[Cubicweb] CubicWeb / Apache / LDAP: how to recover blacklisted accounts?

Dimitri Papadopoulos Orfanos dimitri.papadopoulos at cea.fr
Thu May 12 08:45:09 CEST 2016


Hi,

On 10/05/2016 at 18:00, Sylvain Thénault wrote:
> On 09 May 15:44, Dimitri Papadopoulos Orfanos wrote:
>> [...]
>> New LDAP accounts need quite some time to be propagated, not only to
>> CubicWeb (delay depends on the LDAPfeed source
>> 'synchronization-interval'), but also to Apache which acts as a trusted
>> front-end (perhaps delay depends on the Apache "LDAPOpCacheTTL" directive?).
> 
> Do you mean you're not using a ldap source in cubicweb?

We do use an LDAP source in CubicWeb. It's configured like this:
	synchronize=yes
	synchronization-interval=30min
	max-lock-lifetime=1h
	delete-entities=no
	logs-lifetime=10d
	http-timeout=1min
	auth-mode=simple
	#auth-realm=
	data-cnx-dn=...
	data-cnx-password=...
	user-base-dn=u'ou=People,dc=...
	user-scope=ONELEVEL
	user-classes=top,posixAccount
	user-filter=
	user-login-attr=uid
	user-default-group=users
	user-attrs-map=userPassword:upassword,mail:email,uid:login
	group-scope=ONELEVEL
	group-classes=top,posixGroup
	group-filter=
	group-attrs-map=memberUid:member,cn:name

However authentication is handled by Apache, not CubicWeb. Apache
relies on the same LDAP database. CubicWeb trusts Apache. Therefore
CubicWeb uses LDAP to retrieve account attributes and for authorization
only.

It may happen that Apache has already synchronized to LDAP but CubicWeb
hasn't. In that case Apache lets the new user through but CubicWeb
doesn't know what to do with the trusted login. It is our impression
that such logins that cannot be recognized by CubicWeb are somehow
"blacklisted". Indeed even after CubicWeb has synchronized with LDAP,
the account cannot be used: Apache still lets the specific login through
of course, but CubicWeb keeps saying the account is not valid. I'm
afraid I cannot remember the exact error message. I could perhaps spend
an hour digging into this issue, collecting error messages and logs.

> [...]
> I fail to see such a black-list mechanism. The only thing I may think of is that
> when some previously registered ldap user is moved to the system source (i.e. we
> don't want to use LDAP for that user anymore), we keep a record of that to avoid later reimport.

Rather the trusted login transmitted by Apache is somehow logged in the
system source. Because CubicWeb has not fetched the relevant account
from LDAP yet, the trusted login is not recognized by CubicWeb and
CubicWeb somehow logs this somewhere. When eventually CubicWeb
synchronizes with LDAP, either the specific account is not synchronized
or the login remains flagged as invalid.

> So please give more details about what you mean by "blacklisted" and the
> peculiarities you observe that make you think the user is blacklisted by cubicweb.

Best,
-- 
Dimitri Papadopoulos
CEA/Saclay
I2BM, NeuroSpin
91191 Gif-sur-Yvette cedex, France
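The propagation race described in this message, modelled as an added example that is not part of the thread and not CubicWeb code: a stand-in for the shared LDAP directory, a stand-in for the LDAPfeed source that pulls on the posted `synchronization-interval`, and a trusted-login check that either fails for a login not yet imported (the symptom reported above) or, as a mitigation that is this example's own proposal rather than CubicWeb behaviour, looks the unknown login up in LDAP on demand. The duration units, the class names and the account `jdoe` are constructed for the illustration.

```python
"""Model of the Apache-trusted-login / LDAPfeed propagation race.
Constructed illustration only: the classes below stand in for the LDAP
directory and CubicWeb's LDAPfeed source; they are not CubicWeb code."""
import re

# Subset of the LDAPfeed source configuration posted in the thread.
SOURCE_CONFIG = """
synchronize=yes
synchronization-interval=30min
max-lock-lifetime=1h
auth-mode=simple
user-login-attr=uid
"""

_DURATION_RE = re.compile(r"^(\d+)(s|min|h|d)$")
_UNIT_SECONDS = {"s": 1, "min": 60, "h": 3600, "d": 86400}


def parse_config(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def parse_duration(value):
    """Convert a duration such as '30min', '1h' or '10d' to seconds.
    The accepted unit set is an assumption based on the posted values."""
    m = _DURATION_RE.match(value)
    if not m:
        raise ValueError("unrecognised duration: %r" % value)
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


class Directory:
    """Stand-in for the LDAP directory shared by Apache and CubicWeb."""
    def __init__(self):
        self.accounts = {}  # uid -> attributes

    def add(self, uid, mail):
        self.accounts[uid] = {"uid": uid, "mail": mail}

    def lookup(self, uid):
        return self.accounts.get(uid)


class LdapFeedSource:
    """Stand-in for the LDAPfeed source: a periodic full pull plus, as the
    proposed mitigation, an on-demand lookup for unknown trusted logins."""
    def __init__(self, directory, interval_seconds):
        self.directory = directory
        self.interval = interval_seconds
        self.last_sync = 0
        self.users = {}           # login -> attributes
        self.unknown_logins = []  # trusted logins seen before import (diagnostics)

    def synchronize(self, now):
        self.users = dict(self.directory.accounts)
        self.last_sync = now

    def maybe_synchronize(self, now):
        if now - self.last_sync >= self.interval:
            self.synchronize(now)

    def authenticate_trusted(self, login, now, on_demand=True):
        """Apache already authenticated `login`; decide whether CubicWeb
        knows it. Returns 'ok', 'imported' or 'unknown'."""
        self.maybe_synchronize(now)
        if login in self.users:
            return "ok"
        if on_demand:
            entry = self.directory.lookup(login)
            if entry is not None:
                self.users[login] = entry
                return "imported"
        self.unknown_logins.append((now, login))
        return "unknown"


def race_window_seconds(conf):
    """Worst case between Apache accepting a fresh LDAP account and the
    next scheduled pull: one full synchronization interval."""
    return parse_duration(conf["synchronization-interval"])


def scenario(on_demand):
    """Create an account 5 minutes after a sync, log in at +5min (before the
    next pull) and at +35min (after it); return the outcomes."""
    conf = parse_config(SOURCE_CONFIG)
    directory = Directory()
    source = LdapFeedSource(directory, parse_duration(conf["synchronization-interval"]))
    source.synchronize(0)
    directory.add("jdoe", "jdoe@example.org")  # constructed account
    return [source.authenticate_trusted("jdoe", t, on_demand) for t in (300, 2100)]
```

With the posted 30-minute interval the window in which Apache lets a new login through while CubicWeb does not yet know it is up to 30 minutes; `scenario(False)` reproduces the first attempt failing and the second succeeding after the pull, while `scenario(True)` shows the on-demand lookup closing the gap without recording the login as invalid.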