[Cubicweb] LDAP + Apache integration

Dimitri Papadopoulos Orfanos dimitri.papadopoulos at cea.fr
Wed Nov 4 14:16:03 CET 2015


Dear all,

I have a few questions about LDAP + Apache integration.

Our context is as follows:

* Authentication is handled by Apache. Cubicweb instances are deployed
behind Apache and depend on "cubicweb-trustedauth" so they trust the
"x-remote-user" field added to HTTP headers by Apache.

* Accounts live in LDAP.

* Apache and Cubicweb rely on LDAP for accounts. Cubicweb accesses LDAP
using an "ldapfeed" source.

* Our users create their account using a self-service application
outside of Cubicweb. Of course accounts are actually not added to LDAP
until an administrator reviews, adds proper access rights, and validates
the account. Users can authenticate against and get past Apache as soon
as their account request is validated by an admin. Unfortunately, at
this point and *before* Cubicweb syncs with LDAP, the Cubicweb
application will not recognize the "x-remote-user" sent by Apache.


Here are the questions:

* Our experience is that Cubicweb freezes for about 10 seconds while it
syncs with the "ldapfeed" source. This is not acceptable in a production
environment. As a workaround we have increased the synchronization
frequency from 1 minute to 30 minutes. Is the freeze expected? Do you
have a suggestion on what to try/modify? We have ~100 accounts in the
LDAP, this is really far from a large LDAP database!

* After creating the account in LDAP and *before* Cubicweb syncs with
the relevant "ldapfeed" source, users are of course not recognized and
are typically greeted by an "unknown user" banner. This is a real
problem if the delay is 30 mins, still a problem (though less acute)
when the delay is 1 min. Do you have suggestions on how to gracefully
handle this?

* When Cubicweb eventually syncs with the "ldapfeed" source, *after* a
failed attempt at accessing the application before the sync, the
relevant new account remains forever de-activated. We have to manually
delete it and let it be re-created again:
  rset = rql("DELETE CWUser U WHERE U login 'user_login'")
  session.commit()
Is this expected? Shouldn't the account be activated after the LDAP
sync? Should I open a ticket in the forge?

Best,
-- 
Dimitri Papadopoulos
CEA/Saclay
I2BM, NeuroSpin
F-91191 Gif-sur-Yvette cedex, France
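The situation described in the mail, as an added example that is not part of the original message and not the code of cubicweb-trustedauth or of the "ldapfeed" source: a constructed simulation in which the application only recognizes logins it has copied from LDAP during a periodic sync, so a freshly validated account is rejected with "unknown user" until the next sync. The `FakeLdap`, `TrustedHeaderApp` and `demo` names, the 1800-second interval, the proxy-address check (the header is honoured only when the request arrives from the reverse proxy) and the optional on-demand LDAP lookup for a single unknown login are all assumptions made for this illustration, not behaviour of CubicWeb.

```python
from dataclasses import dataclass, field


@dataclass
class FakeLdap:
    """Stand-in for the LDAP directory (constructed). An account exists in
    LDAP only once an administrator has validated the self-service request."""
    validated: set = field(default_factory=set)

    def has_login(self, login):
        return login in self.validated

    def all_logins(self):
        return set(self.validated)


class TrustedHeaderApp:
    """Hypothetical application that trusts the x-remote-user header set by the
    proxy and keeps a local copy of LDAP accounts refreshed by a periodic sync."""

    def __init__(self, ldap, proxy_addr="10.0.0.1", sync_interval=1800):
        self.ldap = ldap
        self.proxy_addr = proxy_addr      # assumed address of the Apache front end
        self.sync_interval = sync_interval  # seconds between full syncs (30 min here)
        self.last_sync = None
        self.users = {}                   # login -> active flag (local copy)
        self.sync_count = 0

    def periodic_sync(self, now):
        """Full sync: copy every LDAP login into the local table, but only
        when the configured interval has elapsed. Returns True if it ran."""
        if self.last_sync is not None and now - self.last_sync < self.sync_interval:
            return False
        for login in self.ldap.all_logins():
            self.users.setdefault(login, True)
        self.last_sync = now
        self.sync_count += 1
        return True

    def authenticate(self, headers, remote_addr, now, on_demand=False):
        """Resolve a request to an outcome string. The header is only trusted
        when the request comes from the proxy; unknown logins can optionally be
        looked up in LDAP directly instead of waiting for the next full sync."""
        if remote_addr != self.proxy_addr:
            return "anonymous"
        self.periodic_sync(now)
        login = headers.get("x-remote-user")
        if not login:
            return "anonymous"
        if login in self.users:
            return "ok" if self.users[login] else "deactivated"
        if on_demand and self.ldap.has_login(login):
            # Targeted lookup of one login: fills the gap between syncs.
            self.users[login] = True
            return "ok"
        return "unknown user"


def demo(on_demand=False):
    """Replay the timeline from the mail with constructed data: the user
    requests an account, an admin validates it in LDAP, the user immediately
    passes Apache and hits the application before the next sync."""
    ldap = FakeLdap()
    app = TrustedHeaderApp(ldap)
    hdr = {"x-remote-user": "alice"}
    results = []
    # t=0: first request, account not yet validated anywhere.
    results.append(app.authenticate(hdr, "10.0.0.1", now=0, on_demand=on_demand))
    # t=60: admin validates the account; it now exists in LDAP.
    ldap.validated.add("alice")
    # t=120: user gets past Apache, but the app has not synced since t=0.
    results.append(app.authenticate(hdr, "10.0.0.1", now=120, on_demand=on_demand))
    # t=1900: the 30-minute interval has elapsed, a full sync picks up the account.
    results.append(app.authenticate(hdr, "10.0.0.1", now=1900, on_demand=on_demand))
    return results


if __name__ == "__main__":
    print("periodic sync only :", demo(on_demand=False))
    print("with on-demand look:", demo(on_demand=True))
```

With the periodic sync alone the second request is rejected as "unknown user" even though LDAP already holds the account; with the on-demand lookup the same request succeeds, which is the kind of graceful handling the second question asks about. The proxy-address check is there because an application that trusts x-remote-user should only do so for requests that actually came through the front end that sets it.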
