[Cubicweb] LDAP + Apache integration
julien.cristau at logilab.fr
Thu Nov 5 10:02:17 CET 2015
On Wed, Nov 4, 2015 at 14:16:03 +0100, Dimitri Papadopoulos Orfanos wrote:
> Dear all,
> I have a few questions about LDAP + Apache integration.
> Our context is as follows:
> * Authentication is handled by Apache. Cubicweb instances are deployed
> behind Apache and depend on "cubicweb-trustedauth" so they trust the
> "x-remote-user" field added to HTTP headers by Apache.
> * Accounts live in LDAP.
> * Apache and Cubicweb rely on LDAP for accounts. Cubicweb accesses LDAP
> using an "ldapfeed" source.
> * Our users create their account using a self-service application
> outside of Cubicweb. Of course accounts are actually not added to LDAP
> until an administrator reviews, adds proper access rights, and validates
> the account. Users can authenticate against and get past Apache as soon
> as their account request is validated by an admin. Unfortunately, at
> this point and *before* Cubicweb syncs with LDAP, the Cubiweb
> application will not recognize the "x-remote-user" sent by Apache.
> Here are the questions:
> * Our experience is that Cubicweb freezes for about 10 seconds while it
> syncs with the "ldapfeed" source. This is not acceptable in a production
> environment. As a workaround we have increased the synchronization
> frequency from 1 minute to 30 minutes. Is the freeze expected? Do you
> have a suggestion on what to try/modify? We have ~100 accounts in the
> LDAP, this is really far from a large LDAP database!
I'm not sure why source sync would cause an UI freeze, it doesn't really
make sense to me. What I would suggest however is to set the source
config's synchronize option to false, and run "cubicweb-ctl source-sync
<instance> <name of the ldap source>" from cron or equivalent. That way
the source sync happens in a separate process from the web interface,
and won't affect its responsiveness.
> * After creating the account in LDAP and *before* Cubicweb syncs with
> the relevant "ldapfeed" source, users are of course not recognized and
> are typically greeted by a an "unknown user" banner. This is a real
> problem if the delay is 30 mins, still a problem (though less acute)
> when the delay is 1 min. Do you have suggestions on how to gracefully
> handle this?
The above should let you reduce the delay, at least. Maybe there's also
a way for you to trigger a source-sync run when your administrators
validate an account?
> * When Cubicweb eventually syncs with the "ldapfeed" source, *after* a
> failed attempt at accessing the application before the sync, the
> relevant new account remains forever de-activated. We have to manually
> delete it and let it be re-creatd again:
> rset = rql("DELETE CWUser U WHERE U login 'user_login'")
> Is this expected? Shouldn't the account be activated after the LDAP
> sync? Should I open a ticket in the forge?
That sounds like a bug, possibly specific to your application, I haven't
seen anything like that, so it would need some investigation.
Julien Cristau <julien.cristau at logilab.fr>
Informatique scientifique & gestion de connaissances
More information about the Cubicweb