Page MenuHomePhabricator

LDAP credential caching
Closed, ResolvedPublic

Asked by benjumanji on Apr 13 2016, 1:24 PM.


If I log into Phabricator via LDAP, and I am removed from the LDAP server, how does that change propagate through to Phabricator? Does it propagate? I am hoping for: you will be logged out, but I am not confident that this is true. I'm not the LDAP admin so I can't easily test this.


Updated 2,308 Days Ago

You will not be logged out. They will be unable to establish new sessions, but existing sessions will continue to function indefinitely.

We can not quickly or easily detect that an LDAP account has become disabled.

We would need to store the user's password and make an LDAP request on every page to make sure the account was still active if we wanted to log them out immediately. This has nontrivial security, performance, and scalability implications, and is impractical or impossible for many other types of accounts. In the general case, it would be incorrect: even if your LDAP account is disabled, you may have other valid authentication methods attached to Phabricator and still be a legitimate user.

To prevent a user from accessing Phabricator, disable their Phabricator account. This will immediately disable all authentication methods associated with their account.

There may be more tools for passive synchronization after T5953, but they will probably be limited, and are unlikely to poll every LDAP account every few seconds.

You will be able to disable users via API after user.edit (T10512 is an adjacent task), which would let you build passive synchronization yourself. You can probably do this with user.disable today until user.edit comes online.

New Answer


This question has been marked as closed, but you can still leave a new answer.