[Cubicweb] CubicWeb / Apache / LDAP: how to recover blacklisted accounts?

Sylvain Thénault sylvain.thenault at logilab.fr
Thu May 12 09:04:44 CEST 2016

On 12 mai 08:45, Dimitri Papadopoulos Orfanos wrote:
> Hi,
> Le 10/05/2016 à 18:00, Sylvain Thénault a écrit :
> > On 09 mai 15:44, Dimitri Papadopoulos Orfanos wrote:
> >> [...]
> >> New LDAP accounts need quite some time to be propagated, not only to
> >> CubicWeb (delay depends on the LDAPfeed source
> >> 'synchronization-interval'), but also to Apache which acts as a trusted
> >> front-end (perhaps delay depends on the Apache "LDAPOpCacheTTL" directive?).
> > 
> > Do you mean you're not using a ldap source in cubicweb?
> We do use an LDAP source in CubicWeb. It's configured like this:
> 	synchronize=yes
> 	synchronization-interval=30min
> 	max-lock-lifetime=1h
> 	delete-entities=no
> 	logs-lifetime=10d
> 	http-timeout=1min
> 	auth-mode=simple
> 	#auth-realm=
> 	data-cnx-dn=...
> 	data-cnx-password=...
> 	user-base-dn=u'ou=People,dc=...
> 	user-scope=ONELEVEL
> 	user-classes=top,posixAccount
> 	user-filter=
> 	user-login-attr=uid
> 	user-default-group=users
> 	user-attrs-map=userPassword:upassword,mail:email,uid:login
> 	group-scope=ONELEVEL
> 	group-classes=top,posixGroup
> 	group-filter=
> 	group-attrs-map=memberUid:member,cn:name
> However authentication is handled by Apache, not CubicWeb. Apaches
> relies on the same LDAP database. CubicWeb trusts Apache. Therefore
> CubicWeb uses LDAP to retrieve account attributes and for authorization
> only.

ok. I'm not very aware of this trust layer between apache and cw unfortunatly.
> It may happen that Apache has already synchronized to LDAP but CubicWeb
> hasn't. In that case Apache lets the new user through but CubicWeb
> doesn't know what to do with the trusted login. It is our impression
> that such logins that cannot be recognized by CubicWeb are somehow
> "blacklisted". Indeed even after CubicWeb has synchronized with LDAP,
> the account cannot be used: Apache still lets the specific login through
> of course, but CubicWeb keeps saying the account is not valid. I'm
> afraid I cannot remember the exact error message. I could perhaps spend
> an hour digging into this issue, collecting error messages and logs.
> > [...]
> > I'm fail to see such black-list mecanism. The only thing I may think of is that
> > when some previously registered ldap user is moved to the system source (ie we
> > don't want to use LDAP for that user anymore), we keep a record of that to avoid later reimport.
> Rather the trusted login transmitted by Apache is somehow logged in the
> system source. Because CubicWeb has not fetched the relevant account
> from LDAP yet, the trusted login is not recognized by CubicWeb and
> CubicWeb somehow logs this somewhere. When eventuelly CubicWeb
> synchronizes with LDAP, either the specific account is not synchronized
> or the login remains flagged as invalid.

When such case arises, do you see a CWUser on the cubicweb-side for the given
login? From which source does it come from (eg ldap or system)?

I've digged a bit in the trustedauth code and I don't see any caching mecanism.
It seems that is has to be implemented by a TrustedAuthenticationPolicy. Do you
know if you have such a policy and where is it implemented?

Also, if you have an ldap source, you not simply drop the trustedauth layer and
let authentication be done by the ldap source? (probably for some kind of SSO).

Sylvain Thénault, LOGILAB, Paris ( - Toulouse (
Formations Python, Debian, Méth. Agiles: http://www.logilab.fr/formations
Développement logiciel sur mesure:       http://www.logilab.fr/services
CubicWeb, the semantic web framework:    http://www.cubicweb.org

More information about the Cubicweb mailing list