
Re: LDAP Group Creation Based on Security Groups

PostPosted: Thu May 24, 2012 2:43 pm
by jmoore
jlbryants wrote: If I turn it off and the user's LDAP password is changed, will the new password sync properly in Omero with sync_on_login set to false?


Definitely. The LDAP plugin in OMERO never stores the password so there's no synchronization needed. We do, however, sync the email, user name, and groups. Without sync_on_login, these can become stale, but with it turned on, groups can be removed which is likely the problem that you are experiencing.

Cheers,
~Josh

Re: LDAP Group Creation Based on Security Groups

PostPosted: Thu May 24, 2012 2:53 pm
by jlbryants
I read over the LDAP configuration again and I believe I have answered my own question. It looks to me that password checking is handled by the chainedPasswordProvider, so LDAP will be checked for current password.

Joe

Re: LDAP Group Creation Based on Security Groups

PostPosted: Thu May 24, 2012 3:06 pm
by jmoore
Exactly. Cheers, ~Josh

Re: LDAP Group Creation Based on Security Groups

PostPosted: Wed May 30, 2012 1:46 pm
by ehrenfeu
Hi Joe,

jlbryants wrote:[...]
When that user logs in again, they do not show as being in anything other than the default group. It removes the association with the other groups and shows them in the default group only. In other words, if I log back in as root and look under the administrative tab, I no longer see that person in any group other than default. Where am I going wrong?


that doesn't happen for me, sounds strange. Of course, after the first login a user is just in the "default" group, but when I change the group membership using an administrative account, the assignment doesn't disappear when the user logs on for the next time.

If I understood your postings correctly, you disabled the sync flag now. Did this fix the weird group behavior?

Cheers,
~Niko

Re: LDAP Group Creation Based on Security Groups

PostPosted: Mon Jun 04, 2012 7:03 am
by jmoore
Niko,

have you tried the sync_on_login flag yourself? The warning from etc/omero.properties describes just this behavior:
# Whether or not values from LDAP will be
# sychronized to OMERO on each login. This includes
# not just the user name, email, etc, but also the
# groups that the user is a member of.
#
# WARNING:
# -------------------------------------------------
#   Currently setting this to true the user will be
#   removed from any groups to which they have been
#   added outside of LDAP! Please use carefully.
#


We had hoped to be able to remove this restriction for 4.4.0, but it's unclear whether or not we'll make it.

Cheers,
~Josh