[ome-users] LDAP question

Josh Moore josh at glencoesoftware.com
Thu Mar 31 10:46:23 BST 2011


On Mar 30, 2011, at 11:40 PM, Wood, Christopher wrote:

> Thanks Josh,
> 
> I was able to change my username to lower case and login with ldap as you suggested.

Glad to hear it.

> Can the omero admin create ldap users? For example, if user joe (or JOE) wants to use omero, can I create an ldap user without knowing joe's password?

The current clients don't provide a way to set the DN (#4828), but the API does, so...

> Or can I get a list of usernames and write a script to do the mapping between omero username and ldap username.

Definitely. I'm attaching a CLI plugin that you can drop in your OMERO_DIST/lib/python/omero/plugins directory. Consider this an experimental feature that may be included in 4.3 (#4832). Any changes you want/need to make to it, we'd be very glad to hear about.

$ bin/omero -s root at localhost ldap discover --commands
Using session 0ea0fb10-c5f3-4f22-a9e3-1b766fbd59df (root at localhost:4064). Idle timeout: 10.0 min. Current group: system
Connecting to ldap://localhost:1389...
bin/omero ldap setdn root dn=uid=root,ou=people,ou=lifesci,o=dundee
bin/omero ldap setdn flim dn=cn=flim,ou=edir,ou=people,ou=lifesci,o=dundee
...

You probably _don't_ want to run the "root" one (and the plugin should probably filter it out by default). The second command you can copy and paste to the command line to set the user's DN. Note: "discover" uses the python-ldap module internally in order to work around your case-sensitivity issue (#4821). Authentication to LDAP, use of certificates, etc. have not yet been added to the plugin. However, you're welcome to use some other means to get the DNs, and then just call bin/omero ldap setdn.

> Chris

Cheers,
~Josh.

> 
> -----Original Message-----
> From: Josh Moore [mailto:josh at glencoesoftware.com] 
> Sent: Wednesday, March 30, 2011 2:24 PM
> To: Wood, Christopher
> Cc: OME Users
> Subject: Re: [ome-users] LDAP question
> 
> Thanks for the log, Chris. I stand corrected; the issue is a bit more complicated. In OMERO, case exactness is enforced during password checking to prevent collisions between users (cjw and CJW, for example). We would need to provide a constraint to prevent two users from having names that match in all but case if we allow the LDAP check to be case-insensitive.
> 
> I've created http://trac.openmicroscopy.org.uk/ome/ticket/4821
> to track the feature.
> 
> If you have any thoughts or suggestions, please let us know.
> ~Josh.
> 
> On Mar 30, 2011, at 3:15 PM, Wood, Christopher wrote:
> 
>> Hi Josh,
>> Here is the log file; look for the login attempts for cjw and CJW.
>> 
>> Thanks for your help.
>> Chris
>> 
>> -----Original Message-----
>> From: Josh Moore [mailto:josh at glencoesoftware.com] 
>> Sent: Wednesday, March 30, 2011 7:13 AM
>> To: Wood, Christopher
>> Cc: ome-users at lists.openmicroscopy.org.uk
>> Subject: Re: [ome-users] LDAP question
>> 
>> 
>> On Mar 30, 2011, at 12:04 AM, Wood, Christopher wrote:
>> 
>>> Hi,
>> 
>> Hi Chris,
>> 
>>> We have just set up an omero 4.2.2 server to use ldap. It seems to work, but we are having an issue with upper/lower case usernames.
>>> 
>>> Our domain usernames are usually our initials, so I log in to everything as 'abc'. I always use lower case without problems. When I tried to login to omero for the first time with abc, I could not login. Logging in with all upper case ABC worked, and it created an ldap omero user as 'ABC', all caps (as it should).
>>> Another person logged in with lower case, 'xyz', and it worked. It seems that the case of the username depends on who initially created a user account.
>> 
>> This certainly sounds odd. Could you possibly send the var/log/Blitz-0.log file (off list if you prefer), so we can see if a particular exception caused the initial failure during your lowercase login.
>> 
>>> Is there any way to get around this from the omero point of view, so all usernames can be lowercase, regardless of the case on the ldap server?
>> 
>> You should be able to change your username via WebAdmin now, without affecting the LDAP login. What's happened (I think) is that the password check, for whatever reason, required capitals. However, after the successful login your dn was inserted into the password table. That should now be used to perform the lookup, regardless of what your username is.
>> 
>> At the moment, there's no way to set a flag to have all usernames lower cased. By subclassing one of the LDAP extension points, however, it should be achievable.
>> 
>>> Thanks
>>> Chris
>> 
>> Cheers,
>> ~Josh.
>> <Blitz-0.zip>
> 
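The following is an added example, not the plugin attached to the message above and not OMERO code. It models the "discover" step Josh describes (find each OMERO user's LDAP entry ignoring case, then emit a `bin/omero ldap setdn` line) together with the constraint he raises in the earlier reply: if the LDAP lookup is case-insensitive, two OMERO users whose names differ only in case (cjw and CJW) can no longer be told apart, so the script reports them instead of mapping them, and likewise refuses to guess when more than one LDAP entry matches. The directory is a constructed in-memory list so the script runs offline; swapping `search_uid_ignorecase` for a python-ldap `search_s()` call is the assumed production path and is not shown. The `root` filtering, the sample DNs and the `SAMPLE_DIRECTORY` names are assumptions made for this example.

```python
"""Case-insensitive OMERO username -> LDAP DN mapping with collision checks.

Added example, not OMERO's own plugin. The directory lookup runs over a
constructed list of (dn, uid) pairs so the script works offline; in production
the same function would wrap a python-ldap search_s() call (assumption).
"""
import shlex
from collections import defaultdict

# Constructed sample entries (dn, uid); not taken from any real directory.
SAMPLE_DIRECTORY = [
    ("uid=root,ou=people,ou=lifesci,o=dundee", "root"),
    ("cn=flim,ou=edir,ou=people,ou=lifesci,o=dundee", "flim"),
    ("uid=abc,ou=people,ou=lifesci,o=dundee", "ABC"),
    ("uid=xyz,ou=people,ou=lifesci,o=dundee", "xyz"),
    # Two entries whose uid differs only in case: deliberately ambiguous.
    ("uid=dup,ou=people,ou=lifesci,o=dundee", "dup"),
    ("uid=DUP,ou=other,ou=lifesci,o=dundee", "DUP"),
]


def search_uid_ignorecase(directory, username):
    """Return every DN whose uid equals username when case is ignored."""
    wanted = username.lower()
    return [dn for dn, uid in directory if uid.lower() == wanted]


def find_case_collisions(usernames):
    """Group OMERO usernames that differ only in case, e.g. cjw and CJW.

    Returns {lowercased name: [original spellings]} for groups of size > 1.
    """
    groups = defaultdict(list)
    for name in usernames:
        groups[name.lower()].append(name)
    return {key: names for key, names in groups.items() if len(names) > 1}


def discover(usernames, directory, skip=("root",)):
    """Build setdn commands for unambiguous users; report the rest.

    Returns (commands, problems). A user is only mapped when it has no
    case-colliding OMERO sibling and exactly one LDAP entry matches.
    """
    commands, problems = [], []
    collisions = find_case_collisions(usernames)
    for name in usernames:
        if name in skip:  # e.g. never emit a setdn line for root
            continue
        if name.lower() in collisions:
            problems.append("%s: OMERO users %s differ only in case; not mapping"
                            % (name, collisions[name.lower()]))
            continue
        dns = search_uid_ignorecase(directory, name)
        if len(dns) == 1:
            commands.append("bin/omero ldap setdn %s dn=%s"
                            % (shlex.quote(name), shlex.quote(dns[0])))
        elif not dns:
            problems.append("%s: no LDAP entry matches ignoring case" % name)
        else:
            problems.append("%s: ambiguous, %d LDAP entries match ignoring case"
                            % (name, len(dns)))
    return commands, problems


if __name__ == "__main__":
    # Constructed OMERO user list, including a cjw/CJW collision and a user
    # with no directory entry.
    users = ["root", "flim", "ABC", "xyz", "dup", "cjw", "CJW", "nobody"]
    cmds, probs = discover(users, SAMPLE_DIRECTORY)
    for line in cmds:
        print(line)
    for line in probs:
        print("# skipped: " + line)
```

Run it and paste only the printed `bin/omero ldap setdn` lines; anything marked `# skipped:` needs a human decision (rename one of the colliding OMERO users, or pick the intended entry by hand) before a DN is set.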



