Assigning LDAP users to groups not on LDAP

General user discussion about using the OMERO platform to its fullest. Please ask new questions at https://forum.image.sc/tags/omero

There are workflow guides for various OMERO functions on our help site - http://help.openmicroscopy.org

You should find answers to any basic questions about using the clients there.

Assigning LDAP users to groups not on LDAP

Postby ratamero » Thu Feb 01, 2018 9:51 am

Hi there!

We have LDAP authentication up and running, with new LDAP users being placed on the default group. The problem we have is that the AD structure we have access to via LDAP does not contain the information we need to assign people to the groups we'd like to have on OMERO. It would be easy, however, to have advance knowledge of which usernames would need to be assigned to each group even before those users logged in for the very first time.

Is there a way to do this group assignment automatically from something like a lookup table upon their first LDAP login? Of course, the alternative would be relying on group owners/PIs to add their students to the correct group, which is probably fine but not ideal.
ratamero
 
Posts: 46
Joined: Mon Jan 29, 2018 5:55 pm

Re: Assigning LDAP users to groups not on LDAP

Postby jmoore » Thu Feb 01, 2018 11:38 am

ratamero wrote: Hi there!

Good morning!

Is there a way to do this group assignment automatically from something like a lookup table upon their first LDAP login?


Options I can think of from hardest to easiest:
  • Run your own LDAP which overlays on top of the AD
  • Write your own (LDAP) password plugin which encodes this information
  • Pre-create users with the groups before they login, perhaps via a cron

Let us know if you'd like to hear more about any of those.
Cheers,
~Josh.
jmoore
Site Admin
 
Posts: 1591
Joined: Fri May 22, 2009 1:29 pm
Location: Germany

Re: Assigning LDAP users to groups not on LDAP

Postby ratamero » Thu Feb 01, 2018 2:32 pm

Pre-creating users sounds feasible enough, and it didn't occur to me at all. So if I'm doing this via cron, I'd need to:

1) Create all relevant groups
2) Create all relevant users within the correct groups
(Optionally) 3) add users to a public-data group
4) use bin/omero ldap setdn so they can log in via LDAP

Is that correct? If so, I still have a couple of questions:

1) if I was to keep a list of users and respective groups (that could be amended over time), would trying to create an existing user/group just "fail nicely" or would I need to keep control over which users/groups have been created already?
2) when creating a group, which would be the simplest way to know which ID was assigned to it?

Thanks again!
ratamero
 
Posts: 46
Joined: Mon Jan 29, 2018 5:55 pm

Re: Assigning LDAP users to groups not on LDAP

Postby jmoore » Thu Feb 01, 2018 3:49 pm

ratamero wrote: Pre-creating users sounds feasible enough, and it didn't occur to me at all. So if I'm doing this via cron, I'd need to:

1) Create all relevant groups
2) Create all relevant users within the correct groups
(Optionally) 3) add users to a public-data group
4) use bin/omero ldap setdn so they can log in via LDAP

Is that correct?


Nearly.

1) Create all relevant groups
2) Create all relevant users using bin/omero ldap create
3) Place users in relevant groups (incl public-data)

If so, I still have a couple of questions:

1) if I was to keep a list of users and respective groups (that could be amended over time), would trying to create an existing user/group just "fail nicely" or would I need to keep control over which users/groups have been created already?


`bin/omero group add` has an --ignore-existing flag:

    --ignore-existing                     Do not fail if user already exists


I'm less sure that the other commands are going to behave as you want.

2) when creating a group, which would be the simplest way to know which ID was assigned to it?


Hmm... looks like the `bin/omero group` commands are not well-behaved so stdout cannot be (easily) captured.

If you reach the point where scripting in bash is becoming too difficult, I would suggest it all be done in Python directly. Regardless, I've captured various TODOs in https://trello.com/c/79gX6yRu/58-rfe-bin-omero-group-creation.

All the best,
~Josh
jmoore
Site Admin
 
Posts: 1591
Joined: Fri May 22, 2009 1:29 pm
Location: Germany
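As an added example (not code from the thread or from the OMERO project), here is the Python route Josh suggests for the three-step procedure above: a cron-friendly script that reads a constructed username-to-groups lookup table and builds an ordered, rerunnable plan of bin/omero commands. `group add --ignore-existing` and `ldap create` are the commands named in the thread; `group adduser --name/--user-name` is assumed CLI syntax for the membership step, so check it against your OMERO version before running with dry_run=False.

```python
"""Build an idempotent plan of bin/omero commands from a username->groups lookup table."""
import csv
import io
import shlex
import subprocess

# Constructed sample lookup table: one row per user, groups separated by ';'.
LOOKUP_CSV = """username,groups
alice,lab-smith;public-data
bob,lab-jones
carol,lab-smith;lab-jones;public-data
"""


def load_lookup(text):
    """Parse the CSV into {username: [group, ...]}, keeping order, dropping blanks and duplicates."""
    users = {}
    for row in csv.DictReader(io.StringIO(text)):
        name = row["username"].strip()
        groups = []
        for g in row["groups"].split(";"):
            g = g.strip()
            if g and g not in groups:
                groups.append(g)
        if name:
            users[name] = groups
    return users


def build_plan(users, omero="bin/omero"):
    """Return argv lists in the order from the thread: groups, then LDAP users, then membership."""
    plan = []
    all_groups = []
    for groups in users.values():
        all_groups.extend(g for g in groups if g not in all_groups)
    # Step 1: groups. --ignore-existing (from the thread) makes repeated cron runs safe.
    for g in all_groups:
        plan.append([omero, "group", "add", "--ignore-existing", g])
    # Step 2: create the LDAP-backed users with 'bin/omero ldap create', as in the thread.
    for name in users:
        plan.append([omero, "ldap", "create", name])
    # Step 3: membership (incl. public-data). 'group adduser --name/--user-name' is ASSUMED syntax.
    for name, groups in users.items():
        for g in groups:
            plan.append([omero, "group", "adduser", "--name", g, "--user-name", name])
    return plan


def run_plan(plan, dry_run=True):
    """Print each command; execute only when dry_run is False. Returns the command count."""
    for argv in plan:
        print(shlex.join(argv))
        if not dry_run:
            subprocess.run(argv, check=False)  # keep going; the CLI reports its own failures
    return len(plan)


if __name__ == "__main__":
    run_plan(build_plan(load_lookup(LOOKUP_CSV)))
```

Because the user-creation and membership commands are the ones Josh is "less sure" will tolerate existing entries, keep the dry run as the default and inspect the printed plan before letting cron execute it.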

Re: Assigning LDAP users to groups not on LDAP

Postby ratamero » Thu Feb 01, 2018 4:22 pm

Ignoring existing stuff is less of a problem exactly where it can be done - we won't have new groups very often, and it's no big deal creating those manually when that happens. Now that I think about it, even new users will probably only appear a few times per year, and I would need to be informed by their PI before they log into OMERO in any case. Maybe the time I would save is not worth the scripting time. In any case, thanks again! I'm glad it raised a few TODOs :)
ratamero
 
Posts: 46
Joined: Mon Jan 29, 2018 5:55 pm

Re: Assigning LDAP users to groups not on LDAP

Postby jmoore » Thu Feb 01, 2018 4:35 pm

https://xkcd.com/1205/ wins again. Hope you enjoy OMERO!

~Josh.
jmoore
Site Admin
 
Posts: 1591
Joined: Fri May 22, 2009 1:29 pm
Location: Germany

Re: Assigning LDAP users to groups not on LDAP

Postby ratamero » Thu Feb 01, 2018 4:44 pm

I'm already enjoying it - I hope everyone else in the department enjoys it as much as I do ;)
ratamero
 
Posts: 46
Joined: Mon Jan 29, 2018 5:55 pm
