
Feature request: split ldap.base for user and group lookups

General user discussion about using the OMERO platform to its fullest.
Please note: these are historical discussions about OMERO. Please look for and ask new questions at https://forum.image.sc/tags/omero

There are workflow guides for various OMERO functions on our help site - http://help.openmicroscopy.org

You should find answers to any basic questions about using the clients there.


Postby rdecoster » Wed Dec 06, 2017 12:50 pm

I'm currently using this omero.ldap.user_filter:

omero.ldap.user_filter=(memberOf=CN=GBW.GS.ISPAMM.Users,OU=ISPAMM,OU=groups_sec,OU=GBW,OU=kuleuven,DC=luna,DC=kuleuven,DC=be)


Now I'd like to use nested groups within GBW.GS.ISPAMM.Users. With the LDAP filter below that would work (tested and in use on a Nextcloud system):

(memberOf:1.2.840.113556.1.4.1941:=CN=GBW.GS.ISPAMM.Users,OU=ISPAMM,OU=groups_sec,OU=GBW,OU=kuleuven,DC=luna,DC=kuleuven,DC=be)


However, because our AD is rather big, this times out. On the Nextcloud we can solve this by defining a more specific search base, e.g.:

OU=GBW,OU=pers,OU=users,OU=kuleuven,DC=luna,DC=kuleuven,DC=be


I can do this as well in OMERO by adjusting omero.ldap.base, and for the user LDAP queries that would work.

However :-), my group LDAP searches don't work anymore at that point because they are located somewhere else in the AD structure. So a solution would be to have 2 properties instead of omero.ldap.base:
- omero.ldap.user_base (for user queries)
- omero.ldap.group_base (for group queries)

Or is this already possible somehow?
If not, would you consider this in future versions?
Best,
Raf

Re: Feature request: split ldap.base for user and group look

Postby jmoore » Thu Dec 07, 2017 5:03 pm

Hi Raf,

rdecoster wrote: I'm currently using this omero.ldap.user_filter:


Can you paste the rest of your omero.ldap.* configuration (ignoring passwords of course)?

rdecoster wrote: However, because our AD is rather big, this times out. On the Nextcloud we can solve this by defining a more specific search base, e.g.:

OU=GBW,OU=pers,OU=users,OU=kuleuven,DC=luna,DC=kuleuven,DC=be

The reason I ask for the rest of the config is because it may be possible to add this clause to a :query: setting rather than using memberOf. Does your AD have the inverse properties so that you can find the members of a group on the group itself?

rdecoster wrote: So a solution would be to have 2 properties instead of omero.ldap.base:
- omero.ldap.user_base (for user queries)
- omero.ldap.group_base (for group queries)

Or is this already possible somehow?
If not, would you consider this in future versions?

This isn't currently possible. I looked into it briefly and it's not as easy as just having 2 separate bases since the 2 queries share infrastructure. If we can't find a workaround, I'll look into it further.

Cheers,
~Josh.

Re: Feature request: split ldap.base for user and group look

Postby rdecoster » Mon Dec 11, 2017 2:45 pm

Hi Josh,

Below is my config:
omero.data.dir=/media/GBW-0004_CMEVIB_OMERO
omero.db.name=omero_database
omero.db.pass=xxx
omero.db.user=xxx
omero.fs.repo.path=%group%/%user%//%year%-%month%/%day%/%time%
omero.jvmcfg.percent=75
omero.jvmcfg.perm_gen=4G
omero.jvmcfg.strategy=percent
omero.ldap.base=DC=luna,DC=kuleuven,DC=be
omero.ldap.config=true
omero.ldap.group_filter=(&(objectClass=group)(cn=GBW.GS.ISPAMM.*)(!(cn=GBW.GS.ISPAMM.Users)))
omero.ldap.group_mapping=name=cn
omero.ldap.new_user_group=:filtered_dn_attribute:memberOf
omero.ldap.password=xxx
omero.ldap.sync_on_login=true
omero.ldap.urls=ldaps://ICTS-S-DC1.luna.kuleuven.be:3269
omero.ldap.user_filter=(memberOf=CN=GBW.GS.ISPAMM.Users,OU=ISPAMM,OU=groups_sec,OU=GBW,OU=kuleuven,DC=luna,DC=kuleuven,DC=be)
omero.ldap.user_mapping=omeName=sAMAccountName,firstName=givenName,lastName=sn,email=mail
omero.ldap.username=CN=GBW.A.CMEVIB.ISPAMM,OU=services,OU=GBW,OU=kuleuven,DC=luna,DC=kuleuven,DC=be
omero.mail.config=true
omero.mail.from=xxx@kuleuven.be
omero.mail.host=smtp.kuleuven.be
omero.pixeldata.threads=8
omero.security.keyStore=/home/omero/.mystore
omero.security.keyStorePassword=xxx
omero.security.trustStore=/home/omero/test
omero.security.trustStorePassword=xxx
omero.throttling.method_time.error=50000
omero.web.admins=[["Raf De Coster", "xxx@kuleuven.be"]]
omero.web.application_server=wsgi-tcp
omero.web.application_server.port=4080
omero.web.apps=["figure"]
omero.web.page_size=1000
omero.web.server_list=[["localhost", 4064, "omero"]]
omero.web.ui.top_links=[["Data", "webindex", {"title": "Browse Data via Projects, Tags etc"}], ["History", "history", {"title": "History"}], ["Help", "http://help.openmicroscopy.org/", {"target": "new", "title": "Open OMERO user guide in a new tab"}], ["Figure", "figure_index", {"target": "figure", "title": "Open Figure in new tab"}]]


If I understand you correctly about the inverse properties, yes, I think that is possible. To make sure, I would have to ask the AD admins.

Looking forward to your help.
Thanks!
Raf

Re: Feature request: split ldap.base for user and group look

Postby jmoore » Mon Dec 11, 2017 3:33 pm

Hi Raf,

A starting point for the query you need is on https://docs.openmicroscopy.org/omero/5.4.1/sysadmins/server-ldap.html:

omero.ldap.new_user_group=:query:(member=@{dn})


From there, you would need to add clauses such that only groups from the subtree you are interested in are added:

# perhaps using a '*' query?
:query:(&(member=@{dn})(...restrict to the subgroups you want...))


Any user who has no groups returned will not be considered for inclusion in OMERO. For testing this, use the single higher-level base with a tool like ldapsearch and see if you can reduce the groups down to something that doesn't time out.

Let us know how it goes!
~Josh
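As an added example that is not part of the thread or of OMERO itself, the following Python builds the filters discussed above (the nested-group user_filter, the restricted :query: value for omero.ldap.new_user_group, and the same query with a concrete DN substituted for testing with ldapsearch) with RFC 4515 escaping, so that a DN containing '(' ')' '*' or '\' cannot change the shape of the filter it is pasted into. The group DN and cn prefix are the ones from the thread; the user DN in the demo is constructed.

```python
# Added example, not code from the thread or from OMERO.

# Group DN and cn prefix as used in the thread.
ISPAMM_USERS_DN = ("CN=GBW.GS.ISPAMM.Users,OU=ISPAMM,OU=groups_sec,OU=GBW,"
                   "OU=kuleuven,DC=luna,DC=kuleuven,DC=be")
# Microsoft's LDAP_MATCHING_RULE_IN_CHAIN OID (transitive group membership).
IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515 section 3)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def nested_member_filter(group_dn: str) -> str:
    """omero.ldap.user_filter matching direct and nested members of group_dn."""
    return f"(memberOf:{IN_CHAIN}:={escape_filter_value(group_dn)})"


def group_clauses(cn_prefix: str, exclude_cn: str) -> str:
    """Clauses restricting results to groups named cn_prefix*, minus exclude_cn."""
    return ("(objectClass=group)"
            f"(cn={escape_filter_value(cn_prefix)}*)"
            f"(!(cn={escape_filter_value(exclude_cn)}))")


def new_user_group_query(cn_prefix: str, exclude_cn: str) -> str:
    """omero.ldap.new_user_group value; '@{dn}' is left for OMERO to fill in."""
    return f":query:(&(member=@{{dn}}){group_clauses(cn_prefix, exclude_cn)})"


def ldapsearch_filter(user_dn: str, cn_prefix: str, exclude_cn: str) -> str:
    """The same query with a concrete user DN substituted, for ldapsearch testing."""
    return f"(&(member={escape_filter_value(user_dn)}){group_clauses(cn_prefix, exclude_cn)})"


if __name__ == "__main__":
    print(nested_member_filter(ISPAMM_USERS_DN))
    print(new_user_group_query("GBW.GS.ISPAMM.", "GBW.GS.ISPAMM.Users"))
    # Constructed user DN with a parenthesised cn to show the escaping at work.
    demo_dn = ("CN=Doe (Raf),OU=GBW,OU=pers,OU=users,OU=kuleuven,"
               "DC=luna,DC=kuleuven,DC=be")
    print(ldapsearch_filter(demo_dn, "GBW.GS.ISPAMM.", "GBW.GS.ISPAMM.Users"))
```

The ldapsearch_filter output can be passed as the filter argument of ldapsearch against the single higher-level base, as suggested above, to check which groups come back for a given user before committing the :query: value to the OMERO config.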
