ldap with user filter

PostPosted: Thu Jul 14, 2011 7:36 am
by rdccmemg
I am using OMERO with an LDAP connection to a microsoft AD.
I've also set the omero.ldap.user_filter in a way so that only members of a specific security group can use OMERO.
This works nicely, but when I remove a user from the security group in AD I would expect the user not to be able to log on to OMERO any more. But he still can. I guess the user_filter is only used when someone tries to log on who has never logged on before. Once the account is created in OMERO the user_filter isn't used anymore, right?
Or is there another way to get this behaviour?
To my feeling (as an IT admin, not a scientist) this would ease the user management task.
Maybe something for future releases?

thanks for your thoughts on this.

Re: ldap with user filter

PostPosted: Thu Jul 14, 2011 9:42 pm
by wmoore
Hi,

Thanks for your feedback. The "LDAP experts" on the team are away just now, but this seems like a feature we should consider, so I've created a ticket for this:

http://trac.openmicroscopy.org.uk/ome/ticket/6248

Cheers,

Will.

Re: ldap with user filter

PostPosted: Mon Jul 18, 2011 9:45 am
by jmoore
Hi,

I agree with Will that this should either be the default or a very easy configuration option. All that needs to happen is that a check against the user filter be added to the LdapPasswordProvider around line 80. Currently, the user is only looked up by username, instead of also by DN.

Since the PasswordProviders are intended to be extensible, you could make the appropriate change yourself in a subclass, and add the class files to extensions.jar (as described under ExtendingOmero). Otherwise, we should be able to provide such an option for 4.3.2.

Cheers,
~Josh.

Re: ldap with user filter

PostPosted: Wed Aug 03, 2011 8:11 am
by jmoore
We're just starting to work on #6248 and have a couple of questions:
  • What does your user_filter setting look like?
  • What do you think should happen if the DN stored in OMERO no longer matches the DN for the given username?
Cheers,
~Josh.

Re: ldap with user filter

PostPosted: Wed Aug 03, 2011 7:29 pm
by rdccmemg
My user_filter looks like this:

omero.ldap.user_filter=(memberOf=CN=OMERO-Users,OU=OMERO,DC=med,DC=ad10,DC=intern,DC=kuleuven,DC=ac,DC=be)

For your second question, are we talking about the case where a user account was moved around in the AD structure and thus the DN changed but the username itself did not?
In this case, for my use, the DN in OMERO should be updated and the user should be granted access. The condition for all of this is of course that the user_filter responds positively to the username. If he/she lost the privilege to use OMERO, nothing gets updated in OMERO.

If you have more questions, just ask. Do note however that I'm on holidays until the 1st of September. There could be a slight delay in my answers.

Thank you for your efforts.
Raf
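The login-time check Josh proposes (re-applying the user filter on every login, looking the user up by username and DN) and the DN-change policy Raf describes, modelled as an added Python example that is not OMERO's own code. The in-memory DIRECTORY standing in for the AD server, the account names in it, and the `check_login`/`login_filter` helpers are constructed for this illustration; only the group DN and user_filter come from the thread.

```python
from dataclasses import dataclass
from typing import Optional

GROUP_DN = "CN=OMERO-Users,OU=OMERO,DC=med,DC=ad10,DC=intern,DC=kuleuven,DC=ac,DC=be"
USER_FILTER = f"(memberOf={GROUP_DN})"   # the omero.ldap.user_filter from the thread

def escape_filter(value: str) -> str:
    """RFC 4515 escaping: a username must not be able to rewrite the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def login_filter(username: str, user_filter: str = USER_FILTER) -> str:
    """The search filter a login-time check would send: username AND the configured user_filter."""
    return f"(&(sAMAccountName={escape_filter(username)}){user_filter})"

# Constructed stand-in for the AD directory (hypothetical accounts): DN -> attributes.
BASE = "DC=med,DC=ad10,DC=intern,DC=kuleuven,DC=ac,DC=be"
DIRECTORY = {
    f"CN=raf,OU=Staff,{BASE}":    {"sAMAccountName": "raf",   "memberOf": [GROUP_DN]},
    f"CN=alice,OU=Guests,{BASE}": {"sAMAccountName": "alice", "memberOf": []},        # removed from the group
    f"CN=bob,OU=Moved,{BASE}":    {"sAMAccountName": "bob",   "memberOf": [GROUP_DN]}, # account moved in AD
}

@dataclass
class Decision:
    allowed: bool
    new_dn: Optional[str] = None   # set when the DN stored in OMERO must be updated

def check_login(username: str, stored_dn: str, directory=DIRECTORY,
                group_dn: str = GROUP_DN) -> Decision:
    """Re-apply the user filter at every login, not only when the account is first created."""
    matches = [dn for dn, attrs in directory.items()
               if attrs["sAMAccountName"] == username and group_dn in attrs["memberOf"]]
    if len(matches) != 1:          # no longer in the group (or ambiguous): refuse and change nothing
        return Decision(False)
    dn = matches[0]
    if dn != stored_dn:            # still passes the filter but the DN changed: allow and update the DN
        return Decision(True, new_dn=dn)
    return Decision(True)
```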