cannot query LDAP

Having a problem deploying OMERO? Please ask new questions at https://forum.image.sc/tags/omero

cannot query LDAP

Postby bernie » Wed Mar 02, 2011 11:05 am

Does anyone know how to enforce membership of a groupofuniquenames to allow a login to omero? What should the omero.ldap look like?

This is our most recent attempt:

omero.config.version=4.2.1
omero.db.name=omero
omero.db.pass=********
omero.db.user=omero
omero.ldap.base=ou=group,ou=Unix,ou=USCS,o=University of Sussex
omero.ldap.config=true
omero.ldap.new_user_group=default
omero.ldap.group_filter=(objectclass=groupofuniquenames)
omero.ldap.group_mapping=name=cn
omero.ldap.urls=ldap://ldap0.uscs.sussex.ac.uk:389
omero.ldap.user_filter=(Memberof=DN=CN=omerodev)
omero.ldap.user_mapping=omeName=uid,firstName=givenName,lastName=sn,email=mail
omero.web.application_host=http://omerodev.lifesci.susx.ac.uk:80
omero.web.application_server=fastcgi-tcp
bernie
 
Posts: 50
Joined: Mon Aug 17, 2009 12:03 pm

Re: cannot query LDAP

Postby cxallan » Thu Mar 03, 2011 6:17 pm

Those are RFC 2254 LDAP filters (http://www.faqs.org/rfcs/rfc2254.html), so they must conform to that syntax and are only able to do what those filters can do. You can test the filters via ldapsearch on your OMERO server (assuming you have the OpenLDAP binaries installed). In your case I would expect something like the following to work:

...
omero.ldap.user_filter=(Memberof=CN=omerodev, ou=group,ou=Unix,ou=USCS,o=University of Sussex)
...
cxallan
Site Admin
 
Posts: 509
Joined: Fri May 01, 2009 8:07 am
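The two points above (the filter must be valid RFC 2254 syntax, and the memberOf value must be the group's full DN) can be checked before touching the server. The following is an added example, not OMERO's own code: a small RFC 2254 syntax checker plus a builder that produces the `(memberOf=<group DN>)` filter with the value escaped per RFC 2254 section 4, so a CN containing filter metacharacters cannot alter the filter structure. The function names and the simplified grammar are this example's own assumptions.

```python
import re

# RFC 2254 section 4: these characters must be hex-escaped inside a value,
# otherwise they change the structure of the filter (classic LDAP injection).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_ATTR = re.compile(r"[A-Za-z][A-Za-z0-9.;-]*")

def escape_value(value: str) -> str:
    """Escape an assertion value before embedding it in a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def member_of_filter(group_cn: str, base: str, attr: str = "memberOf") -> str:
    """Build the (memberOf=<full group DN>) filter from a group CN and base DN."""
    return f"({attr}={escape_value(f'CN={group_cn},{base}')})"

def is_well_formed(flt: str) -> bool:
    """True if the whole string parses as exactly one RFC 2254 filter."""
    end, ok = _parse(flt, 0)
    return ok and end == len(flt)

def _parse(s: str, i: int):
    """Recursive descent over: filter = "(" (and | or | not | item) ")"."""
    if not s.startswith("(", i):
        return i, False
    i += 1
    if s.startswith(("&", "|"), i):          # and / or: one or more sub-filters
        i, n = i + 1, 0
        while s.startswith("(", i):
            i, ok = _parse(s, i)
            if not ok:
                return i, False
            n += 1
        if n == 0:
            return i, False
    elif s.startswith("!", i):               # not: exactly one sub-filter
        i, ok = _parse(s, i + 1)
        if not ok:
            return i, False
    else:                                    # item: attr filtertype value
        m = _ATTR.match(s, i)
        op = m and next((o for o in ("~=", ">=", "<=", "=") if s.startswith(o, m.end())), None)
        if not op:
            return i, False
        i = m.end() + len(op)
        while i < len(s) and s[i] != ")":    # value runs to the closing paren
            if s[i] == "(":                  # unescaped "(" is not a value char
                return i, False
            i += 1
    return (i + 1, True) if s.startswith(")", i) else (i, False)
```

Note that the original `(Memberof=DN=CN=omerodev)` passes the syntax check: it is a valid filter whose value is the literal string `DN=CN=omerodev`, which is why ldapsearch returns nothing rather than an error.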

Re: cannot query LDAP

Postby bernie » Tue May 03, 2011 9:47 am

Follow up:

LDAP couldn't work because the memberOf attribute in OpenLDAP wasn't configured.

The final, successful configuration was done in AD (which is the production directory).
bernie
 
Posts: 50
Joined: Mon Aug 17, 2009 12:03 pm

Re: cannot query LDAP

Postby jmoore » Tue May 03, 2011 10:07 am

Bernie,

thanks for getting back to us. We ran into something similar when testing on ApacheDS:

http://git.openmicroscopy.org/?p=ome.git;a=blob;f=components/server/test/ome/services/ldap/testAttrGroup/test.xml;h=550fd2bc80b31dc8c6f3c7a691d861c293582f84;hb=HEAD#l19

We'll look into adding this to our FAQ to save others the confusion.

Best wishes,
~Josh.
jmoore
Site Admin
 
Posts: 1591
Joined: Fri May 22, 2009 1:29 pm
Location: Germany

Re: cannot query LDAP

Postby bernie » Tue May 03, 2011 11:02 am

I'm by no means an LDAP expert :) but I also found that omero.ldap.username needed the FQDN (Distinguished Name):

omero.ldap.username=CN=**,OU=**,OU=**,DC=**,DC=**,DC=ac,DC=uk

I'd been using Apache Directory Studio to test queries and this didn't require the FQDN. There might well be good reason for this and I'm sure it's good practice but it caused a lot of head banging!

Always very appreciative of the help I get from this forum.
bernie
 
Posts: 50
Joined: Mon Aug 17, 2009 12:03 pm
