[Cubicweb] CubicWeb / Apache / LDAP: how to recover blacklisted accounts?

Dimitri Papadopoulos Orfanos dimitri.papadopoulos at cea.fr
Thu May 12 11:00:37 CEST 2016


On 12/05/2016 09:04, Sylvain Thénault wrote:
> When such a case arises, do you see a CWUser on the cubicweb side for the given
> login? Which source does it come from (e.g. ldap or system)?

I seem to recall a user is indeed created (probably system side since
the LDAP account has not been synchronized yet).

I will have to double-check that.

> I've dug a bit into the trustedauth code and I don't see any caching mechanism.
> It seems that it has to be implemented by a TrustedAuthenticationPolicy. Do you
> know if you have such a policy and where it is implemented?
> 
> Also, if you have an ldap source, could you not simply drop the trustedauth layer and
> let authentication be done by the ldap source? (probably for some kind of SSO).

Indeed:
* There are other services such as SFTP on the server. We prefer that they
use the same identifiers.
* Apache authentication is standard and well known by sysadmins.
Directly exposing CubicWeb adds a new attack vector.

best,
-- 
Dimitri Papadopoulos
CEA/Saclay
DRF, I2BM, NeuroSpin
F-91191 Gif-sur-Yvette cedex, France