
mapping groups and users

Having a problem deploying OMERO? Please ask new questions at https://forum.image.sc/tags/omero


Re: mapping groups and users

Postby saleht » Fri Dec 02, 2016 6:03 pm

Hi jmoore,
Thank you very much for your effort. I changed the configuration many times but it is still not working. I think I know where the problem is: I changed the filter for groups and the base.
My latest configuration is:
omero.ldap.base=dc=ad,dc=hhu,dc=de
omero.ldap.config=true
omero.ldap.group_filter=(&(cn=CAi_*)(memberof=cn=CAi_Allgemein,OU=FileShares,OU=Zentrum für Informations- und Medientechnologie,OU=Heinrich-Heine-Universität,dc=ad,dc=hhu,dc=de))
omero.ldap.group_mapping=name=cn
omero.ldap.new_user_group=:query:(member=@{dn})
omero.ldap.password=********
omero.ldap.referral=follow
omero.ldap.sync_on_login=true
omero.ldap.urls=ldap://SVR-HHU-DC-1.ad.hhu.de:389
omero.ldap.user_filter=(memberof:1.2.840.113556.1.4.1941:=cn=CAi_Allgemein,OU=FileShares,OU=Zentrum für Informations- und Medientechnologie,OU=Heinrich-Heine-Universität,dc=ad,dc=hhu,dc=de)
omero.ldap.user_mapping=omeName=sAMAccountName,firstName=givenName,lastName=sn,email=mail
omero.ldap.username=SVC_Omero

With this configuration, when I now try to do
bin/omero login -u saleht

it tells me that it cannot find a default group for saleht. If I disable sync_on_login and reset the default group for this user, I am able to log in.
It is quite clear to me that the problem is in one of the group config parameters:
filter, mapping or new_user_group

Note:
My group filter is correct because it returns the corresponding list of groups when I run this query from the ldapsearch command.
My command is:
ldapsearch -x -LLL -D "SVC_Omero" -w ************** -p 389 -h SVR-HHU-DC-1.ad.hhu.de -b 'dc=ad,dc=hhu,dc=de' -s sub "(&(cn=CAi_*)(memberof=cn=CAi_Allgemein,OU=FileShares,OU=Zentrum für Informations- und Medientechnologie,OU=Heinrich-Heine-Universität,dc=ad,dc=hhu,dc=de))" cn

Snapshot from the results:
cn: CAi_AG_Benga

cn: CAi_AG_Beye

cn: CAi_AG_Boege

cn: CAi_AG_Bridges

cn: CAi_AG_D_Haese

cn: CAi_AG_Drexler

cn: CAi_AG_Egelhaaf

cn: CAi_AG_Elvers

cn: CAi_AG_Ernst

cn: CAi_AG_Fehm


I think the problem is in this line:
omero.ldap.new_user_group=:query:(member=@{dn})

The problem is not related to
(memberof:1.2.840.113556.1.4.1941

because when I tried disabling the user filter I got the same message.

The highlighted (blue) lines are the groups which should appear in OMERO.

Thanks again,
saleht

Re: mapping groups and users

Postby jmoore » Sat Dec 03, 2016 10:21 am

Hi Saleh,

saleht wrote: With this configuration, when I now try to do
bin/omero login -u saleht

it tells me that it cannot find a default group for saleht. If I disable sync_on_login and reset the default group for this user, I am able to log in.
It is quite clear to me that the problem is in one of the group config parameters:
filter, mapping or new_user_group
...
I think the problem is in this line:
omero.ldap.new_user_group=:query:(member=@{dn})


Sounds like we're making progress. Could you send your Blitz-0.log and I can see if there's anything telling there? At the same time, could you try to update your ldapsearch to query by `(member=@{dn})`, replacing `@{dn}` with your own distinguished name and see if you get any results?

Cheers,
~Josh

Re: mapping groups and users

Postby saleht » Sun Dec 04, 2016 11:19 am

Snapshot from the logs:
2016-12-04 12:11:46,503 INFO [ ome.services.util.ServiceHandler] (2-thread-2) Args: [null, InternalSF@801634926]
2016-12-04 12:11:46,505 INFO [ ome.security.basic.EventHandler] (2-thread-2) Auth: user=0,group=0,event=null(Sessions),sess=a70699da-aceb-4143-8c92-01aaf17bac92
2016-12-04 12:11:46,510 INFO [ org.perf4j.TimingLogger] (2-thread-2) start[1480849906504] time[6] tag[omero.call.success.ome.services.sessions.SessionManagerImpl$6.doWork]
2016-12-04 12:11:46,510 INFO [ ome.services.util.ServiceHandler] (2-thread-2) Rslt: (ome.model.meta.Experimenter:Id_0, ome.model.meta.ExperimenterGroup:Id_0, (0, 1), ... 4 more)
2016-12-04 12:11:46,511 INFO [ ome.services.util.ServiceHandler] (2-thread-2) Executor.doWork -- ome.services.sessions.SessionManagerImpl.reload[fe8d47a8-535a-426b-85f8-6a8c8efa4793]
2016-12-04 12:11:46,511 INFO [ ome.services.util.ServiceHandler] (2-thread-2) Args: [null, InternalSF@801634926]
2016-12-04 12:11:46,512 INFO [ ome.security.basic.EventHandler] (2-thread-2) Auth: user=0,group=0,event=null(Sessions),sess=a70699da-aceb-4143-8c92-01aaf17bac92
2016-12-04 12:11:46,517 INFO [ org.perf4j.TimingLogger] (2-thread-2) start[1480849906511] time[6] tag[omero.call.success.ome.services.sessions.SessionManagerImpl$6.doWork]
2016-12-04 12:11:46,518 INFO [ ome.services.util.ServiceHandler] (2-thread-2) Rslt: (ome.model.meta.Experimenter:Id_0, ome.model.meta.ExperimenterGroup:Id_0, (0, 1), ... 4 more)
2016-12-04 12:11:46,518 INFO [ org.perf4j.TimingLogger] (2-thread-2) start[1480849906483] time[34] tag[omero.sessions.synchronization]
2016-12-04 12:11:46,518 INFO [ome.services.sessions.state.SessionCache] (2-thread-2) Synchronization took 34 ms.
2016-12-04 12:12:00,020 INFO [ ome.services.blitz.fire.SessionManagerI] (2-thread-4) Performing requestHeartbeats
2016-12-04 12:13:46,490 INFO [ome.services.sessions.state.SessionCache] (2-thread-5) Synchronizing session cache. Count = 3
2016-12-04 12:13:46,491 INFO [ ome.services.util.ServiceHandler] (2-thread-5) Executor.doWork -- ome.services.sessions.SessionManagerImpl.reload[a70699da-aceb-4143-8c92-01aaf17bac92]
2016-12-04 12:13:46,491 INFO [ ome.services.util.ServiceHandler] (2-thread-5) Args: [null, InternalSF@801634926]
2016-12-04 12:13:46,499 INFO [ ome.security.basic.EventHandler] (2-thread-5) Auth: user=0,group=0,event=null(Sessions),sess=a70699da-aceb-4143-8c92-01aaf17bac92
2016-12-04 12:13:46,509 INFO [ org.perf4j.TimingLogger] (2-thread-5) start[1480850026491] time[18] tag[omero.call.success.ome.services.sessions.SessionManagerImpl$6.doWork]
2016-12-04 12:13:46,509 INFO [ ome.services.util.ServiceHandler] (2-thread-5) Rslt: (ome.model.meta.Experimenter:Id_0, ome.model.meta.ExperimenterGroup:Id_0, (0, 1), ... 4 more)
2016-12-04 12:13:46,510 INFO [ ome.services.util.ServiceHandler] (2-thread-5) Executor.doWork -- ome.services.sessions.SessionManagerImpl.reload[ac9a557e-5d67-43ff-abf5-36ebeb013a58]
2016-12-04 12:13:46,510 INFO [ ome.services.util.ServiceHandler] (2-thread-5) Args: [null, InternalSF@801634926]
2016-12-04 12:13:46,511 INFO [ ome.security.basic.EventHandler] (2-thread-5) Auth: user=0,group=0,event=null(Sessions),sess=a70699da-aceb-4143-8c92-01aaf17bac92
2016-12-04 12:13:46,517 INFO [ org.perf4j.TimingLogger] (2-thread-5) start[1480850026510] time[7] tag[omero.call.success.ome.services.sessions.SessionManagerImpl$6.doWork]
2016-12-04 12:13:46,517 INFO [ ome.services.util.ServiceHandler] (2-thread-5) Rslt: (ome.model.meta.Experimenter:Id_0, ome.model.meta.ExperimenterGroup:Id_0, (0, 1), ... 4 more)
2016-12-04 12:13:46,518 INFO [ ome.services.util.ServiceHandler] (2-thread-5) Executor.doWork -- ome.services.sessions.SessionManagerImpl.reload[fe8d47a8-535a-426b-85f8-6a8c8efa4793]
2016-12-04 12:13:46,518 INFO [ ome.services.util.ServiceHandler] (2-thread-5) Args: [null, InternalSF@801634926]
2016-12-04 12:13:46,519 INFO [ ome.security.basic.EventHandler] (2-thread-5) Auth: user=0,group=0,event=null(Sessions),sess=a70699da-aceb-4143-8c92-01aaf17bac92
2016-12-04 12:13:46,525 INFO [ org.perf4j.TimingLogger] (2-thread-5) start[1480850026518] time[7] tag[omero.call.success.ome.services.sessions.SessionManagerImpl$6.doWork]
2016-12-04 12:13:46,525 INFO [ ome.services.util.ServiceHandler] (2-thread-5) Rslt: (ome.model.meta.Experimenter:Id_0, ome.model.meta.ExperimenterGroup:Id_0, (0, 1), ... 4 more)
2016-12-04 12:13:46,525 INFO [ org.perf4j.TimingLogger] (2-thread-5) start[1480850026490] time[34] tag[omero.sessions.synchronization]
2016-12-04 12:13:46,525 INFO [ome.services.sessions.state.SessionCache] (2-thread-5) Synchronization took 34 ms.
2016-12-04 12:15:00,012 INFO [ ome.services.blitz.fire.SessionManagerI] (2-thread-2) Performing requestHeartbeats


jmoore wrote: Sounds like we're making progress. Could you send your Blitz-0.log and I can see if there's anything telling there? At the same time, could you try to update your ldapsearch to query by `(member=@{dn})`, replacing `@{dn}` with your own distinguished name and see if you get any results?

I did not get you.
For a user like saleht or a group like CAi_CAi:
(member=saleht) ??
Please give more info.

Regards
Saleh

Re: mapping groups and users

Postby jmoore » Sun Dec 04, 2016 4:17 pm

saleht wrote: Snapshot from the logs:


Did you try to login during this 4 minute window?


saleht wrote: I did not get you.
For a user like saleht or a group like CAi_CAi:
(member=saleht) ??
Please give more info.


You showed that
ldapsearch -x -LLL -D "SVC_Omero" -w ************** -p 389 -h SVR-HHU-DC-1.ad.hhu.de -b 'dc=ad,dc=hhu,dc=de' -s sub "(&(cn=CAi_*)(memberof=cn=CAi_Allgemein,OU=FileShares,OU=Zentrum für Informations- und Medientechnologie,OU=Heinrich-Heine-Universität,dc=ad,dc=hhu,dc=de))" cn


returned a number of groups. If you add in the member= filter, do you still get results?

ldapsearch -x -LLL -D "SVC_Omero" -w ************** -p 389 -h SVR-HHU-DC-1.ad.hhu.de -b 'dc=ad,dc=hhu,dc=de' -s sub "(&(cn=CAi_*)(memberof=cn=CAi_Allgemein,OU=FileShares,OU=Zentrum für Informations- und Medientechnologie,OU=Heinrich-Heine-Universität,dc=ad,dc=hhu,dc=de)(member=YOURFULLDNHERE)" cn



Cheers,
~Josh

Re: mapping groups and users

Postby saleht » Sun Dec 04, 2016 7:55 pm

Yes, the snapshot includes the logs during the login.

[omero@localhost ~]$ ldapsearch -x -LLL -D "SVC_Omero" -w ************ -p 389 -h SVR-HHU-DC-1.ad.hhu.de -b 'dc=ad,dc=hhu,dc=de' -s sub "(sAMAccountName=saleht)" mail cn dn

dn: CN=Tibi\, Saleh (saleht),OU=IDMUsers,DC=AD,DC=hhu,DC=de
cn: Tibi, Saleh (saleht)
mail: Tibi.Saleh@uni-duesseldorf.de

My DN is dn: CN=Tibi\, Saleh (saleht),OU=IDMUsers,DC=AD,DC=hhu,DC=de
but I tried

ldapsearch -x -LLL -D "SVC_Omero" -w ************** -p 389 -h SVR-HHU-DC-1.ad.hhu.de -b 'dc=ad,dc=hhu,dc=de' -s sub "(&(cn=CAi_*)(memberof=cn=CAi_Allgemein,OU=FileShares,OU=Zentrum für Informations- und Medientechnologie,OU=Heinrich-Heine-Universität,dc=ad,dc=hhu,dc=de)(member= CN=Tibi\, Saleh (saleht),OU=IDMUsers,DC=AD,DC=hhu,DC=de)" cn

It gives an error, bad message -7, maybe because the syntax of the DN has symbols like , or space or ().
I think the main problem is here.
Any idea???

Re: mapping groups and users

Postby saleht » Sun Dec 04, 2016 10:12 pm

I searched on the internet and found that ( ) \ have some encoding.
My full DN is the following; this is correct and it works:
CN=Tibi\\c5, Saleh \\28saleht\\29,OU=IDMUsers,DC=AD,DC=hhu,DC=de


Now when I run the following command, I do not get any results; it is supposed to give a group called CAi_CAi:

ldapsearch -x -LLL -D "SVC_Omero" -w ************** -p 389 -h SVR-HHU-DC-1.ad.hhu.de -b 'dc=ad,dc=hhu,dc=de' -s sub "(&(cn=CAi_*)(memberof=cn=CAi_Allgemein,OU=FileShares,OU=Zentrum für Informations- und Medientechnologie,OU=Heinrich-Heine-Universität,dc=ad,dc=hhu,dc=de)(member=CN=Tibi\\c5, Saleh \\28saleht\\29,OU=IDMUsers,DC=AD,DC=hhu,DC=de)" cn
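The encoding question above is RFC 4515 filter escaping: a DN placed inside a search filter must have its backslash, parentheses and asterisk hex-escaped, and only then can you check that the assembled filter's parentheses balance. The following Python is an added example, not OMERO's code and not from this thread; the OU path is shortened and the sample DN and group filter are constructed to resemble the ones discussed.

```python
# Added example: RFC 4515 escaping of a DN for use as an LDAP filter value,
# the combined filter that OMERO's :query:(member=@{dn}) amounts to, and a
# parenthesis-balance check for the assembled filter.

# RFC 4515: these characters must be hex-escaped inside an assertion value.
FILTER_ESCAPES = {
    "\\": r"\5c",   # the backslash escaping the comma in "Tibi\, Saleh"
    "*": r"\2a",
    "(": r"\28",    # the parentheses around "(saleht)"
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Return value with RFC 4515 filter metacharacters hex-escaped."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def member_filter(group_filter: str, user_dn: str) -> str:
    """AND a group filter (as in omero.ldap.group_filter) with the
    (member=<dn>) clause that :query:(member=@{dn}) substitutes at login.
    Nesting the existing filter inside a new (&...) keeps it valid whatever
    its shape."""
    return "(&" + group_filter + "(member=" + escape_filter_value(user_dn) + "))"


def is_balanced(ldap_filter: str) -> bool:
    """True if every '(' has a matching ')' and none closes too early.
    Run this on the assembled filter after values are escaped: a raw '('
    or ')' inside a DN is read as filter structure by the server."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


# Constructed sample values modelled on the thread (shortened OU path).
GROUP_FILTER = "(&(cn=CAi_*)(memberof=cn=CAi_Allgemein,OU=FileShares,DC=ad,DC=hhu,DC=de))"
USER_DN = r"CN=Tibi\, Saleh (saleht),OU=IDMUsers,DC=AD,DC=hhu,DC=de"

if __name__ == "__main__":
    combined = member_filter(GROUP_FILTER, USER_DN)
    print(escape_filter_value(USER_DN))
    print(combined, "balanced" if is_balanced(combined) else "UNBALANCED")
```

Paste the printed filter into ldapsearch between double quotes; the backslashes then need doubling for the shell, which is why the thread's command shows `\\28`.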

Re: mapping groups and users

Postby jmoore » Mon Dec 05, 2016 7:53 am

saleht wrote: I searched on the internet and found that ( ) \ have some encoding.
My full DN is the following; this is correct and it works:
CN=Tibi\\c5, Saleh \\28saleht\\29,OU=IDMUsers,DC=AD,DC=hhu,DC=de



What do you mean this works? In which context did you use it?

saleht wrote: Now when I run the following command, I do not get any results; it is supposed to give a group called CAi_CAi:

ldapsearch -x -LLL -D "SVC_Omero" -w ************** -p 389 -h SVR-HHU-DC-1.ad.hhu.de -b 'dc=ad,dc=hhu,dc=de' -s sub "(&(cn=CAi_*)(memberof=cn=CAi_Allgemein,OU=FileShares,OU=Zentrum für Informations- und Medientechnologie,OU=Heinrich-Heine-Universität,dc=ad,dc=hhu,dc=de)(member=CN=Tibi\\c5, Saleh \\28saleht\\29,OU=IDMUsers,DC=AD,DC=hhu,DC=de)" cn


I think you're missing an ending parenthesis to close the new clause:

(&(cn=...)(memberof=...)(member=...)   ) <-- add this


Cheers,
~Josh

Re: mapping groups and users

Postby saleht » Mon Dec 05, 2016 9:27 am

jmoore wrote: What do you mean this works? In which context did you use it?

If I use this in any filter it works: CN=Tibi\\c5, Saleh \\28saleht\\29
That means my DN is correct.



jmoore wrote: (&(cn=...)(memberof=...)(member=...) ) <-- add this

That was a typo; it still gives no results.

I found that if I use member= in any query, the query will not give any results.
For example:
[omero@localhost ~]$ ldapsearch -x -LLL -D "SVC_Omero" -p 389 -h SVR-HHU-DC-1.ad.hhu.de -b 'dc=ad,dc=hhu,dc=de' -s sub "(&(cn=CAi_*)(member=CN=Tibi\\c5, Saleh \\28saleht\\29))" cn

It should give CAi_CAi.

Re: mapping groups and users

Postby jmoore » Mon Dec 05, 2016 9:22 pm

Hi Saleh,

saleht wrote: I found that if I use member= in any query, the query will not give any results.
For example:
$ ldapsearch -x -LLL -D "SVC_Omero" -p 389 -h SVR-HHU-DC-1.ad.hhu.de -b 'dc=ad,dc=hhu,dc=de' -s sub "(&(cn=CAi_*)(member=CN=Tibi\\c5, Saleh \\28saleht\\29))" cn

It should give CAi_CAi.


At this point, you may be best served by finding someone who's familiar with your institute's LDAP server for getting this (or a similar) query to work. Until there's an ldapsearch combining your group_filter and your :query: statement and returning the groups you intended, we're beyond the realm of OMERO.

If that turns out to be a dead-end and you have "memberOf" attributes on your user entries pointing back to the group, you can try using :filtered_attribute: (or depending on the value filtered_dn_attribute) instead.

Cheers,
~Josh.

Re: mapping groups and users

Postby saleht » Tue Dec 06, 2016 8:26 am

Thanks a lot, the issue is solved.
I used
$ bin/omero config set Omero.ldap.new_user_group :filtered_dn_attribute:memberOf

It works perfectly now, thanks again.
