Open Microscopy Environment

[lloyd.owens]

I am running Omero 4.4 with an application called Columbus version 2.4.
LDAP is configured as shown below from the omero config get command

omero.data.dir=/u99/repository
omero.db.name=omero4_4
omero.db.pass=columbus
omero.db.patch=0
omero.db.poolsize=50
omero.db.user=columbus
omero.db.version=OMERO4.4
omero.ldap.base=dc=enterprise,dc=amgen,dc=com
omero.ldap.config=true
omero.ldap.new_user_group=ColumbusARG
omero.ldap.password=
omero.ldap.sync_on_login=true
omero.ldap.urls=ldap://ldap.amgen.com:389
omero.ldap.username=
omero.security.default_permissions=rwr---
omero.upgrades.url=http://0.0.0.0/

The same config is in the /usr/local/PerkinElmerCTG/Columbus2.4/etc/omero.properties file.

A group has been created in Omero called ColumbusARG as shown from the command

bin/omero group list

id | name | perms | # of owners | # of members
----+-------------+--------+-------------+--------------
0 | system | rw---- | 1 | 0
1 | user | rwr-r- | 0 | 4
2 | guest | rw---- | 0 | 1
3 | ARG | rwr--- | 1 | 2
53 | ColumbusARG | rwr--- | 0 | 0


The ColumbusARG group (containing 3 members) is also created on the Enterprise LDAP ( LDAPv3) server.

The Problem: The login fails when any of the 3 members try to login/authenticate to Omero. The error log
/usr/local/PerkinElmerCTG/Columbus2.4/var/log/Blitz-0.log show the failed login but does not mention anything to do with LDAP.

When I query the Enterprise LDAP server for the members of the group I get the following output indicating that the group is setup and contain the 3 members.

#ldapsearch -LLL -h ldap.amgen.com -p 389 -x -b dc=enterprise,dc=amgen,dc=com '(cn=ColumbusARG)'

dn: cn=ColumbusARG, ou=Gerb, ou=Applications, ou=Groups, dc=Enterprise,dc=amgen,dc=com
uniqueMember: uniqueidentifier=118744,ou=people,dc=enterprise,dc=amgen,dc=com
uniqueMember: uniqueidentifier=17037,ou=people,dc=enterprise,dc=amgen,dc=com
uniqueMember: uniqueidentifier=6593,ou=people,dc=enterprise,dc=amgen,dc=com
owner: uniqueidentifier=118744,ou=people,dc=enterprise,dc=amgen,dc=com
objectClass: groupofuniquenames
objectClass: top
cn: ColumbusARG

[cxallan]

It is unfortunately rather difficult for us to be of much help with a Columbus install of OMERO. You might have some luck contacting PerkinElmer directly. I assume you have gotten this far by following the OMERO LDAP page?

http://www.openmicroscopy.org/site/supp ... -ldap.html

The configuration itself looks fine. Are you attempting an anonymous bind to your LDAP server?

[lloyd.owens]

Thanks cxallan for your reply.
The LDAP support page was of great help. I would not have gotten this far without it.
Our LDAP server allows any user to run an LDAP querry. So yes, I am trying to run an anonymous bind to my LDAP server. I thouhgt this method would be a simple authentication test before configuring the
omero.ldap.password=
omero.ldap.username=

[lloyd.owens]

Whatg command can I run to confirm that the LDAP Plug-in is installed?

[cxallan]

It's included with the base install so there's no way to check extensively without messing around with a lot of internal configuration files. One theory I had was that your objectClass was different. The default objectClass is "person" if you perform your ldapsearch with (objectClass=person) do you still get results?

[lloyd.owens]

ldapsearch with (objectClass=person) gives lots of users in the company. It shows my dn as:-
dn: uniqueidentifier=118745,ou=People,dc=Enterprise,dc=amgen,dc=com

[jmoore]

There have been some recent issues trying to get OMERO to work with Active Directory that may be related (See http://lists.openmicroscopy.org.uk/pipermail/ome-users/2013-November/004034.html on the mailing lists)

Could you show an example ldapsearch query for the users, as opposed to the group? What interests me is the "cn" value that appears since that is what is used as the user login. See "user_mapping" for more information.

Cheers,
~Josh

[lloyd.owens]

Here is the relevant output from the following search
ldapsearch -LLL -h ldap.amgen.com -p 389 -x -b dc=enterprise,dc=amgen,dc=com '(cn=Owens, Lloyd)'

dn: uniqueidentifier=118744,ou=People,dc=Enterprise,dc=amgen,dc=com
memberOf: cn=teamsus1_users,ou=teamsus1,ou=EDM Teams,ou=EDM,ou=Groups,dc=Enterprise,dc=amgen,dc=com
memberOf: cn=edmcrfus1_users,ou=edmcrfus1,ou=EDM Crf,ou=EDM,ou=Groups,dc=Enterprise,dc=amgen,dc=com
memberOf: cn=edmcorpus1_users,ou=edmcorpus1,ou=EDM Corporate,ou=EDM,ou=Groups,dc=Enterprise,dc=amgen,dc=com
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: person
objectClass: top
amgen-comCN: Lloyd Owens
cn: Owens, Lloyd
employeeType: Consultant
givenName: Lloyd
sn: Owens
uid: lloydo
uniqueIdentifier: 118744
**********
I noted that the output does not list that I am in the columbusarg group

Also, if I use my login id in the search
ldapsearch -LLL -h ldap.amgen.com -p 389 -x -b dc=enterprise,dc=amgen,dc=com '(cn=lloydo)'
I get no output whatsoever.

NB: At my company, LDAP is in sync with Active Directory so that my windows login id and password is passed to LDAP. I

[jmoore]

Hi Lloyd,

dn: uniqueidentifier=118744,ou=People,dc=Enterprise,dc=amgen,dc=com
cn: Owens, Lloyd
uid: lloydo

Based on the default setting for user_mapping, you should be able to login with "Owens, Lloyd". If you want to login with lloydo, you'll need to run:

Code: Select all

bin/omero config set omero.ldap.user_mapping omeName=uid,firstName=givenName,lastName=sn,email=mail


Also, if I use my login id in the search
ldapsearch -LLL -h ldap.amgen.com -p 389 -x -b dc=enterprise,dc=amgen,dc=com '(cn=lloydo)'
I get no output whatsoever.

Can you try with the search '(uid=lloydo)' ?

Cheers,
~Josh

[lloyd.owens]

The search
ldapsearch -LLL -h ldap.amgen.com -p 389 -x -b dc=enterprise,dc=amgen,dc=com '(uid=lloydo)'
Gives me sensible output the same result as
ldapsearch -LLL -h ldap.amgen.com -p 389 -x -b dc=enterprise,dc=amgen,dc=com '(cn=Owens, Lloyd)'
shown in a previous post.