LDAP Group Creation Based on Security Groups

Re: LDAP Group Creation Based on Security Groups

Postby jlbryants » Mon Apr 16, 2012 4:26 pm

Hi Josh,

There is no concern with matching something else in AD so I used your first option.

(&(OU=Omero)(member=@{dn}))"

When I attempted to log in, the login failure says: Failed to log onto OMERO. Please check your user name and/or password or try again.

The Blitz-0.log shows the following.

Marker - Apr 16, 2012 12:14:47 PM
2012-04-16 12:14:49,135 INFO [ ome.services.util.ServiceHandler] (l.Server-0) Executor.doWork -- ome.services.sessions.SessionManagerImpl.executeCheckPasswordRO(jlbryants)
2012-04-16 12:14:49,136 INFO [ ome.services.util.ServiceHandler] (l.Server-0) Args: [null, InternalSF@325623314]
2012-04-16 12:14:49,136 INFO [ ome.security.basic.EventHandler] (l.Server-0) Auth: user=0,group=0,event=null(Sessions),sess=54b24107-f005-4377-ad8b-5e5485187501
2012-04-16 12:14:49,193 INFO [ org.perf4j.TimingLogger] (l.Server-0) start[1334592889136] time[57] tag[omero.call.success.ome.services.sessions.SessionManagerImpl$8.doWork]
2012-04-16 12:14:49,193 INFO [ ome.services.util.ServiceHandler] (l.Server-0) Rslt: true
2012-04-16 12:14:49,194 INFO [ ome.services.util.ServiceHandler] (l.Server-9) Executor.doWork -- ome.services.sessions.SessionManagerImpl.createSession
2012-04-16 12:14:49,194 INFO [ ome.services.util.ServiceHandler] (l.Server-9) Args: [null, InternalSF@325623314]
2012-04-16 12:14:49,211 INFO [ ome.security.basic.EventHandler] (l.Server-9) Auth: user=0,group=0,event=3915(Sessions),sess=54b24107-f005-4377-ad8b-5e5485187501
2012-04-16 12:14:49,215 WARN [ome.services.sessions.SessionManagerImpl] (l.Server-9) Exception while running executeDefaultGroup
ome.conditions.ValidationException: The user 52 has no default group set.
at ome.logic.AdminImpl.getDefaultGroup(AdminImpl.java:802)
at ome.services.sessions.SessionManagerImpl._getDefaultGroup(SessionManagerImpl.java:1216)
at ome.services.sessions.SessionManagerImpl.checkPrincipalNameAndDefaultGroup(SessionManagerImpl.java:763)
at ome.services.sessions.SessionManagerImpl.access$000(SessionManagerImpl.java:85)
at ome.services.sessions.SessionManagerImpl$2.doWork(SessionManagerImpl.java:305)
at sun.reflect.GeneratedMethodAccessor268.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
at ome.services.util.Executor$Impl$Interceptor.invoke(Executor.java:440)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at ome.security.basic.EventHandler.invoke(EventHandler.java:150)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.orm.hibernate3.HibernateInterceptor.invoke(HibernateInterceptor.java:111)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:108)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at ome.tools.hibernate.ProxyCleanupFilter$Interceptor.invoke(ProxyCleanupFilter.java:231)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at ome.services.util.ServiceHandler.invoke(ServiceHandler.java:116)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
at $Proxy64.doWork(Unknown Source)
at ome.services.util.Executor$Impl.execute(Executor.java:371)
at ome.services.sessions.SessionManagerImpl.createSession(SessionManagerImpl.java:300)
at ome.services.sessions.SessionManagerImpl.createWithAgent(SessionManagerImpl.java:252)
at ome.services.blitz.fire.SessionManagerI.create(SessionManagerI.java:173)
at Glacier2._SessionManagerDisp.___create(_SessionManagerDisp.java:92)
at Glacier2._SessionManagerDisp.__dispatch(_SessionManagerDisp.java:125)
at IceInternal.Incoming.invoke(Incoming.java:159)
at Ice.ConnectionI.invokeAll(ConnectionI.java:2037)
at Ice.ConnectionI.message(ConnectionI.java:972)
at IceInternal.ThreadPool.run(ThreadPool.java:577)
at IceInternal.ThreadPool.access$100(ThreadPool.java:12)
at IceInternal.ThreadPool$EventHandlerThread.run(ThreadPool.java:971)
2012-04-16 12:14:49,216 INFO [ org.perf4j.TimingLogger] (l.Server-9) start[1334592889194] time[22] tag[omero.call.exception]
2012-04-16 12:14:49,216 INFO [ ome.services.util.ServiceHandler] (l.Server-9) Excp: ome.conditions.ApiUsageException: Can't find default group for jlbryants
2012-04-16 12:15:00,018 INFO [ ome.services.blitz.fire.SessionManagerI] (3-thread-1) Performing requestHeartbeats
2012-04-16 12:18:00,014 INFO [ ome.services.blitz.fire.SessionManagerI] (3-thread-5) Performing requestHeartbeats
jlbryants
 
Posts: 25
Joined: Mon Apr 09, 2012 8:36 pm

Re: LDAP Group Creation Based on Security Groups

Postby jmoore » Tue Apr 17, 2012 9:20 am

jlbryants wrote: There is no concern with matching something else in AD so I used your first option.

(&(OU=Omero)(member=@{dn}))"

When I attempted to log in, the login failure says: Failed to log onto OMERO. Please check your user name and/or password or try again.

The Blitz-0.log shows the following.
...
ome.conditions.ValidationException: The user 52 has no default group set.


This sounds like the "OU=" style query may not be supported on your server. Can you perform the query outside of OMERO, replacing "@{dn}" with the DN for your user? Also, what is the group_filter setting?

Cheers,
~Josh
jmoore
Site Admin
 
Posts: 1591
Joined: Fri May 22, 2009 1:29 pm
Location: Germany

Re: LDAP Group Creation Based on Security Groups

Postby jlbryants » Tue Apr 17, 2012 5:17 pm

The group filter is currently set to (objectClass=member).

I am working on a different server and will give your other suggestion a try in a bit.
jlbryants
 
Posts: 25
Joined: Mon Apr 09, 2012 8:36 pm

Re: LDAP Group Creation Based on Security Groups

Postby jmoore » Tue Apr 17, 2012 6:17 pm

The objectClass of your groups is "group", so to be able to match anything at all, you'll need to change your group_filter minimally to "(objectClass=group)" and then restart.

Cheers,
~Josh
jmoore
Site Admin
 
Posts: 1591
Joined: Fri May 22, 2009 1:29 pm
Location: Germany

Re: LDAP Group Creation Based on Security Groups

Postby jlbryants » Wed Apr 25, 2012 8:03 pm

Josh,

I was on a scheduled vacation. I'd like to continue with your assistance. Please see the attachment and see if this can help to move forward.

Joe
Attachments
Search_jlbryants.tiff
The information returned is correct. I am currently a member of all three groups.
jlbryants
 
Posts: 25
Joined: Mon Apr 09, 2012 8:36 pm

Re: LDAP Group Creation Based on Security Groups

Postby jmoore » Thu Apr 26, 2012 1:00 pm

Hi Joe,

that query certainly looks like what we're shooting for. Have you set it on the OMERO server and restarted? What behavior are you seeing now?

Cheers,
~Josh.
jmoore
Site Admin
 
Posts: 1591
Joined: Fri May 22, 2009 1:29 pm
Location: Germany

Re: LDAP Group Creation Based on Security Groups

Postby jlbryants » Thu Apr 26, 2012 2:11 pm

Hi Josh,

The group filter is set as:
omero.ldap.group_filter=(objectClass=group)

I have tried the following:
omero.ldap.new_user_group=:query:'(&(OU=Omero,OU=Groups,OU=Dentistry,OU=HSC,OU=Departments,OU=UF,DC=ad,DC=ufl,DC=edu)(member=@{dn}))'

and I still get:
The user 52 has no default group set.
Can't find default group for jlbryants.
jlbryants
 
Posts: 25
Joined: Mon Apr 09, 2012 8:36 pm
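
Added example (not part of the thread and not OMERO code): a small Python parser for the RFC 4515 filter subset used above, run on the new_user_group filter from this post to show which attribute/value assertions the string makes once @{dn} is filled in. The sample DN is constructed, and treating @{dn} as a plain textual substitution with RFC 4515 escaping is an assumption.

```python
import re

# RFC 4515 section 3: these characters must appear as \XX inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def substitute_dn(template, dn, escape=True):
    """Fill the @{dn} placeholder; plain textual substitution is an assumption here."""
    return template.replace("@{dn}", escape_value(dn) if escape else dn)

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unbalanced filter near offset %d" % i)
        return (op, children), i + 1
    end = s.find(")", i)
    item = re.fullmatch(r"([A-Za-z][A-Za-z0-9.;-]*)=(.*)", s[i:end]) if end > 0 else None
    if not item:
        raise ValueError("expected attr=value item at offset %d" % i)
    return (item.group(1), _unescape(item.group(2))), end + 1

def parse_filter(text):
    """Return nested tuples: (op, [children]) for &,|,! and (attr, value) for simple items."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters: %r" % text[pos:])
    return node

# Filter from the post above; the DN is constructed sample data, not from the thread.
TEMPLATE = ("(&(OU=Omero,OU=Groups,OU=Dentistry,OU=HSC,OU=Departments,"
            "OU=UF,DC=ad,DC=ufl,DC=edu)(member=@{dn}))")
SAMPLE_DN = "CN=Doe\\, Jane (Imaging),OU=Users,DC=example,DC=org"

if __name__ == "__main__":
    op, items = parse_filter(substitute_dn(TEMPLATE, SAMPLE_DN))
    for attr, value in items:
        print("%s  %s = %r" % (op, attr, value))
```

The first clause parses as a single equality test on the attribute OU whose value is the whole comma-separated string, and a DN containing parentheses only parses when it is escaped before substitution.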

Re: LDAP Group Creation Based on Security Groups

Postby jmoore » Thu Apr 26, 2012 2:21 pm

Did you move the previous 'jlbryants' user out of the way? (e.g. by renaming him)
jmoore
Site Admin
 
Posts: 1591
Joined: Fri May 22, 2009 1:29 pm
Location: Germany

Re: LDAP Group Creation Based on Security Groups

Postby jlbryants » Thu Apr 26, 2012 2:38 pm

I actually logged into Omero as the root and deleted myself before trying it again.
jlbryants
 
Posts: 25
Joined: Mon Apr 09, 2012 8:36 pm

Re: LDAP Group Creation Based on Security Groups

Postby jlbryants » Thu Apr 26, 2012 2:40 pm

Actually, I should be more clear. I right-clicked myself and selected cut, which removed me. The only existing user is root.
jlbryants
 
Posts: 25
Joined: Mon Apr 09, 2012 8:36 pm
