
LDAP

OMERO LDAP Authentication

LDAP is an open standard for querying and modifying directory services that is commonly used for authentication, authorization and accounting (AAA). OMERO.server supports the use of an LDAP server to query (but not modify) AAA information for the purposes of automatic user (an ''Experimenter'' or ''Scientist'' in OMERO parlance) creation.

LDAP Configuration

Like many pieces of OMERO.server configuration, LDAP-specific configuration is done through the omero.ldap.* properties, which appear in the etc/omero.properties file inside your OMERO installation directory and are set with bin/omero config as shown below. The OMERO.server LDAP implementation is designed to handle three main use cases:

  • Allow every ''inetOrgPerson'' under omero.ldap.base to log in
  • additionally restrict access to members of the group(s) named in omero.ldap.groups
  • additionally restrict access to entries whose attributes listed in omero.ldap.attributes carry the corresponding values listed in omero.ldap.values

Note: We have started a discussion on the forums for discussing other use cases which are of interest: "What are your LDAP requirements?"

Example

Change any settings that are necessary via bin/omero config. These properties are stored in your Java preferences:

  • Enable or disable LDAP (true/false)

    bin/omero config set omero.ldap.config true
    
  • LDAP server URL string

    bin/omero config set omero.ldap.urls ldap://ldap.example.com:389
    

    NOTE: An SSL URL should look like this: ldaps://ldap.example.com:636. With a plain ldap:// URL and no TLS (see omero.ldap.protocol below), the bind password and every user's password are sent to the directory in cleartext.

  • LDAP server bind DN (if required; can be empty, in which case OMERO binds anonymously and the directory must permit anonymous searches under omero.ldap.base)

    bin/omero config set omero.ldap.username cn=Manager,dc=example,dc=com
    
  • LDAP server bind password (if required; can be empty). This password is stored alongside the other settings, so the account running OMERO.server and its preference files should be protected from other users of the machine.

    bin/omero config set omero.ldap.password secret
    
  • LDAP server base search DN

    bin/omero config set omero.ldap.base dc=example,dc=com
    
  • The unique group CNs that the user must be a member of to be allowed access to OMERO (can be empty)

    bin/omero config set omero.ldap.groups OmeroUsers
    
  • Attributes, separated by ',', that users must have to be allowed access to OMERO (can be empty)

    bin/omero config set omero.ldap.attributes omeroUser,accountEnabled
    
  • Values, separated by ',', that the above 'omero.ldap.attributes' must hold to allow access to OMERO, one per attribute and in the same order (can be empty)

    bin/omero config set omero.ldap.values true,true
    
  • LDAP server protocol (set to TLS to encrypt the connection; leave empty otherwise)

    bin/omero config set omero.ldap.protocol TLS
    
  • LDAP server key store path

    bin/omero config set omero.ldap.keyStore /home/user/.mystore
    

    A keystore is a database of private keys and their associated X.509 certificate chains authenticating the corresponding public keys. It is only needed when the LDAP server requires OMERO to present a client certificate.

  • LDAP server key store password

    bin/omero config set omero.ldap.keyStorePassword secret
    
  • LDAP server trust store path

    bin/omero config set omero.ldap.trustStore /home/user/.keystore
    

    A truststore is a database of trusted entities and their associated X.509 certificate chains authenticating the corresponding public keys. It contains the Certificate Authority (CA) certificates, and where applicable the certificate of the other party, that OMERO uses to verify the LDAP server before sending it any (confidential) data. This file must contain the CA certificate(s) that signed the LDAP server's certificate, or the server's own certificate if it is self-signed.

  • LDAP server trust store password

    bin/omero config set omero.ldap.trustStorePassword secret
    

    NOTE: Empty values above should look like this: 'omero.ldap.groups='

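How the settings above combine is easiest to see in code. The following is an added, stand-alone Python example (not OMERO's own code): it reads the omero.ldap.* values from the example, builds the RFC 4515 search filter for the user entry with proper escaping (so a login name such as "*)(uid=*" cannot widen the filter), applies the three use cases to constructed directory entries, and flags a cleartext transport. The group check assumes the group entry lists member DNs in a 'member' attribute and the login name is matched against 'uid'; both are assumptions about how such a lookup is typically done, not a description of OMERO's internals.

```python
"""Added example: evaluate omero.ldap.* style settings against LDAP entries."""

# Constructed settings, mirroring the bin/omero config set lines on this page.
SETTINGS = {
    "omero.ldap.config": "true",
    "omero.ldap.urls": "ldap://ldap.example.com:389",
    "omero.ldap.base": "dc=example,dc=com",
    "omero.ldap.groups": "OmeroUsers",
    "omero.ldap.attributes": "omeroUser,accountEnabled",
    "omero.ldap.values": "true,true",
    "omero.ldap.protocol": "",          # empty: no TLS (assumed meaning)
}

# Constructed directory entries: attribute name -> list of values.
ALICE = {"dn": "uid=alice,ou=people,dc=example,dc=com",
         "objectClass": ["inetOrgPerson"],
         "omeroUser": ["true"], "accountEnabled": ["true"]}
BOB = {"dn": "uid=bob,ou=people,dc=example,dc=com",
       "objectClass": ["inetOrgPerson"],
       "omeroUser": ["true"], "accountEnabled": ["false"]}
# Assumed group layout: cn -> list of member DNs (hypothetical, not OMERO's).
GROUPS = {"OmeroUsers": [ALICE["dn"], BOB["dn"]]}


def split_csv(value):
    """Split a ','-separated setting; 'omero.ldap.groups=' (empty) gives []."""
    return [v.strip() for v in value.split(",") if v.strip()] if value else []


def escape_filter(value):
    """RFC 4515 escaping of an assertion value, so that a login name or
    directory data cannot inject extra filter terms (LDAP injection)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
                   for ch in value)


def attribute_pairs(settings):
    """Pair omero.ldap.attributes with omero.ldap.values positionally."""
    attrs = split_csv(settings.get("omero.ldap.attributes", ""))
    vals = split_csv(settings.get("omero.ldap.values", ""))
    if len(attrs) != len(vals):
        raise ValueError("omero.ldap.attributes and omero.ldap.values "
                         "must have the same number of entries")
    return list(zip(attrs, vals))


def user_filter(settings, login):
    """Search filter for the user entry: an inetOrgPerson with the given uid,
    narrowed by every configured attribute/value pair."""
    terms = ["(objectClass=inetOrgPerson)", "(uid=%s)" % escape_filter(login)]
    for attr, val in attribute_pairs(settings):
        terms.append("(%s=%s)" % (attr, escape_filter(val)))
    return "(&" + "".join(terms) + ")"


def under_base(dn, base):
    """True if dn sits at or below base (suffix match on full RDN boundary)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def allowed(settings, entry, groups):
    """Apply the three use cases to an already-fetched user entry."""
    if "inetOrgPerson" not in entry.get("objectClass", []):
        return False
    if not under_base(entry["dn"], settings["omero.ldap.base"]):
        return False
    for attr, val in attribute_pairs(settings):          # use case 3
        if val not in entry.get(attr, []):
            return False
    for cn in split_csv(settings.get("omero.ldap.groups", "")):  # use case 2
        if entry["dn"] not in groups.get(cn, []):
            return False
    return True


def transport_warning(settings):
    """None when the channel is encrypted; otherwise a warning string."""
    url = settings["omero.ldap.urls"]
    if url.startswith("ldaps://") or \
            settings.get("omero.ldap.protocol", "").upper() == "TLS":
        return None
    return ("bind and user passwords travel in cleartext: "
            "use ldaps:// or set omero.ldap.protocol to TLS")


if __name__ == "__main__":
    print(user_filter(SETTINGS, "alice"))
    print("alice:", allowed(SETTINGS, ALICE, GROUPS),
          "bob:", allowed(SETTINGS, BOB, GROUPS))
    print(transport_warning(SETTINGS))
```

Setting omero.ldap.groups to the empty value (the 'omero.ldap.groups=' form from the note above) drops the group check entirely, and an attribute list without a matching number of values is rejected rather than silently ignored.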

See also: OMERO.server Installation, OMERO.server Security and Firewalls
