
cannot query LDAP

Posted: Wed Mar 02, 2011 11:05 am
by bernie
Does anyone know how to enforce membership of a groupofuniquenames to allow a login to omero? What should the omero.ldap look like?

This is our most recent attempt:

omero.config.version=4.2.1
omero.db.name=omero
omero.db.pass=********
omero.db.user=omero
omero.ldap.base=ou=group,ou=Unix,ou=USCS,o=University of Sussex
omero.ldap.config=true
omero.ldap.new_user_group=default
omero.ldap.group_filter=(objectclass=groupofuniquenames)
omero.ldap.group_mapping=name=cn
omero.ldap.urls=ldap://ldap0.uscs.sussex.ac.uk:389
omero.ldap.user_filter=(Memberof=DN=CN=omerodev)
omero.ldap.user_mapping=omeName=uid,firstName=givenName,lastName=sn,email=mail
omero.web.application_host=http://omerodev.lifesci.susx.ac.uk:80
omero.web.application_server=fastcgi-tcp

Re: cannot query LDAP

Posted: Thu Mar 03, 2011 6:17 pm
by cxallan
Those are RFC 2254 LDAP filters (http://www.faqs.org/rfcs/rfc2254.html), so they must conform to that syntax and are only able to do what those filters can do. You can test the filters via ldapsearch on your OMERO server (assuming you have the OpenLDAP binaries installed). In your case I would expect something like the following to work:

...
omero.ldap.user_filter=(Memberof=CN=omerodev, ou=group,ou=Unix,ou=USCS,o=University of Sussex)
...
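As an added example (not from this thread and not OMERO's own code), a small Python helper that builds the memberOf filter suggested above from the group CN and the configured base DN, escapes the assertion value as RFC 4515 (the successor of RFC 2254) requires, and checks that the result is a syntactically valid filter before it is pasted into omero.ldap.user_filter. It assumes the group entry sits directly under the base DN as CN=<group>.

```python
import re

# RFC 4515 section 3: characters that must be escaped when they appear
# literally inside an assertion value (otherwise they change the filter).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# One simple filter item: attribute, comparison operator, assertion value.
# Bare parentheses are not allowed in the value; escapes are \XX hex pairs.
_ITEM = re.compile(r"[A-Za-z0-9.;-]+(?:~=|>=|<=|=)(?:[^()\\\x00]|\\[0-9A-Fa-f]{2})*")


def escape_filter_value(value: str) -> str:
    """Return value with the RFC 4515 filter metacharacters escaped."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def member_of_filter(group_cn: str, base_dn: str) -> str:
    """Build the user_filter from the thread: memberOf must carry the group's
    full DN, not just its CN. Assumes the group sits directly under base_dn."""
    group_dn = f"CN={escape_filter_value(group_cn)},{escape_filter_value(base_dn)}"
    return f"(memberOf={group_dn})"


def _parse(s: str, i: int):
    """Parse one parenthesised filter starting at s[i]; return (next index, ok)."""
    if i >= len(s) or s[i] != "(":
        return i, False
    i += 1
    if i < len(s) and s[i] in "&|":           # (&(f1)(f2)...) or (|(f1)...)
        i, inner = i + 1, 0
        while i < len(s) and s[i] == "(":
            i, ok = _parse(s, i)
            if not ok:
                return i, False
            inner += 1
        if inner == 0:                         # a filterlist needs at least one filter
            return i, False
    elif i < len(s) and s[i] == "!":           # (!(f))
        i, ok = _parse(s, i + 1)
        if not ok:
            return i, False
    else:
        m = _ITEM.match(s, i)
        if m is None:
            return i, False
        i = m.end()
    return (i + 1, True) if i < len(s) and s[i] == ")" else (i, False)


def well_formed(filter_text: str) -> bool:
    """True if the whole string is exactly one syntactically valid RFC 4515 filter."""
    end, ok = _parse(filter_text, 0)
    return ok and end == len(filter_text)
```

Note that well_formed only checks syntax: the original (Memberof=DN=CN=omerodev) passes it but compares memberOf against a string that is not a DN, which is why it matches nothing. Escaping also keeps a group name containing ")" or "*" from being read as extra filter terms.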

Re: cannot query LDAP

Posted: Tue May 03, 2011 9:47 am
by bernie
Follow up:

LDAP couldn't work because the memberOf attribute in OpenLDAP wasn't configured.

The final, and successful configuration, was done in AD (which is the production directory).

Re: cannot query LDAP

Posted: Tue May 03, 2011 10:07 am
by jmoore
Bernie,

thanks for getting back to us. We ran into something similar when testing on ApacheDS:

http://git.openmicroscopy.org/?p=ome.git;a=blob;f=components/server/test/ome/services/ldap/testAttrGroup/test.xml;h=550fd2bc80b31dc8c6f3c7a691d861c293582f84;hb=HEAD#l19

We'll look into adding this to our FAQ to save others the confusion.

Best wishes,
~Josh.

Re: cannot query LDAP

Posted: Tue May 03, 2011 11:02 am
by bernie
I'm by no means an LDAP expert :) but I also found that omero.ldap.username needed the FQDN (Distinguished Name):

omero.ldap.username=CN=**,OU=**,OU=**,DC=**,DC=**,DC=ac,DC=uk

I'd been using Apache Directory Studio to test queries and this didn't require the FQDN. There might well be good reason for this and I'm sure it's good practice but it caused a lot of head banging!

Always very appreciative of the help I get from this forum.