<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif; ">
<div>
<div>Hi Yanling</div>
<div><br>
</div>
<div>If you have clean OMERO installation and would like to take an advantage of LDAP authentication you should keep user management on the LDAP level. First you should organise potential OMERO users in LDAP, assign them to the new groups, etc. You want OMERO
automatically create an account when your user logs in for the first time and even synchronise on user login. This doesn't mean you are giving access to everyone.</div>
<div><br>
</div>
<div>The simplest way is to create number of new groups in LDAP, assign members, and then set the following in OMERO config:</div>
<div><br>
</div>
<div><i>cn=OMERO-GROUP1,ou=groups,ou=example…</i></div>
<div><i>cn=OMERO-GROUP2,ou=groups,ou=example…</i></div>
<div><br>
</div>
<div>
<div><i>bin/omero config set omero.ldap.group_filter "(&(objectClass=groupOfNames)(|(cn=OMERO-GROUP1)(cn=OMERO-GROUP2)))"</i></div>
<div><br>
</div>
</div>
<div>By adding custom attributes on each user entry you can even filter these users within the above groups. There are various ways to set filters for user and/or group entries, see <a href="http://www.openmicroscopy.org/site/support/omero5/sysadmins/server-ldap.html#user-lookup">http://www.openmicroscopy.org/site/support/omero5/sysadmins/server-ldap.html#user-lookup</a>.</div>
<div><br>
</div>
<div>It will guarantee you full control on the authentication.</div>
<div><br>
</div>
<div>
<div><br>
</div>
<div>
<div>Kind regards</div>
<div>Ola</div>
</div>
</div>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Yanling Liu <<a href="mailto:vrnova@gmail.com">vrnova@gmail.com</a>><br>
<span style="font-weight:bold">Date: </span>Wed, 10 Sep 2014 12:31:07 -0400<br>
<span style="font-weight:bold">To: </span>Blazej Pindelski <<a href="mailto:b.pindelski@dundee.ac.uk">b.pindelski@dundee.ac.uk</a>><br>
<span style="font-weight:bold">Cc: </span>OME OME-devel <<a href="mailto:ome-devel@lists.openmicroscopy.org.uk">ome-devel@lists.openmicroscopy.org.uk</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [ome-devel] LDAP question<br>
</div>
<div><br>
</div>
<div dir="ltr">
<div>
<div>Hello Blazej,<br>
<br>
</div>
Thanks for your message and I need more help here.<br>
<br>
Suppose we have a freshly installed clean OME system running, plus we have a known list of users accessing OME, what would be the correct procedure to configure OME so these known users can login using LDAP credentials?<br>
<br>
</div>
<div>We don't want to have new account automatically created in OME as we have controlled user base. We want to prepare OME so users can login to see their existing images rather than letting them to login in order to create their accounts. Could we first create
user accounts in OME using "bin/omero user add" and then configure OME to use LDAP? How do we turn off automatic account creation once we enable LDAP?<br>
<br>
</div>
<div>If LDAP is enabled, would it be possible to login using local root user? Would it be possible to create more local users such as a dedicated local "importer" account, while other users still use LDAP passwords to login?<br>
<br>
</div>
<div>I have read the documentation on converting non-LDAP user to LDAP users (<a href="http://www.openmicroscopy.org/site/support/faq/omero/how-do-you-convert-a-non-ldap-user-to-using-ldap">http://www.openmicroscopy.org/site/support/faq/omero/how-do-you-convert-a-non-ldap-user-to-using-ldap</a>).
How does this apply to our scenario?<br>
<br>
</div>
<div>Many thanks,<br>
Yanling<br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Sep 5, 2014 at 11:28 AM, Blazej Pindelski <span dir="ltr">
<<a href="mailto:b.pindelski@dundee.ac.uk" target="_blank">b.pindelski@dundee.ac.uk</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On 5 Sep 2014, at 15:56, Yanling Liu <<a href="mailto:vrnova@gmail.com">vrnova@gmail.com</a>> wrote:<br>
> Hello,<br>
<br>
Hi Yanling<br>
<div>
<div class="h5"><br>
> Could I have some help in configuring OME to use LDAP?<br>
><br>
> Right now I have following information available:<br>
><br>
> domain name<br>
> domain controller<br>
> site/urls<br>
> base<br>
> bind password<br>
><br>
> but how do I put these information into OME? I have checked OME LDAP documentation page but it didn't mention domain name, domain controller, and bind password, when do I need to use them?<br>
><br>
> Any help?<br>
<br>
</div>
</div>
The best starting place would be <a href="http://www.openmicroscopy.org/site/support/omero5/sysadmins/server-ldap.html#minimum-configuration" target="_blank">
http://www.openmicroscopy.org/site/support/omero5/sysadmins/server-ldap.html#minimum-configuration</a>.<br>
The settings have to be understood as follows:<br>
- omero.ldap.config=true - switches on the LDAP subsystem in OMERO,<br>
- omero.ldap.urls=ldap://localhost:389 - that is the URL of the LDAP/AD server (site/urls in your case?),<br>
- omero.ldap.username and omero.ldap.password - those are the credentials (I'd imagine "bind password, in your case) used for connecting to the LDAP/AD server,<br>
- omero.ldap.base=ou=example,o=com - this is the base from which OMERO will start to look for users ("base" in your case).<br>
<br>
I hope that helps. If the documentation can be improved, please let us know.<br>
<br>
Regards,<br>
Blazej<br>
<br>
> Thanks,<br>
> Yanling<br>
> _______________________________________________<br>
> ome-devel mailing list<br>
> <a href="mailto:ome-devel@lists.openmicroscopy.org.uk">ome-devel@lists.openmicroscopy.org.uk</a><br>
> <a href="http://lists.openmicroscopy.org.uk/mailman/listinfo/ome-devel" target="_blank">
http://lists.openmicroscopy.org.uk/mailman/listinfo/ome-devel</a><br>
<br>
<br>
The University of Dundee is a registered Scottish Charity, No: SC015096<br>
</blockquote>
</div>
<br>
</div>
_______________________________________________ ome-devel mailing list <a href="mailto:ome-devel@lists.openmicroscopy.org.uk">
ome-devel@lists.openmicroscopy.org.uk</a> <a href="http://lists.openmicroscopy.org.uk/mailman/listinfo/ome-devel">
http://lists.openmicroscopy.org.uk/mailman/listinfo/ome-devel</a> </span><br>
<span style="font-size:10pt;">The University of Dundee is a registered Scottish Charity, No: SC015096</span>
</body>
</html>