LDAP Group Creation Based on Security Groups

Please note: this is a historical discussion about OMERO. Please look for and ask new questions at https://forum.image.sc/tags/omero

Re: LDAP Group Creation Based on Security Groups

Postby jmoore » Thu Apr 26, 2012 2:56 pm

Deleting a user is not possible, so perhaps what you did was only to remove your user from the group? You will need to either create a new DB for testing or change the name of the user in the DB.

Another option (to simplify testing) is to turn on the sync_on_login property:
Code:
# Whether or not values from LDAP will be
# synchronized to OMERO on each login. This includes
# not just the user name, email, etc, but also the
# groups that the user is a member of.
#
# WARNING:
# -------------------------------------------------
#   Currently, setting this to true means the user will be
#   removed from any groups to which they have been
#   added outside of LDAP! Please use carefully.
#
omero.ldap.sync_on_login=false


Cheers,
~Josh

Re: LDAP Group Creation Based on Security Groups

Postby jlbryants » Thu May 03, 2012 4:34 pm

Hi Josh,

Scott went ahead and set up Omero with a clean DB. I then added the LDAP configuration, which I will provide from the XML file below. I have blanked out the password. I have again tried to log in and will provide the error we are now receiving. Please look over everything and offer whatever input you can.

Thanks,

Joe

Config.xml:

<properties id="__ACTIVE__">
<property name="omero.config.profile" value="default"/>
<property name="omero.config.version" value="4.2.1"/>
<property name="omero.db.name" value="omero"/>
<property name="omero.db.user" value="omero"/>
<property name="omero.db.pass" value="omero"/>
<property name="omero.data.dir" value="/Omero-data"/>
<property name="omero.ldap.config" value="true"/>
<property name="omero.ldap.urls" value="ldap://ad.ufl.edu:389"/>
<property name="omero.ldap.username" value="CN=DN-OmeroServerLDAP,OU=ServiceAccounts,OU=DN-IT,OU=DENTISTRY,OU=HSC,OU=Departments,OU=UF,DC=ad,DC=ufl,DC=edu"/>
<property name="omero.ldap.password" value="***************************"/>
<property name="omero.ldap.base" value="OU=UF,DC=ad,DC=ufl,DC=edu"/>
<property name="omero.ldap.user_filter" value="(objectClass=user)"/>
<property name="omero.ldap.sync_on_login" value="true"/>
<property name="omero.security.password_provider" value="chainedPasswordProvider"/>
<property name="omero.ldap.user_mapping" value="omeName=cn,firstName=givenName,lastName=sn,email=mail"/>
<property name="omero.ldap.group_filter" value="(objectClass=group)"/>
<property name="omero.ldap.group_mapping" value="name=cn"/>
<property name="omero.ldap.new_user_group" value=":query:(&amp;(OU=Omero,OU=Groups,OU=Dentistry,OU=HSC,OU=Departments,OU=UF,DC=ad,DC=ufl,DC=edu)(member=@{dn}))"/>
</properties>
<properties id="default">
<property name="omero.config.version" value="4.2.1"/>
<property name="omero.db.name" value="omero"/>
<property name="omero.db.user" value="omero"/>
<property name="omero.db.pass" value="omero"/>
<property name="omero.data.dir" value="/Omero-data"/>
<property name="omero.ldap.config" value="true"/>
<property name="omero.ldap.urls" value="ldap://ad.ufl.edu:389"/>
<property name="omero.ldap.username" value="CN=DN-OmeroServerLDAP,OU=ServiceAccounts,OU=DN-IT,OU=DENTISTRY,OU=HSC,OU=Departments,OU=UF,DC=ad,DC=ufl,DC=edu"/>
<property name="omero.ldap.password" value="***************************"/>
<property name="omero.ldap.base" value="OU=UF,DC=ad,DC=ufl,DC=edu"/>
<property name="omero.ldap.user_filter" value="(objectClass=user)"/>
<property name="omero.ldap.sync_on_login" value="true"/>
<property name="omero.security.password_provider" value="chainedPasswordProvider"/>
<property name="omero.ldap.user_mapping" value="omeName=cn,firstName=givenName,lastName=sn,email=mail"/>
<property name="omero.ldap.group_filter" value="(objectClass=group)"/>
<property name="omero.ldap.group_mapping" value="name=cn"/>
<property name="omero.ldap.new_user_group" value=":query:(&amp;(OU=Omero,OU=Groups,OU=Dentistry,OU=HSC,OU=Departments,OU=UF,DC=ad,DC=ufl,DC=edu)(member=@{dn}))"/>
</properties>
</icegrid>


The error in the Blitz log:

2012-05-03 12:23:23,979 INFO [ ome.security.auth.LdapPasswordProvider] (l.Server-3) Default choice on create user: jlbryants (ome.conditions.ValidationException: No group found for: cn=jlbryants,ou=DN-BUDGETINGINFOSYSTEM,ou=DN-FINANCEADMIN,ou=DN-DEANSOFF,ou=DN,ou=HSC,ou=People,ou=UF,dc=ad,dc=ufl,dc=edu)
2012-05-03 12:23:23,980 INFO [ org.perf4j.TimingLogger] (l.Server-3) start[1336062203542] time[438] tag[omero.call.exception]
2012-05-03 12:23:23,980 WARN [ ome.services.util.ServiceHandler] (l.Server-3) Unknown exception thrown.

Re: LDAP Group Creation Based on Security Groups

Postby jmoore » Mon May 07, 2012 8:43 am

Hi Joe,

Hmmm... sorry to hear you're still having problems. Could you try, or have you already tried, a direct LDAP query with (member=<your DN here>)?

~Josh

Re: LDAP Group Creation Based on Security Groups

Postby jlbryants » Fri May 11, 2012 7:39 pm

I have used Softerra LDAP Browser and searched for my cn in the specific OU for Omero, setting the filter for group, and it returns all three Omero groups for my cn.

Re: LDAP Group Creation Based on Security Groups

Postby jmoore » Tue May 15, 2012 2:17 pm

How did you search for your cn? The query listed is looking for the dn:
Code:
(&(OU=Omero,OU=Groups,OU=Dentistry,OU=HSC,OU=Departments,OU=UF,DC=ad,DC=ufl,DC=edu)(member=@{dn}))


If your system stores cn for the member, then you could try changing @{dn} to @{cn}.

Cheers,
~Josh
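The two suggestions above (run a direct query with (member=<your DN>) against the directory, and try @{cn} in place of @{dn}) can be reasoned about offline. The following is an added example, not OMERO code and not something from the thread: a small evaluator for the subset of RFC 4515 LDAP filters used here, run over a constructed directory of one user and two groups. It assumes, as the thread suggests, that OMERO substitutes @{dn} and @{cn} into the ":query:" filter and runs it as a subtree search under a base DN; the entry DNs, group names and attribute values are made up for illustration. Two properties of LDAP filters it makes visible: `(member=...)` only matches when the stored value is exactly what you substitute (Active Directory stores full DNs in `member`, so a bare cn never matches), and a filter item such as `(OU=Omero,OU=Groups,...)` is an equality test on an `ou` attribute of each candidate entry, not a restriction on where the entry lives in the tree; the tree position is controlled by the search base, not the filter.

```python
"""Offline model of the LDAP lookup behind an OMERO ":query:" new_user_group.

Added example (not OMERO or forum code). It parses a subset of RFC 4515
filters, substitutes the @{dn} / @{cn} placeholders the way the thread
describes (an assumption about OMERO's mechanism), and runs the filter over
a small constructed directory so the variants discussed in this thread can be
compared without a server.
"""

# --- constructed directory entries (illustrative, not real UF data) ----------
USER_DN = "cn=jlbryants,ou=People,ou=UF,dc=ad,dc=ufl,dc=edu"
GROUP_OU = ("OU=Omero,OU=Groups,OU=Dentistry,OU=HSC,OU=Departments,"
            "OU=UF,DC=ad,DC=ufl,DC=edu")
DIRECTORY = {
    USER_DN: {"objectclass": ["top", "person", "user"], "cn": ["jlbryants"]},
    # Active Directory stores full member DNs, never bare cn values.
    "CN=omero-readers," + GROUP_OU: {
        "objectclass": ["top", "group"], "cn": ["omero-readers"],
        "member": [USER_DN]},
    "CN=omero-admins," + GROUP_OU: {
        "objectclass": ["top", "group"], "cn": ["omero-admins"],
        "member": ["cn=someone.else,ou=People,ou=UF,dc=ad,dc=ufl,dc=edu"]},
}


def _norm(value):
    """Case-insensitive compare; also drop whitespace around DN separators."""
    return ",".join(part.strip() for part in value.lower().split(","))


def parse_filter(text):
    """Parse (&...), (|...), (!...), (attr=value) and (attr=*) into tuples."""
    pos = 0

    def parse():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(parse())
            if text[pos] != ")":
                raise ValueError("unterminated %s filter" % op)
            pos += 1
            return (op, kids)
        end = text.index(")", pos)          # values here never contain ')'
        attr, sep, value = text[pos:end].partition("=")
        if not sep:
            raise ValueError("unsupported filter item: %s" % text[pos:end])
        pos = end + 1
        return ("=", attr.strip().lower(), value.strip())

    node = parse()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return node


def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attribute dict."""
    op = node[0]
    if op == "&":
        return all(matches(k, attrs) for k in node[1])
    if op == "|":
        return any(matches(k, attrs) for k in node[1])
    if op == "!":
        return not matches(node[1][0], attrs)
    _, attr, value = node
    present = attrs.get(attr, [])
    if value == "*":                        # presence test
        return bool(present)
    return any(_norm(v) == _norm(value) for v in present)


def search(base, filter_text, directory=DIRECTORY):
    """Subtree search: entries at or below `base` that satisfy the filter."""
    node = parse_filter(filter_text)
    base_n = _norm(base)
    return sorted(dn for dn, attrs in directory.items()
                  if (_norm(dn) == base_n or _norm(dn).endswith("," + base_n))
                  and matches(node, attrs))


def render(template, user_dn, user_attrs):
    """Substitute @{dn} and @{<attr>} placeholders (assumed OMERO syntax)."""
    out = template.replace("@{dn}", user_dn)
    for key, values in user_attrs.items():
        out = out.replace("@{%s}" % key, values[0])
    return out


def demo():
    """Compare the thread's filter with two alternatives; returns matched DNs."""
    user_attrs = DIRECTORY[USER_DN]
    base = "OU=UF,DC=ad,DC=ufl,DC=edu"     # omero.ldap.base from the thread
    # 1. As posted: "(OU=Omero,...)" tests an `ou` attribute that the group
    #    objects do not carry, so the AND can never be satisfied.
    thread = "(&(%s)(member=@{dn}))" % GROUP_OU
    # 2. Put the OU in the search base instead and keep only the member test.
    fixed = "(&(objectClass=group)(member=@{dn}))"
    # 3. @{cn}: member holds DNs, so a bare cn does not match anything.
    by_cn = "(&(objectClass=group)(member=@{cn}))"
    return {
        "thread": search(base, render(thread, USER_DN, user_attrs)),
        "fixed": search(GROUP_OU, render(fixed, USER_DN, user_attrs)),
        "by_cn": search(GROUP_OU, render(by_cn, USER_DN, user_attrs)),
    }
```

Against a real directory the equivalent check is an `ldapsearch` run with `-b` set to the group OU and the filter `(member=<your full DN>)`, using the same bind account OMERO uses, so that the result reflects what that account is allowed to read rather than what an interactive browser logged in as yourself can see.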

Re: LDAP Group Creation Based on Security Groups

Postby jlbryants » Thu May 24, 2012 12:23 pm

Josh,

I gave that a try and that didn't work either. Is there a way to use LDAP for user authentication and then we manually put them in groups after their user account is created in Omero by LDAP? Another question is, do groups need to be set up in Omero to match my security groups in LDAP, or are the groups automatically created based on the new_user_group setting we are currently trying to resolve?

Thanks,

Joe

Re: LDAP Group Creation Based on Security Groups

Postby ehrenfeu » Thu May 24, 2012 12:46 pm

I gave that a try and that didn't work either. Is there a way to use LDAP for user authentication and then we manually put them in groups after their user account is created in Omero by LDAP?

That's exactly what we did on our OMERO here: no LDAP groups (so far), just authentication via LDAP.

Another question is, do groups need to be set up in Omero to match my security groups in LDAP, or are the groups automatically created based on the new_user_group setting we are currently trying to resolve?

Don't know for the security groups, but if you're manually putting them into groups in OMERO, you can assign the correct permissions as you need anyway. Or did I get you wrong here?

Cheers
Niko

Re: LDAP Group Creation Based on Security Groups

Postby jmoore » Thu May 24, 2012 2:23 pm

Joe & Niko,

You will have to assign all of the LDAP users to at least one group on creation. This is (perhaps wrongly) required so that user will be able to login immediately upon creation.

One option would be to set the property:
Code:
bin/omero config set omero.ldap.new_user_group LDAP_USERS

so that all users would be added to the otherwise unused LDAP_USERS group. Then for each user, you could go in and add them to arbitrary other groups and possibly remove them from the LDAP_USERS group.

There's no requirement to have groups in OMERO match groups in LDAP whatsoever as long as sync_on_login is not used, and all groups will be created by OMERO if they do not already exist.

Cheers,
~Josh

Re: LDAP Group Creation Based on Security Groups

Postby jlbryants » Thu May 24, 2012 2:34 pm

Hi Niko,

Thanks for your reply. On the second part of my inquiry, it was suggested the reason groups might not be working is that I would need to create the three groups we need manually. Then when a user attempted to log in, it would validate them as an LDAP member, check the security groups they are a member of, and if those security groups existed as groups in Omero, they would be added to the group. It is thought groups will not be created in Omero from LDAP; they must be created manually.

As for the first part, maybe you can direct me a bit. When a user logs in and is authenticated by LDAP, it puts them in a default group. I have then gone into Omero as the root user and added the existing user to the groups they should be in. When that user logs in again, they do not show as being in anything other than the default group. It removes the association with the other groups and shows them in the default group only. In other words, if I log back in as root and look under the administrative tab, I no longer see that person in any group other than default. Where am I going wrong?

Thanks,

Joe

Re: LDAP Group Creation Based on Security Groups

Postby jlbryants » Thu May 24, 2012 2:38 pm

Josh,

I just saw your post and am curious about turning off omero.ldap.sync_on_login, which is currently on for my setup. If I turn it off and the user's LDAP password is changed, will the new password sync properly in Omero with sync_on_login set to false?

Joe