[Cubicweb] CubicWeb / Apache / LDAP: how to recover blacklisted accounts?

Sylvain Thénault sylvain.thenault at logilab.fr
Tue May 10 18:00:09 CEST 2016

On 09 mai 15:44, Dimitri Papadopoulos Orfanos wrote:
> Dear all,

Hi Dimitri,
> We use LDAP accounts for our CubicWeb instances.
> New LDAP accounts need quite some time to be propagated, not only to
> CubicWeb (delay depends on the LDAPfeed source
> 'synchronization-interval'), but also to Apache which acts as a trusted
> front-end (perhaps delay depends on the Apache "LDAPOpCacheTTL" directive?).

Do you mean you're not using a ldap source in cubicweb?
> Our experience is that accounts are blacklisted whenever a login is
> attempted:
> * after the LDAP account has been propagated to Apache,
> * before the LDAP account has been propagated to CubicWeb.
> When this happens CubicWeb blacklists the account and we are unable to
> recover the account even after CubicWeb has been synchronized with LDAP.
> We have to delete and re-create the LDAP account from scratch.
> Could you help use here? How are accounts black-listed? How to avoid
> that, or at least recover as soon as CubicWeb is synchronized with LDAP?

I'm fail to see such black-list mecanism. The only thing I may think of is that
when some previously registered ldap user is moved to the system source (ie we
don't want to use LDAP for that user anymore), we keep a record of that to avoid later reimport.

So please give more details about what you mean by "blacklisted" and the
peculiarities you observes that makes you think user is blacklisted by cubicweb.

Sylvain Thénault, LOGILAB, Paris ( - Toulouse (
Formations Python, Debian, Méth. Agiles: http://www.logilab.fr/formations
Développement logiciel sur mesure:       http://www.logilab.fr/services
CubicWeb, the semantic web framework:    http://www.cubicweb.org

More information about the Cubicweb mailing list