When TWiki user authorization is based on LDAP groups, LdapContrib is configured to cache the LDAP groups for some time, and in the meantime a new user is created in the LDAP directory, this new user is denied access to TWiki pages, because the LdapContrib cache file doesn't contain information about the new user's group membership.
The workaround is to remove the twiki/working/work_areas/LdapContrib/cache.db file and then try to access the wiki page again. LdapContrib creates a new cache.db file from fresh LDAP directory information and the user is then allowed access.
A nicer and more correct solution would be to query the LDAP directory for updates in case the current cache file doesn't contain information about the user but the authentication has succeeded, and therefore the user must be a valid user.
-- TWiki:Main.AivoJurgenson - 16 Jun 2008
Right. What is your $TWiki::cfg{LoginManager} setting? If you are using the TWiki::LoginManager::TemplateLogin manager, LdapContrib does check if this user is known or not and will refresh this particular record if needed. If you are using TWiki::LoginManager::ApacheLogin, try TWiki::LoginManager::LdapApacheLogin instead. This class adds exactly the check you described to the original ApacheLogin class. Did this work out for you?
-- TWiki:Main.MichaelDaum - 17 Jun 2008
Oh, thanks for this tip, I wasn't aware of this LdapApacheLogin manager. We'll try it out and will update this item.
-- TWiki:Main.AivoJurgenson - 18 Jun 2008
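
The refresh-on-miss check discussed in this thread, as an added Perl sketch that is not LdapContrib's code: the GroupCache package, its methods and the %DIRECTORY hash (standing in for a live LDAP query) are hypothetical names, and the sample users are constructed. A single record is fetched on a cache miss only when the login manager has already authenticated the user, so unauthenticated requests for unknown names never reach the directory.

```perl
#!/usr/bin/perl
# Added illustration: a model of refresh-on-miss for a cached LDAP group map.
# GroupCache, load_all, groups_for and %DIRECTORY are hypothetical names,
# not LdapContrib's API. %DIRECTORY stands in for a live LDAP search.
use strict;
use warnings;

# Constructed sample directory: user => list of groups.
my %DIRECTORY = ( alice => ['wiki-users'] );

package GroupCache;

sub new {
    my ($class, %args) = @_;
    return bless { lookup => $args{lookup}, records => {}, queries => 0 }, $class;
}

# Bulk load, as done when the cache file is (re)built from the directory.
sub load_all {
    my ($self, $directory) = @_;
    $self->{records}{$_} = [ @{ $directory->{$_} } ] for keys %$directory;
}

# Return the groups for $user. On a cache miss, query the directory for that
# one record, but only if the caller has already authenticated the user.
sub groups_for {
    my ($self, $user, $authenticated) = @_;
    my $rec = $self->{records}{$user};
    return $rec if $rec;                 # cache hit: no directory traffic
    return [] unless $authenticated;     # unknown and unauthenticated: no lookup
    $self->{queries}++;
    $rec = $self->{lookup}->($user) or return [];   # absent from directory: no groups
    return $self->{records}{$user} = $rec;          # remember the refreshed record
}

package main;

my $cache = GroupCache->new(lookup => sub { $DIRECTORY{ $_[0] } });
$cache->load_all(\%DIRECTORY);

$DIRECTORY{bob} = ['wiki-users'];   # user created after the cache was built

# Cases: [user, authenticated?]. 'carol' is authenticated but not in the directory.
for my $case (['bob', 0], ['bob', 1], ['bob', 1], ['carol', 1]) {
    my ($user, $auth) = @$case;
    my $groups = $cache->groups_for($user, $auth);
    printf "%-6s auth=%d groups=[%s] directory_queries=%d\n",
        $user, $auth, join(',', @$groups), $cache->{queries};
}
```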