[Cubicweb] Apache + CubicWeb + LDAP

Aurélien Campéas aurelien.campeas at logilab.fr
Fri Jan 24 15:56:03 CET 2014


On 24/01/2014 15:36, Dimitri Papadopoulos Orfanos wrote:
> Dear list,

Hi Dimitri,

> 
> We would like to share the same login/password pair between SFTP and
> CubicWeb.
> 
> Additionally, we would like CubicWeb authentication to be handled by an
> Apache front-end.
> 
> An LDAP directory used by both SFTP and Apache+CubicWeb looks like the
> obvious solution. Should I be looking elsewhere or is this the unique
> and true way to achieve our goal?
> 

It's a standard way, but probably not the only possible one.

> 
> 
> I also have a few questions about integrating CubicWeb with Apache and
> LDAP:
> 
> I've read "LDAP integration" and I understand we must use the new
> _ldapfeed_ source:
>     http://docs.cubicweb.org/admin/ldap.html
> 
> I think it would be easier to define groups in LDAP rather than in
> CubicWeb, because it would allow to share groups between SFTP and
> CubicWeb, and for the sake of consistency. I've found an open ticket "Ad
> support for CWGroup definitions in ldapfeed":
>     http://www.cubicweb.org/ticket/2528116
> Any clue which version of CubicWeb this patch could be included in?

It is in CubicWeb since 3.17 as indicated on the page you refer to.
I'm not sure however it has been vastly already used, so you may
discover gotchas. But we surely will want to hear about them and fix
any serious problem asap.

> 
> I expect the accounts in LDAP to follow the standard LDAP schema for
> Linux accounts. I can't decide from the documentation whether CubicWeb
> will be able to understand this schema or not. I think "Configurations
> options of an LDAPfeed source" describes how to set ldapfeed parameters
> to achieve whatever mapping we need. Am I correct?

Yes.

> 
> Finally I plan as usual to use cubicweb-trustedauth, to get CubicWeb to
> trust the Apache front-end for authentication.

The ldapfeed source performs itself the authentication against the LDAP
server, hence I'm not sure I understand the purpose of trustedauth here.

Regards,
Aurélien.




More information about the Cubicweb mailing list