
LDAP Group Creation Based on Security Groups

Posted: Mon Apr 09, 2012 6:20 pm
by ScottG
Hi,

We are trying to create OMERO groups using LDAP security groups. Has anybody had luck with this who can point us in the right direction?

Scott

Re: LDAP Group Creation Based on Security Groups

Posted: Tue Apr 10, 2012 12:42 pm
by jmoore
Hi Scott,

a little more information about your setup would be helpful. How are your LDAP groups defined? There are a number of threads here on the forums about the different configuration options (e.g. ":query:" and ":attribute:"). Do you have the OMERO-LDAP plugin working correctly now, even without groups?

Cheers,
~Josh

Re: LDAP Group Creation Based on Security Groups

Posted: Tue Apr 10, 2012 2:30 pm
by jlbryants
I am working with Scott on this project. He has been using OMERO for years and we are moving to a new server and changing the authentication method to LDAP. We do have LDAP authentication working, and when individuals log in, they are all placed in a default group. We basically have three separate labs and want to have those labs created and users added to them based on Global Security Groups, which we have the ability to create. Our directory structure is as follows. All university employees and students are in a branch of the AD tree called People. It breaks down from there, but that would be the beginning of the branch and we have no control over that branch. Each college has an OU on another branch and we do have control of that branch. Under our own OU we have created a sub-OU called Omero, and in this OU we have placed three Global Security Groups with the name we would like each OMERO lab to have. We have added each person we want in each lab as a member of each group. Not being gurus on LDAP, we have not been able to figure out how to utilize Query or Attribute to reference these three security groups for their members. Any assistance would be appreciated.

Re: LDAP Group Creation Based on Security Groups

Posted: Wed Apr 11, 2012 12:41 pm
by jmoore
jlbryants wrote:
We do have LDAP authentication working and when individuals log in, they are all placed in a default group.


Excellent.

We basically have three separate labs and want to have those labs created and users added to them based on Global Security Groups which we have the ability to create. Our directory structure is as follows. All university employees and students are in a branch of the AD tree called People. It breaks down from there, but that would be the beginning of the branch and we have no control over that branch. Each college has an OU on another branch and we do have control of that branch. Under our own OU we have created a sub OU called Omero and in this OU we have placed three Global Security Groups with the name we would like each Omero lab to have. We have added each person we want in each lab as members of each group. Not being guru's on LDAP, we have not been able to figure out how to utilize Query or Attribute to reference these three security groups for its members. Any assistance would be appreciated.


I'm not an AD expert either so it depends on how the group membership is expressed. If AD keeps the "memberOf" property in sync for each user, then you can add the ":attribute:memberOf" setting for new_user_group, as described under "LDAP Properties".

If not, you'll need to use ":query:..." with a query which returns the groups for a particular user.

If you could provide an LDIF example file for your LDAP, we can help with concrete examples.

Cheers,
~Josh

Re: LDAP Group Creation Based on Security Groups

Posted: Wed Apr 11, 2012 8:42 pm
by jlbryants
This would be my directory information. Two of the three Groups in question are highlighted in Red.


dn: CN=jlbryants,OU=DN-BUDGETINGINFOSYSTEM,OU=DN-FINANCEADMIN,OU=DN-DEANSOFF,OU=DN,OU=HSC,OU=People,OU=UF,DC=ad,DC=ufl,DC=edu
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: jlbryants
sn: Bryant
c: US
l: GAINESVILLE
st: FL
title: IT Specialist
description: IT Specialist
postalCode: 326100405
postOfficeBox: PO BOX 100405
physicalDeliveryOfficeName: PO BOX 100405
telephoneNumber: (352) 273-5708
facsimileTelephoneNumber:: IA==
givenName: Joseph
initials: L
distinguishedName:
CN=jlbryants,OU=DN-BUDGETINGINFOSYSTEM,OU=DN-FINANCEADMIN,OU=DN-DEANSOFF,OU=DN
,OU=HSC,OU=People,OU=UF,DC=ad,DC=ufl,DC=edu
instanceType: 4
whenCreated: 20071217140325.0Z
whenChanged: 20120404182835.0Z
displayName: Bryant,Joseph Langley
uSNCreated: 3031119
info: 12/17/2007 3:21:04 PM
memberOf:
CN=DN-HRSA-Faculty-Development-Folder,OU=HRSA Faculty Development,OU=DATA,OU=D
N$,OU=DENTISTRY,OU=HSC,OU=Departments,OU=UF,DC=ad,DC=ufl,DC=edu
memberOf:
CN=AHC-MBX01-Users,OU=Email Groups,OU=Groups,OU=AHC,OU=HSC,OU=Departments,OU=U
F,DC=ad,DC=ufl,DC=edu
memberOf:
CN=DN-HIA-2014-sg,OU=ResourceGroupPermissions,OU=Resources,OU=Mail,OU=DENTISTR
Y,OU=HSC,OU=Departments,OU=UF,DC=ad,DC=ufl,DC=edu
memberOf:
CN=DN-Omero-Brown-Lab,OU=Omero,OU=Groups,OU=DENTISTRY,OU=HSC,OU=Departments,OU
=UF,DC=ad,DC=ufl,DC=edu
memberOf:
CN=DN-Omero-Grieshaber-Lab,OU=Omero,OU=Groups,OU=DENTISTRY,OU=HSC,OU=Departmen
ts,OU=UF,DC=ad,DC=ufl,DC=edu

memberOf:
CN=PS_UF_N_ALL_IT_WORKERS_AutoGS,OU=PSRoleGroups,OU=Groups,OU=UF,DC=ad,DC=ufl,
DC=edu
memberOf:
CN=DN-Oral-Surgery-CT-Folder,OU=Oral-Surgery,OU=Radiology-CT,OU=DATA,OU=DN$,OU
=DENTISTRY,OU=HSC,OU=Departments,OU=UF,DC=ad,DC=ufl,DC=edu
memberOf:
CN=_HSC-DN-DEANSOFF-DN-FINANCEADMIN-USERS_autoGS,OU=AutoGroups,OU=Groups,OU=UF
,DC=ad,DC=ufl,DC=edu
memberOf:
CN=_HSC-DN-FINANCEADMIN-DN-BUDGETINGINFOSYSTEM-USERS_autoGS,OU=AutoGroups,OU=G
roups,OU=UF,DC=ad,DC=ufl,DC=edu
memberOf:
CN=_HSC-DN-DN-DEANSOFF-USERS_autoGS,OU=AutoGroups,OU=Groups,OU=UF,DC=ad,DC=ufl
,DC=edu
memberOf:
CN=_HSC-DN-USERS_autoGS,OU=AutoGroups,OU=Groups,OU=UF,DC=ad,DC=ufl,DC=edu
memberOf:
CN=AHCExchangeDowntime,OU=MailboxMigrations,OU=Groups,OU=AHC,OU=HSC,OU=Departm
ents,OU=UF,DC=ad,DC=ufl,DC=edu
memberOf:
CN=DN-Ortho-Clinic-Users,OU=Dolphin,OU=Groups,OU=DENTISTRY,OU=HSC,OU=Departmen
ts,OU=UF,DC=ad,DC=ufl,DC=edu
memberOf:
CN=DN-OCS-Users,OU=OCS User Groups,OU=Groups,OU=UF,DC=ad,DC=ufl,DC=edu
memberOf:
CN=PS_UF_PA_IDM_NETMGR_AutoGS,OU=PSRoleGroups,OU=Groups,OU=UF,DC=ad,DC=ufl,DC=
edu
memberOf:
CN=DN-MiPACS-Users,OU=MiPACS,OU=Groups,OU=DENTISTRY,OU=HSC,OU=Departments,OU=U
F,DC=ad,DC=ufl,DC=edu
memberOf:
CN=DN-Windent-Users,OU=Windent,OU=Groups,OU=DENTISTRY,OU=HSC,OU=Departments,OU
=UF,DC=ad,DC=ufl,DC=edu
memberOf:
CN=DN-Help-sg,OU=ResourceGroupPermissions,OU=Resources,OU=Mail,OU=DENTISTRY,OU
=HSC,OU=Departments,OU=UF,DC=ad,DC=ufl,DC=edu
memberOf:
CN=DN-Response-Clickers-sg,OU=ResourceGroupPermissions,OU=Resources,OU=Mail,OU
=DENTISTRY,OU=HSC,OU=Departments,OU=UF,DC=ad,DC=ufl,DC=edu
memberOf:
CN=DN-D7-11-sg,OU=ResourceGroupPermissions,OU=Resources,OU=Mail,OU=DENTISTRY,O
U=HSC,OU=Departments,OU=UF,DC=ad,DC=ufl,DC=edu
memberOf:
CN=DN-Staff,OU=Distribution-Lists,OU=Mail,OU=DENTISTRY,OU=HSC,OU=Departments,O
U=UF,DC=ad,DC=ufl,DC=edu
memberOf:
CN=DN-INFO-SYS-DL,OU=Distribution-Lists,OU=Mail,OU=DENTISTRY,OU=HSC,OU=Departm
ents,OU=UF,DC=ad,DC=ufl,DC=edu
memberOf:
CN=HSC-DN-Exchange-Users,OU=HSC,OU=Exchange User Groups,OU=Groups,OU=UF,DC=ad,
DC=ufl,DC=edu
memberOf:
CN=UFX-SIP-Enabled-Users,OU=UF Exchange,OU=Groups,OU=UFAD,DC=ad,DC=ufl,DC=edu
memberOf:
CN=PS_UF_N_MKT_SHOPPER_AutoGS,OU=PSRoleGroups,OU=Groups,OU=UF,DC=ad,DC=ufl,DC=
edu
memberOf:
CN=PS_UF_SF_STUDENT_SS_AutoGS,OU=PSRoleGroups,OU=Groups,OU=UF,DC=ad,DC=ufl,DC=
edu
memberOf:
CN=PS_UF_SS_USER_AutoGS,OU=PSRoleGroups,OU=Groups,OU=UF,DC=ad,DC=ufl,DC=edu
memberOf:
CN=DN-LD-ADMINS,OU=Groups,OU=DN-IT,OU=DENTISTRY,OU=HSC,OU=Departments,OU=UF,DC
=ad,DC=ufl,DC=edu
memberOf:
CN=DN-ITTechs,OU=FileAccess,OU=Groups,OU=DN-IT,OU=DENTISTRY,OU=HSC,OU=Departme
nts,OU=UF,DC=ad,DC=ufl,DC=edu
memberOf:
CN=PS_UF_SY_BUSUNIT_UFLOR_AutoGS,OU=PSRoleGroups,OU=Groups,OU=UF,DC=ad,DC=ufl,
DC=edu
memberOf:
CN=UF_AFF_MANAGED_USER_autoGS,OU=UF-affiliations,OU=Groups,OU=UF,DC=ad,DC=ufl,
DC=edu
memberOf:
CN=UF_AFF_TEAMS_autoGS,OU=UF-affiliations,OU=Groups,OU=UF,DC=ad,DC=ufl,DC=edu
memberOf:
CN=PS_UF_HR_EMPLOYEE_AutoGS,OU=PSRoleGroups,OU=Groups,OU=UF,DC=ad,DC=ufl,DC=ed
u
memberOf:
CN=PS_UF_FI_USER_AutoGS,OU=PSRoleGroups,OU=Groups,OU=UF,DC=ad,DC=ufl,DC=edu
memberOf:
CN=PS_UF_TL_EMPLOYEE_AutoGS,OU=PSRoleGroups,OU=Groups,OU=UF,DC=ad,DC=ufl,DC=ed
u
memberOf:
CN=PS_UF_PA_STAFF_AutoGS,OU=PSRoleGroups,OU=Groups,OU=UF,DC=ad,DC=ufl,DC=edu
memberOf:
CN=PS_UF_PA_GA_GUEST_BULK_AutoGS,OU=PSRoleGroups,OU=Groups,OU=UF,DC=ad,DC=ufl,
DC=edu
memberOf:
CN=PS_UF_PY_EMPLOYEE_AutoGS,OU=PSRoleGroups,OU=Groups,OU=UF,DC=ad,DC=ufl,DC=ed
u
memberOf:
CN=PS_UF_PA_AUTHUSERS_AutoGS,OU=PSRoleGroups,OU=Groups,OU=UF,DC=ad,DC=ufl,DC=e
du
memberOf:
CN=PS_UF_BN_EMPLOYEE_SS_AutoGS,OU=PSRoleGroups,OU=Groups,OU=UF,DC=ad,DC=ufl,DC
=edu
memberOf:
CN=PS_UF_HR_USER_AutoGS,OU=PSRoleGroups,OU=Groups,OU=UF,DC=ad,DC=ufl,DC=edu
memberOf:
CN=_HSC-DENTISTRY-DN-DEANS OFFICE-USERS_autoGS,OU=AutoGroups,OU=Groups,OU=UF,D
C=ad,DC=ufl,DC=edu
memberOf:
CN=_HSC-DENTISTRY-USERS_autoGS,OU=AutoGroups,OU=Groups,OU=UF,DC=ad,DC=ufl,DC=e
du
memberOf:
CN=_HSC-DN-DEANS OFFICE-DN-FINANCE - ADMIN-USERS_autoGS,OU=AutoGroups,OU=Group
s,OU=UF,DC=ad,DC=ufl,DC=edu
memberOf:
CN=_HSC-DN-FINANCE - ADMIN-DN-BUDGETING - INFO SYS-USERS_autoGS,OU=AutoGroups,
OU=Groups,OU=UF,DC=ad,DC=ufl,DC=edu
uSNChanged: 810281330
department: DN-BUDGETING - INFO SYS
company: SENIOR VP-HEALTH SCIENCE CTR
proxyAddresses: sip:jlbryants@ufl.edu
proxyAddresses: smtp:JBRYANT@gw.dental.ufl.edu
proxyAddresses:
X500:/o=UF/ou=First Administrative Group/cn=Recipients/cn=jlbryants
proxyAddresses: smtp:jlbryants@ufl.edu
proxyAddresses: SMTP:JBRYANT@dental.ufl.edu
proxyAddresses: smtp:jlbryants@hsc.ufl.edu
proxyAddresses: smtp:jlbryants@ad.ufl.edu
proxyAddresses: smtp:jlbryants@mail.ufl.edu
streetAddress:: DQpJTkZPUk1BVElPTiBTWVNURU1TDQpQTyBCT1ggMTAwNDA1
garbageCollPeriod: 7776000
employeeType: T
name: jlbryants
objectGUID:: 39dhE+u7f0CPJyrMFRuaAQ==
userAccountControl: 544
badPwdCount: 0
codePage: 0
countryCode: 0
employeeID: 91073139
badPasswordTime: 129765579715953170
lastLogon: 129784678121008178
pwdLastSet: 129761318901166282
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAJCD6TbTy8Pm++BIUJFcHAA==
accountExpires: 9223372036854775807
logonCount: 420
sAMAccountName: jlbryants
sAMAccountType: 805306368
showInAddressBook:
CN=\#College of Dentistry,CN=All Address Lists,CN=Address Lists Container,CN=U
F,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ad,DC=ufl,DC=edu
showInAddressBook:
CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Co
ntainer,CN=UF,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ad,DC=ufl,
DC=edu
showInAddressBook:
CN=\#Information Technology Support Services,CN=All Address Lists,CN=Address L
ists Container,CN=UF,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ad,
DC=ufl,DC=edu
showInAddressBook:
CN=A-B,CN=Sort by lastname,CN=All Address Lists,CN=Address Lists Container,CN=
UF,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ad,DC=ufl,DC=edu
showInAddressBook:
CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=UF,CN=Microsof
t Exchange,CN=Services,CN=Configuration,DC=ad,DC=ufl,DC=edu
legacyExchangeDN:
/o=UF/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=jlbr
yants
userPrincipalName: jlbryants@ufl.edu
lockoutTime: 0
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ad,DC=ufl,DC=edu
dSCorePropagationData: 20110622153913.0Z
dSCorePropagationData: 20110621145405.0Z
dSCorePropagationData: 20110413161541.0Z
dSCorePropagationData: 20110329183613.0Z
dSCorePropagationData: 16010714042433.0Z
lastLogonTimestamp: 129780377108945246
msDS-RevealedDSAs:
CN=SSRB230A-AUTHDC,OU=Remote DCs,OU=Domain Controllers,DC=ad,DC=ufl,DC=edu
msDS-RevealedDSAs:
CN=SSRB230A-AUTHDC,OU=Remote DCs,OU=Domain Controllers,DC=ad,DC=ufl,DC=edu
msDS-RevealedDSAs:
CN=SSRB230A-AUTHDC,OU=Remote DCs,OU=Domain Controllers,DC=ad,DC=ufl,DC=edu
msDS-RevealedDSAs:
CN=SSRB230A-AUTHDC,OU=Remote DCs,OU=Domain Controllers,DC=ad,DC=ufl,DC=edu
msDS-RevealedDSAs:
CN=SSRB230A-AUTHDC,OU=Remote DCs,OU=Domain Controllers,DC=ad,DC=ufl,DC=edu
msDS-RevealedDSAs:
CN=CTX36-AUTHDC,OU=Remote DCs,OU=Domain Controllers,DC=ad,DC=ufl,DC=edu
msDS-RevealedDSAs:
CN=CTX36-AUTHDC,OU=Remote DCs,OU=Domain Controllers,DC=ad,DC=ufl,DC=edu
msDS-RevealedDSAs:
CN=CTX36-AUTHDC,OU=Remote DCs,OU=Domain Controllers,DC=ad,DC=ufl,DC=edu
msDS-RevealedDSAs:
CN=CTX36-AUTHDC,OU=Remote DCs,OU=Domain Controllers,DC=ad,DC=ufl,DC=edu
msDS-RevealedDSAs:
CN=CTX36-AUTHDC,OU=Remote DCs,OU=Domain Controllers,DC=ad,DC=ufl,DC=edu
mail: JBRYANT@dental.ufl.edu
mobile:: IA==
pager:: IA==
msRTCSIP-PrimaryHomeServer:
CN=Lc Services,CN=Microsoft,CN=1:1,CN=Pools,CN=RTC Service,CN=Microsoft,CN=Sys
tem,DC=ad,DC=ufl,DC=edu
msExchMailboxMoveTargetUserBL:
CN=a83c43323c1c4c6891c4451156e835afjlbryants-MailboxImport1,CN=MailboxImportRe
quests,CN=Mailbox Replication,CN=UF,CN=Microsoft Exchange,CN=Services,CN=Confi
guration,DC=ad,DC=ufl,DC=edu
msExchMailboxMoveTargetUserBL:
CN=97b3d2259cae4482aa57cd14fa0f080ejlbryants-MailboxImport,CN=MailboxImportReq
uests,CN=Mailbox Replication,CN=UF,CN=Microsoft Exchange,CN=Services,CN=Config
uration,DC=ad,DC=ufl,DC=edu
homeMTA:
CN=Microsoft MTA,CN=AHC-MB01,CN=Servers,CN=Exchange Administrative Group (FYDI
BOHF23SPDLT),CN=Administrative Groups,CN=UF,CN=Microsoft Exchange,CN=Services,
CN=Configuration,DC=ad,DC=ufl,DC=edu
msExchUserAccountControl: 0
msExchHomeServerName:
/o=UF/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=S
ervers/cn=AHC-MB01
msExchVersion: 44220983382016
msExchWhenMailboxCreated: 20111119023700.0Z
msExchMobileMailboxFlags: 1
msRTCSIP-UserPolicies: 0=920182951
msExchPoliciesExcluded: {26491cfc-9e50-4857-861b-0cb8df22b5d7}
msExchMailboxGuid:: EfE6HDgj30eraYYLulpu6Q==
msExchRecipientTypeDetails: 1
UFLDepartmentManagedBy: 34010605
GLPwdExpired: 2012-06-12-13:03:46
mailNickname: jlbryants
mDBUseDefaults: FALSE
UFLDepartmentID: 34010605
msRTCSIP-UserEnabled: TRUE
msExchRBACPolicyLink:
CN=Default Role Assignment Policy,CN=Policies,CN=RBAC,CN=UF,CN=Microsoft Excha
nge,CN=Services,CN=Configuration,DC=ad,DC=ufl,DC=edu
msExchMobileMailboxPolicyLink:
CN=HSC Exchange - Default Policy,CN=Mobile Mailbox Policies,CN=UF,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=ad,DC=ufl,DC=edu
extensionAttribute15: DN-INFORMATION SYSTEM
msRTCSIP-FederationEnabled: TRUE
msExchTextMessagingState: 302120705
msExchTextMessagingState: 16842751
protocolSettings:: SFRUUMKnMcKnMcKnwqfCp8KnwqfCpw==
protocolSettings:: T1dBwqcx
protocolSettings:: SU1BUDTCpzDCp8KnwqfCp8KnwqfCp8Knwqc=
protocolSettings:: TUFQScKnMcKnwqfCp8KnMMKnwqfCpw==
protocolSettings:: UE9QM8KnMMKnwqfCp8KnwqfCp8KnwqfCpw==
msRTCSIP-OptionFlags: 257
homeMDB:
CN=AHC-DAG01-DB09,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPD
LT),CN=Administrative Groups,CN=UF,CN=Microsoft Exchange,CN=Services,CN=Config
uration,DC=ad,DC=ufl,DC=edu
msExchArchiveQuota: 52428800
msExchDelegateListLink:
CN=hsc-adm-ireilly,OU=Management Accounts,OU=ITCENTER,OU=HSC,OU=Departments,OU
=UF,DC=ad,DC=ufl,DC=edu
msRTCSIP-InternetAccessEnabled: TRUE
msExchELCMailboxFlags: 50
msExchMailboxTemplateLink:
CN=Retain Permanently,CN=Retention Policies Container,CN=UF,CN=Microsoft Excha
nge,CN=Services,CN=Configuration,DC=ad,DC=ufl,DC=edu
msExchArchiveName: Online Archive - Bryant,Joseph Langley
msExchArchiveDatabaseLink:
CN=AHC-DAG01-OA01,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPD
LT),CN=Administrative Groups,CN=UF,CN=Microsoft Exchange,CN=Services,CN=Config
uration,DC=ad,DC=ufl,DC=edu
msExchBlockedSendersHash:: gjACc242MtA=
msExchALObjectVersion: 134
msExchUMDtmfMap: reversedPhone:8075372253
msExchUMDtmfMap: emailAddress:5279268
msExchUMDtmfMap: lastNameFirstName:279268567374
msExchUMDtmfMap: firstNameLastName:567374279268
msExchRecipientDisplayType: 1073741824
msRTCSIP-PrimaryUserAddress: sip:jlbryants@ufl.edu
msExchArchiveGUID:: ittysG0PvUS2XTQ4XQ4xjg==
msRTCSIP-DeploymentLocator: SRV:
msExchUserCulture: en-US
msExchArchiveWarnQuota: 47185920

Re: LDAP Group Creation Based on Security Groups

Posted: Thu Apr 12, 2012 8:45 am
by jmoore
jlbryants wrote:
This would be my directory information. Two of the three Groups in question are highlighted in Red.
memberOf:
CN=DN-Omero-Brown-Lab,OU=Omero,OU=Groups,OU=DENTISTRY,OU=HSC,OU=Departments,OU
=UF,DC=ad,DC=ufl,DC=edu
memberOf:
CN=DN-Omero-Grieshaber-Lab,OU=Omero,OU=Groups,OU=DENTISTRY,OU=HSC,OU=Departmen
ts,OU=UF,DC=ad,DC=ufl,DC=edu
In this case, the setting
:attribute:memberOf

would add your user to these two groups, but I'm afraid also to all the other, non-OMERO groups, since the group_filter setting is not currently being applied for :attribute: settings. I've filed a ticket to add that functionality.

Two remaining possibilities are: either to subclass the AttributeNewUserGroupBean, or there is a chance that a :query: setting will still work for you.

Could you provide a similar dump for one of the 2 OMERO groups listed?

Thanks,
~Josh

Re: LDAP Group Creation Based on Security Groups

Posted: Thu Apr 12, 2012 2:21 pm
by jlbryants
Thanks for the continued support Josh. Yes, if there would be a way to use the group_filter to filter the memberOf attribute to Groups in a specific OU, that would be great. That is how the Omero OU is being used in our setup. Below is the information you requested.

dn: CN=DN-Omero-Grieshaber-Lab,OU=Omero,OU=Groups,OU=DENTISTRY,OU=HSC,OU=Departments,OU=UF,DC=ad,DC=ufl,DC=edu
changetype: add
objectClass: top
objectClass: group
cn: DN-Omero-Grieshaber-Lab
member:
CN=tsrichards,OU=DN-ORALBIO,OU=DN,OU=HSC,OU=People,OU=UF,DC=ad,DC=ufl,DC=edu
member:
CN=jtizzi,OU=DN-ADMIN,OU=DN-ORALBIO,OU=DN,OU=HSC,OU=People,OU=UF,DC=ad,DC=ufl,
DC=edu
member:
CN=ngriesha,OU=DN-ORALBIO,OU=DN,OU=HSC,OU=People,OU=UF,DC=ad,DC=ufl,DC=edu
member:
CN=sgriesha,OU=DN-ORALBIO,OU=DN,OU=HSC,OU=People,OU=UF,DC=ad,DC=ufl,DC=edu
member:
CN=jlbryants,OU=DN-BUDGETINGINFOSYSTEM,OU=DN-FINANCEADMIN,OU=DN-DEANSOFF,OU=DN
,OU=HSC,OU=People,OU=UF,DC=ad,DC=ufl,DC=edu
member: CN=heather.brown,OU=STUDENTS,OU=People,OU=UF,DC=ad,DC=ufl,DC=edu
member: CN=jrunac,OU=STUDENTS,OU=People,OU=UF,DC=ad,DC=ufl,DC=edu
member: CN=andreak,OU=STUDENTS,OU=People,OU=UF,DC=ad,DC=ufl,DC=edu
distinguishedName:
CN=DN-Omero-Grieshaber-Lab,OU=Omero,OU=Groups,OU=DENTISTRY,OU=HSC,OU=Departmen
ts,OU=UF,DC=ad,DC=ufl,DC=edu
instanceType: 4
whenCreated: 20120302181207.0Z
whenChanged: 20120403161456.0Z
uSNCreated: 631293318
memberOf:
CN=DN-Omero-Users,OU=Omero,OU=Groups,OU=DENTISTRY,OU=HSC,OU=Departments,OU=UF,
DC=ad,DC=ufl,DC=edu
uSNChanged: 673768107
name: DN-Omero-Grieshaber-Lab
objectGUID:: pTGCHjptQ0aS+aTh8CznBA==
objectSid:: AQUAAAAAAAUVAAAAJCD6TbTy8Pm++BIUD1ISAA==
sAMAccountName: DN-Omero-Grieshaber-Lab
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=ad,DC=ufl,DC=edu
dSCorePropagationData: 16010101000000.0Z

Re: LDAP Group Creation Based on Security Groups

Posted: Thu Apr 12, 2012 2:41 pm
by jmoore
jlbryants wrote:
member: CN=heather.brown,OU=STUDENTS,OU=People,OU=UF,DC=ad,DC=ufl,DC=edu


Since your groups have the "member" attributes, it should be possible for you to use :query: via something like:
omero.ldap.new_user_group=:query:(&(...OU=omero...)(member=@{dn}))


Let me know if you need help specifying the query to match OU=omero.

Cheers,
~Josh

Re: LDAP Group Creation Based on Security Groups

Posted: Thu Apr 12, 2012 4:49 pm
by jlbryants
I guess I do because what I tried gave a ValidationException: The user 52 has no default group set.

What I entered:
omero.ldap.new_user_group=:query:(&(DN=OU=Omero,OU=Groups,OU=DENTISTRY,OU=HSC,OU=Departments,OU=UF,DC=ad,DC=ufl,DC=edu)(member=@{dn}))"

What appears in the config.xml file is:
<property name="omero.ldap.new_user_group" value=":query:(&amp;(CN=OU=Omero,OU=Groups,OU=DENTISTRY,OU=HSC,OU=Departments,OU=UF,DC=ad,DC=ufl,DC=edu)(member=@{dn}))"/>

Re: LDAP Group Creation Based on Security Groups

Posted: Thu Apr 12, 2012 6:19 pm
by jmoore
The query you tried is only looking for exact matches to OU=Omero rather than the subgroups. I've read some posts saying OU filters aren't (fully) supported on AD so we may need to try out a few different queries. This post has one example which would suggest:
(&(OU=Omero)(member=@{dn}))

If there's a potential that that could match something else in AD, you might want to be more explicit:

(&(OU=Omero)(OU=Groups)(OU=DENTISTRY)(OU=UF)(member=@{dn}))

Or alternatively try the wildcard version:
(CN=*,OU=Omero,OU=Groups,OU=DENTISTRY,OU=HSC,OU=Departments,OU=UF,DC=ad,DC=ufl,DC=edu)


Hopefully, one of these will help.
Cheers,
~Josh
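An added example (not OMERO code, nor anything from this thread) that models the two approaches discussed above: Josh's point that a plain :attribute:memberOf maps the user into every AD group because no group_filter is applied, versus a member=@{dn} search whose reach is limited to the Omero OU, plus the DN= filter jlbryants tried, which matches nothing and so leaves the user without a group. The directory entries are constructed from the DNs posted in the thread, and the filter evaluator is a deliberate simplification (equality, '*' wildcard and '&' only), not a real LDAP server.

```python
"""Added example, not OMERO code: model (1) the user's memberOf values restricted to one
OU (the group_filter behaviour asked for above) and (2) a member=<user dn> search
scoped to that OU, as with :query:.  Entries are constructed from DNs in the thread."""
import re

OMERO_OU = ("OU=Omero,OU=Groups,OU=DENTISTRY,OU=HSC,OU=Departments,"
            "OU=UF,DC=ad,DC=ufl,DC=edu")
USER_DN = ("CN=jlbryants,OU=DN-BUDGETINGINFOSYSTEM,OU=DN-FINANCEADMIN,OU=DN-DEANSOFF,"
           "OU=DN,OU=HSC,OU=People,OU=UF,DC=ad,DC=ufl,DC=edu")
BROWN = "CN=DN-Omero-Brown-Lab," + OMERO_OU
GRIESHABER = "CN=DN-Omero-Grieshaber-Lab," + OMERO_OU
STAFF = ("CN=DN-Staff,OU=Distribution-Lists,OU=Mail,OU=DENTISTRY,OU=HSC,"
         "OU=Departments,OU=UF,DC=ad,DC=ufl,DC=edu")

# Constructed directory: entry DN -> {lower-cased attribute: [values]}.
DIRECTORY = {
    BROWN: {"cn": ["DN-Omero-Brown-Lab"], "member": [USER_DN]},
    GRIESHABER: {"cn": ["DN-Omero-Grieshaber-Lab"], "member": [USER_DN]},
    # nested parent group: jlbryants belongs to it only via DN-Omero-Grieshaber-Lab
    "CN=DN-Omero-Users," + OMERO_OU: {"cn": ["DN-Omero-Users"], "member": [GRIESHABER]},
    STAFF: {"cn": ["DN-Staff"], "member": [USER_DN]},
}
USER_MEMBER_OF = [STAFF, BROWN, GRIESHABER]   # a short cut of the memberOf dump above

def split_dn(dn):
    """RDNs of a DN, case-folded; a comma escaped with a backslash does not split."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn)]

def in_subtree(dn, base):
    """True when dn lies strictly below base (what a search base restricts)."""
    parts, base_parts = split_dn(dn), split_dn(base)
    return len(parts) > len(base_parts) and parts[-len(base_parts):] == base_parts

def filtered_member_of(member_of, base):
    """Approach (1): memberOf values, keeping only groups under base."""
    return [dn for dn in member_of if in_subtree(dn, base)]

def parse_filter(flt, i=0):
    """Parse '(&(a=v)(b=v))' or '(a=v)' into a small tree; returns (node, next_index)."""
    if flt[i + 1] == "&":
        subs, i = [], i + 2
        while flt[i] == "(":
            node, i = parse_filter(flt, i)
            subs.append(node)
        return ("and", subs), i + 1
    j = flt.index(")", i)
    attr, _, value = flt[i + 1:j].partition("=")      # split on the first '=' only
    return ("eq", attr.lower(), value), j + 1

def matches(attrs, node):
    """Evaluate a parsed filter against one entry's attributes, case-insensitively."""
    if node[0] == "and":
        return all(matches(attrs, sub) for sub in node[1])
    _, attr, value = node
    pattern = re.escape(value).replace(r"\*", ".*")
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in attrs.get(attr, []))

def search(base, flt):
    """Approach (2): DNs of entries under base matching flt, like a subtree search."""
    node, _ = parse_filter(flt)
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if in_subtree(dn, base) and matches(attrs, node))

def groups_for_user(user_dn=USER_DN):
    """Groups jlbryants would get under each setting discussed in the thread."""
    return {
        # plain :attribute:memberOf with no group_filter: every AD group comes along
        "attribute_unfiltered": sorted(USER_MEMBER_OF),
        "attribute_filtered": sorted(filtered_member_of(USER_MEMBER_OF, OMERO_OU)),
        # the filter jlbryants tried: 'DN' is not an attribute of these entries and the
        # value is the OU's own DN, so nothing matches and the user ends up groupless
        "query_dn_equals": search("DC=ad,DC=ufl,DC=edu",
                                  "(&(DN=" + OMERO_OU + ")(member=" + user_dn + "))"),
        # member= with the search base scoped to the OU: direct memberships only
        "query_scoped": search(OMERO_OU, "(member=" + user_dn + ")"),
    }
```

The nested DN-Omero-Users group is never returned by the member= search because the user is only a member of it through another group; that mirrors plain member matching, which does not follow nesting.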