
Assigning LDAP users to groups not on LDAP

PostPosted: Thu Feb 01, 2018 9:51 am
by ratamero
Hi there!

We have LDAP authentication up and running, with new LDAP users being placed on the default group. The problem we have is that the AD structure we have access to via LDAP does not contain the information we need to assign people to the groups we'd like to have on OMERO. It would be easy, however, to have advance knowledge of which usernames would need to be assigned to each group even before those users logged in for the very first time.

Is there a way to do this group assignment automatically from something like a lookup table upon their first LDAP login? Of course, the alternative would be relying on group owners/PIs to add their students to the correct group, which is probably fine but not ideal.

Re: Assigning LDAP users to groups not on LDAP

PostPosted: Thu Feb 01, 2018 11:38 am
by jmoore
ratamero wrote: Hi there!


Good morning!

Is there a way to do this group assignment automatically from something like a lookup table upon their first LDAP login?


Options I can think of from hardest to easiest:
  • Run your own LDAP which overlays on top of the AD
  • Write your own (LDAP) password plugin which encodes this information
  • Pre-create users with the groups before they login, perhaps via a cron

Let us know if you'd like to hear more about any of those.
Cheers,
~Josh.

Re: Assigning LDAP users to groups not on LDAP

PostPosted: Thu Feb 01, 2018 2:32 pm
by ratamero
Pre-creating users sounds feasible enough, and it didn't occur to me at all. So if I'm doing this via cron, I'd need to:

1) Create all relevant groups
2) Create all relevant users within the correct groups
(Optionally) 3) add users to a public-data group
4) use bin/omero ldap setdn so they can log in via LDAP

Is that correct? If so, I still have a couple of questions:

1) if I was to keep a list of users and respective groups (that could be amended over time), would trying to create an existing user/group just "fail nicely" or would I need to keep control over which users/groups have been created already?
2) when creating a group, which would be the simplest way to know which ID was assigned to it?

Thanks again!

Re: Assigning LDAP users to groups not on LDAP

PostPosted: Thu Feb 01, 2018 3:49 pm
by jmoore
ratamero wrote: Pre-creating users sounds feasible enough, and it didn't occur to me at all. So if I'm doing this via cron, I'd need to:

1) Create all relevant groups
2) Create all relevant users within the correct groups
(Optionally) 3) add users to a public-data group
4) use bin/omero ldap setdn so they can log in via LDAP

Is that correct?


Nearly.

1) Create all relevant groups
2) Create all relevant users using bin/omero ldap create
3) Place users in relevant groups (incl public-data)

If so, I still have a couple of questions:

1) if I was to keep a list of users and respective groups (that could be amended over time), would trying to create an existing user/group just "fail nicely" or would I need to keep control over which users/groups have been created already?


`bin/omero group add` has an --ignore-existing flag:

  --ignore-existing                     Do not fail if user already exists


I'm less sure that the other commands are going to behave as you want.

2) when creating a group, which would be the simplest way to know which ID was assigned to it?


Hmm... looks like the `bin/omero group` commands are not well-behaved so stdout cannot be (easily) captured.

If you reach the point where scripting in bash is becoming too difficult, I would suggest it all be done in Python directly. Regardless, I've captured various TODOs in https://trello.com/c/79gX6yRu/58-rfe-bin-omero-group-creation.

All the best,
~Josh
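The three-step cron procedure above (groups, then `ldap create`, then group membership) driven by a lookup table, as an added example that is neither from this thread nor part of OMERO itself. It assumes an environment variable OMERO_BIN pointing at bin/omero, a working LDAP configuration, and a state file that records what has already been provisioned, since only `group add` is known here to tolerate existing objects.

```shell
#!/bin/sh
# Added example (not from the thread or the OMERO project): provision OMERO
# groups and LDAP-backed users from a "username,group" lookup table so a cron
# job can rerun it safely. OMERO_BIN is an assumed variable naming the CLI.
OMERO_BIN="${OMERO_BIN:-bin/omero}"

# provision_from_table TABLE STATEFILE
#   TABLE:     lines of "username,group"; blank lines and '#' comments skipped.
#   STATEFILE: "username,group" pairs already provisioned. The state file,
#              not the CLI, decides whether `ldap create` runs for a user,
#              because the thread only vouches for `group add` being idempotent.
# Prints the number of group memberships added on this run.
provision_from_table() {
    table="$1"
    state="$2"
    added=0
    touch "$state" || return 1
    while IFS=, read -r user group; do
        case "$user" in ''|'#'*) continue ;; esac
        # Step 1: groups; --ignore-existing (the flag quoted above) makes reruns harmless.
        # </dev/null keeps the CLI from consuming the table we are reading on stdin.
        "$OMERO_BIN" group add --ignore-existing "$group" </dev/null || return 1
        # Already recorded for this user/group pair: nothing to do.
        if grep -qx -- "$user,$group" "$state"; then
            continue
        fi
        # Step 2: create the account against LDAP only on the user's first appearance,
        # so the password stays in AD and no local credential is ever set.
        if ! grep -q -- "^$user," "$state"; then
            "$OMERO_BIN" ldap create "$user" </dev/null || return 1
        fi
        # Step 3: membership (incl. a public-data group listed as another row).
        "$OMERO_BIN" group adduser --name "$group" "$user" </dev/null || return 1
        # Record the pair only after both commands succeeded.
        printf '%s,%s\n' "$user" "$group" >> "$state"
        added=$((added + 1))
    done < "$table"
    echo "$added"
}
```

A failed CLI call aborts the run before the pair is recorded, so the next cron run retries exactly that user rather than silently skipping them.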

Re: Assigning LDAP users to groups not on LDAP

PostPosted: Thu Feb 01, 2018 4:22 pm
by ratamero
Ignoring existing stuff is less of a problem exactly where it can be done - we won't have new groups very often, and it's no big deal creating those manually when that happens. Now that I think about it, even new users will probably only appear a few times per year, and I would need to be informed by their PI before they log into OMERO in any case. Maybe the time I would save is not worth the scripting time. In any case, thanks again! I'm glad it raised a few TODOs :)

Re: Assigning LDAP users to groups not on LDAP

PostPosted: Thu Feb 01, 2018 4:35 pm
by jmoore
https://xkcd.com/1205/ wins again. Hope you enjoy OMERO!

~Josh.

Re: Assigning LDAP users to groups not on LDAP

PostPosted: Thu Feb 01, 2018 4:44 pm
by ratamero
I'm already enjoying it - I hope everyone else in the department enjoys it as much as I do ;)