[Cubicweb] CubicWeb / Apache / LDAP: how to recover blacklisted accounts?
Dimitri Papadopoulos Orfanos
dimitri.papadopoulos at cea.fr
Thu May 12 08:45:09 CEST 2016
On 10/05/2016 at 18:00, Sylvain Thénault wrote:
> On 09 mai 15:44, Dimitri Papadopoulos Orfanos wrote:
>> New LDAP accounts need quite some time to be propagated, not only to
>> CubicWeb (delay depends on the LDAPfeed source
>> 'synchronization-interval'), but also to Apache which acts as a trusted
>> front-end (perhaps delay depends on the Apache "LDAPOpCacheTTL" directive?).
> Do you mean you're not using a ldap source in cubicweb?
We do use an LDAP source in CubicWeb. It's configured like this:
However, authentication is handled by Apache, not CubicWeb. Apache
relies on the same LDAP database. CubicWeb trusts Apache. Therefore
CubicWeb uses LDAP to retrieve account attributes and for authorization.
It may happen that Apache has already synchronized to LDAP but CubicWeb
hasn't. In that case Apache lets the new user through but CubicWeb
doesn't know what to do with the trusted login. It is our impression
that such logins that cannot be recognized by CubicWeb are somehow
"blacklisted". Indeed even after CubicWeb has synchronized with LDAP,
the account cannot be used: Apache still lets the specific login through
of course, but CubicWeb keeps saying the account is not valid. I'm
afraid I cannot remember the exact error message. I could perhaps spend
an hour digging into this issue, collecting error messages and logs.
> I fail to see such a black-list mechanism. The only thing I may think of is that
> when some previously registered ldap user is moved to the system source (ie we
> don't want to use LDAP for that user anymore), we keep a record of that to avoid
> later reimport.
Rather the trusted login transmitted by Apache is somehow logged in the
system source. Because CubicWeb has not fetched the relevant account
from LDAP yet, the trusted login is not recognized by CubicWeb and
CubicWeb somehow logs this somewhere. When eventually CubicWeb
synchronizes with LDAP, either the specific account is not synchronized
or the login remains flagged as invalid.
> So please give more details about what you mean by "blacklisted" and the
> peculiarities you observe that make you think the user is blacklisted by cubicweb.
91191 Gif-sur-Yvette cedex, France
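The race described in this thread, as a constructed Python simulation added here (it is not CubicWeb's, Apache's or the list's code). The "negative cache" it models is only the hypothesis raised in the message above, not a documented CubicWeb mechanism; the names `Directory`, `FrontEnd`, `Backend`, the 60-second sync interval and the user "alice" are all assumptions. It shows why a trusted front-end that sees new LDAP accounts immediately, combined with a backend that syncs on an interval and remembers rejections forever, locks a valid account out permanently, and why bounding any remembered rejection by a TTL no longer than the sync interval clears the lockout after the next sync.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Directory:
    """Stand-in for the LDAP directory both components read (constructed)."""
    users: Set[str] = field(default_factory=set)


class FrontEnd:
    """Trusted front-end (the Apache role): queries the directory on every
    request, so a newly created account is accepted at once."""

    def __init__(self, directory: Directory) -> None:
        self.directory = directory

    def authenticate(self, login: str) -> bool:
        return login in self.directory.users


class Backend:
    """Application (the CubicWeb role): trusts the front-end's login header
    but only knows accounts it has pulled from the directory at its last
    periodic synchronization.  Unknown trusted logins are remembered as
    rejected; `negative_ttl=None` remembers them forever (the suspected
    "blacklist"), a finite TTL lets them be re-evaluated after a sync."""

    def __init__(self, directory: Directory, sync_interval: int,
                 negative_ttl: Optional[int] = None) -> None:
        self.directory = directory
        self.sync_interval = sync_interval
        self.negative_ttl = negative_ttl
        self.known: Set[str] = set(directory.users)   # initial import
        self.rejected: Dict[str, int] = {}            # login -> time rejected
        self.last_sync = 0

    def synchronize_if_due(self, now: int) -> None:
        # Periodic pull from the directory, like a 'synchronization-interval'.
        if now - self.last_sync >= self.sync_interval:
            self.known = set(self.directory.users)
            self.last_sync = now

    def accept_trusted_login(self, login: str, now: int) -> bool:
        self.synchronize_if_due(now)
        if login in self.rejected:
            expired = (self.negative_ttl is not None
                       and now - self.rejected[login] >= self.negative_ttl)
            if not expired:
                return False          # still held by the remembered rejection
            del self.rejected[login]  # TTL elapsed: re-check against known users
        if login in self.known:
            return True
        self.rejected[login] = now    # not yet imported: remember the rejection
        return False


def run_scenario(negative_ttl: Optional[int]) -> List[Tuple[int, bool, bool]]:
    """Create 'alice' just after the backend's initial import, then replay
    requests at several times.  Returns (time, front_end_ok, backend_ok)."""
    ldap = Directory()
    front = FrontEnd(ldap)
    back = Backend(ldap, sync_interval=60, negative_ttl=negative_ttl)
    ldap.users.add("alice")  # account created at t=0, after the initial import
    results = []
    for now in (5, 30, 120, 400):
        front_ok = front.authenticate("alice")
        back_ok = front_ok and back.accept_trusted_login("alice", now)
        results.append((now, front_ok, back_ok))
    return results


if __name__ == "__main__":
    # Permanent rejection: alice stays locked out even after the t=120 sync.
    print("no TTL :", run_scenario(None))
    # Rejection bounded by the sync interval: alice is accepted after the sync.
    print("TTL=60 :", run_scenario(60))
```

The front-end accepts "alice" from the first request, while the backend rejects her until its next synchronization at t=120. With an unbounded negative record the rejection persists past that sync, which is exactly the symptom reported above; with the record bounded by a TTL no longer than the synchronization interval, the next sync makes the account usable. An alternative mitigation with the same effect is to perform a targeted directory lookup for an unknown trusted login instead of recording a rejection at all.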