
ldap with user filter

General user discussion about using the OMERO platform to its fullest. Please ask new questions at https://forum.image.sc/tags/omero


Postby rdccmemg » Thu Jul 14, 2011 7:36 am

I am using OMERO with an LDAP connection to a microsoft AD.
I've also set the omero.ldap.user_filter in a way so that only members of a specific security group can use OMERO.
This works nicely, but when I remove a user from the security group in AD I would expect the user not to be able to log on to OMERO any more. But he still can. I guess the user_filter is only used when someone tries to log on who has never logged on before. Once the account is created in OMERO the user_filter isn't used any more, right?
Or is there another way to get this behaviour?
To my feeling (as an IT admin, not a scientist) this would ease the user management task.
Maybe something for future releases?

thanks for your thoughts on this.
rdccmemg
 
Posts: 15
Joined: Wed Jul 13, 2011 2:59 pm

Re: ldap with user filter

Postby wmoore » Thu Jul 14, 2011 9:42 pm

Hi,

Thanks for your feedback. The "LDAP experts" on the team are away just now, but this seems like a feature we should consider, so I've created a ticket for this:

http://trac.openmicroscopy.org.uk/ome/ticket/6248

Cheers,

Will.
wmoore
Team Member
 
Posts: 674
Joined: Mon May 18, 2009 12:46 pm

Re: ldap with user filter

Postby jmoore » Mon Jul 18, 2011 9:45 am

Hi,

I agree with Will that this should either be the default or a very easy configuration option. All that needs to happen is that a check against the user filter be added to the LdapPasswordProvider around line 80. Currently, the user is only looked up by username, instead of also by DN.

Since the PasswordProviders are intended to be extensible, you could make the appropriate change yourself in a subclass, and add the class files to extensions.jar (as described under ExtendingOmero). Otherwise, we should be able to provide such an option for 4.3.2.

Cheers,
~Josh.
jmoore
Site Admin
 
Posts: 1591
Joined: Fri May 22, 2009 1:29 pm
Location: Germany

Re: ldap with user filter

Postby jmoore » Wed Aug 03, 2011 8:11 am

We're just starting to work on #6248 and have a couple of questions:
  • What does your user_filter setting look like?
  • What do you think should happen if the DN stored in OMERO no longer matches the DN for the given username?
Cheers,
~Josh.
jmoore
Site Admin
 
Posts: 1591
Joined: Fri May 22, 2009 1:29 pm
Location: Germany

Re: ldap with user filter

Postby rdccmemg » Wed Aug 03, 2011 7:29 pm

My user_filter looks like this:

omero.ldap.user_filter=(memberOf=CN=OMERO-Users,OU=OMERO,DC=med,DC=ad10,DC=intern,DC=kuleuven,DC=ac,DC=be)

For your second question, are we talking about the case where a user-account was moved around in the AD structure and thus DN changed but username itself did not?
In this case, for my use, the DN in OMERO should be updated and the user should be granted access. The condition for all of this is of course that the user_filter responds positively for the username. If he/she lost the privilege to use OMERO, nothing gets updated in OMERO.

If you have more questions, just ask. Do note however that I'm on holidays until 1st of September. There could be a slight delay in my answers.

Thank you for your efforts.
Raf
rdccmemg
 
Posts: 15
Joined: Wed Jul 13, 2011 2:59 pm
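As an added illustration (not OMERO's code, nor any poster's), the following Python simulates the per-login check Josh describes (re-applying the user filter at every login, not only when the account is first created) together with the DN handling Raf asks for. The directory contents, DNs, group names and function names are constructed; the LDAP bind itself is left out.

```python
import re

# Added example (not OMERO code): the per-login check discussed in this thread,
# re-applying omero.ldap.user_filter at every login and reconciling a changed
# DN. Directory contents, DNs and names are constructed; the LDAP bind itself
# is left out.

# Constructed stand-in for the AD directory: username -> (DN, attributes).
DIRECTORY = {
    "alice": ("CN=alice,OU=Staff,DC=example,DC=org",
              {"memberOf": ["CN=OMERO-Users,OU=OMERO,DC=example,DC=org"]}),
    "bob": ("CN=bob,OU=Staff,DC=example,DC=org",
            {"memberOf": ["CN=Other-Group,DC=example,DC=org"]}),
}
# Constructed stand-in for the DNs OMERO recorded at each user's first login.
OMERO_DNS = {
    "alice": "CN=alice,OU=OldOU,DC=example,DC=org",  # moved in AD since then
    "bob": "CN=bob,OU=Staff,DC=example,DC=org",      # since removed from group
}
USER_FILTER = "(memberOf=CN=OMERO-Users,OU=OMERO,DC=example,DC=org)"

def matches(filter_str, attrs):
    """Evaluate (attr=value) or a flat (&(a=b)(c=d)) filter with AD-style
    case-insensitive comparison. Values may themselves contain '=' (DNs)."""
    f = filter_str.strip()
    if not (f.startswith("(") and f.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % filter_str)
    if f.startswith("(&"):
        return all(matches("(%s)" % s, attrs) for s in re.findall(r"\(([^()]+)\)", f[2:-1]))
    attr, _, value = f[1:-1].partition("=")
    values = next((v for k, v in attrs.items() if k.lower() == attr.lower()), [])
    return any(v.lower() == value.lower() for v in values)

def check_login(username, user_filter=USER_FILTER):
    """Return ('allowed', dn) or ('denied', reason) for a known OMERO user."""
    entry = DIRECTORY.get(username)
    if entry is None:
        return ("denied", "no such user in the directory")
    dn, attrs = entry
    if not matches(user_filter, attrs):
        return ("denied", "user_filter no longer matches")  # record untouched
    if OMERO_DNS.get(username, dn).lower() != dn.lower():
        OMERO_DNS[username] = dn  # account moved in AD: reconcile stored DN
    return ("allowed", dn)
```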

