions I can think of seem to require new code:
> * Get SFTP to use CubicWeb passwords by writing a PAM module.
> * Get CubicWeb to use getpwnam() by writing a new CubicWeb source.
> 
>> [...]
>> The ldapfeed source itself performs the authentication against the LDAP
>> server, hence I'm not sure I understand the purpose of trustedauth here.
>> [...]
> 
> Indeed both Apache and CubicWeb can authenticate against LDAP. However an Apache front-end provides standardized logs among other services (including authentication).

It should work. We have a setup here at Logilab using an ldapfeed source to define users etc., with trustedauth to provide SSO (using Kerberos), so we do not store passwords in the LDAP database.
  
> 
> By the way, the documentation states that auth-mode supports:
> * simple,
> * cram_md5,
> * digest_md5,
> * gssapi.
> I'm not very familiar with the details of authentication. Does this mean that the recommended {SSHA} password scheme is not supported?

Unfortunately there is no support for SSHA authentication toward the LDAP server now, since we use the ldap.sasl module to authenticate to the LDAP server, so we only provide auth modes available in this module.


> 
> It looks like Apache doesn't support {SSHA} either - or at least requires additional modules for that:
>     https://github.com/DrGkill/htpasswd-ssha
> 
> Any clue on what password LDAP storage scheme fits best SFTP + CubicWeb + Apache?
> 
> Regards,


-- 

David DOUARD		 LOGILAB
Director of the Tools & Systems Department

+33 1 45 32 03 12	 david.douard at logilab.fr
+33 1 83 64 25 26	 http://www.logilab.fr/id/david.douard

Training - http://www.logilab.fr/formations
Development - http://www.logilab.fr/services
Knowledge management - http://www.cubicweb.org/