[ome-users] LDAP question

Josh Moore josh at glencoesoftware.com
Mon Sep 19 11:10:02 BST 2011


Hi Chris,

what's happened is that since we haven't fixed the general upper/lower case issues you reported previously[1], when we fixed a new issue[2], it broke your workaround. First of all, our apologies.

By way of explanation, starting with 4.3.2, the default password provider checks the user_filter against LDAP on every login to detect users who no longer should have rights to OMERO. Since the case-sensitivity of the user_filter is exactly your problem, delaying the call to setdn is not enough.

I've packaged the password provider from 4.3.1 into an extensions.jar for the moment:

-------------- next part --------------
A non-text attachment was scrubbed...
Name: extensions.jar
Type: application/java-archive
Size: 8941 bytes
Desc: not available
URL: <http://lists.openmicroscopy.org.uk/pipermail/ome-users/attachments/20110919/0119f7bf/attachment.jar>
-------------- next part --------------


The code for doing so has been linked from the 4821 ticket[1], which I've CC'd you on. To use it:

 * copy it into lib/server of your deployment directory (assuming you don't already use extensions.jar)
 * run: bin/omero config set omero.security.password_provider customChainedPasswordProvider
 * restart OMERO.

For more information on how extension jars work, see ExtendingOmero[3].

Again, sorry for the inconvenience.
Cheers,
~Josh.

[1] https://trac.openmicroscopy.org.uk/ome/ticket/4821
[2] https://trac.openmicroscopy.org.uk/ome/ticket/6248
[3] http://trac.openmicroscopy.org.uk/ome/wiki/ExtendingOmero

On Sep 19, 2011, at 4:37 AM, Wood, Christopher wrote:

> Hi,
> 
> Our A.D./ldap server has some upper case/lower case inconsistencies in the way usernames are assigned. Sometimes lower case initials, sometimes upper case.
> 
> Previously, in 4.3.1, we would create a user using lower case usernames and then use setdn to set their distinguished name to enable using ldap.
> This always worked.
> 
> In version 4.3.2, the assigned username (for existing users) and distinguished name do not work if the case of the username does not match that in ldap.
> Changing the case (from "abc" to "ABC") fixes the problem, but I don't want to figure out which names need to be changed and then explain to users they need to use upper case.
> 
> Is there anything I can do to get around this problem?
> 
> Thanks
> Chris
> ________________________________________
> From: Josh Moore [josh at glencoesoftware.com]
> Sent: Thursday, March 31, 2011 4:46 AM
> To: Wood, Christopher
> Cc: OME Users
> Subject: Re: [ome-users] LDAP question
> 
> On Mar 30, 2011, at 11:40 PM, Wood, Christopher wrote:
> 
>> Thanks Josh,
>> 
>> I was able to change my username to lower case and login with ldap as you suggested.
> 
> Glad to hear it.
> 
>> Can the omero admin create ldap users? For example, if user joe (or JOE) wants to use omero, can I create an ldap user without knowing joe's password?
> 
> The current clients don't provide a way to set the DN (#4828), but the API does, so...
> 
>> Or can I get a list of usernames and write a script to do the mapping between omero username and ldap username.
> 
> Definitely. I'm attaching a CLI plugin that you can drop in your OMERO_DIST/lib/python/omero/plugins directory. Consider this an experimental feature that may be included in 4.3 (#4832). Any changes you want/need to make to it, we'd be very glad to hear about.
> 
> $ bin/omero -s root@localhost ldap discover --commands
> Using session 0ea0fb10-c5f3-4f22-a9e3-1b766fbd59df (root@localhost:4064). Idle timeout: 10.0 min. Current group: system
> Connecting to ldap://localhost:1389...
> bin/omero ldap setdn root dn=uid=root,ou=people,ou=lifesci,o=dundee
> bin/omero ldap setdn flim dn=cn=flim,ou=edir,ou=people,ou=lifesci,o=dundee
> ...
> 
> You probably _don't_ want to run the "root" one (and the plugin maybe should filter it out by default). The second command you can copy and paste to the command line to set the user's DN. Note: "discover" uses the python-ldap module internally in order to work around your case-sensitivity issue (#4821). Authentication to LDAP, use of certificates, etc. have not yet been added to the plugin. However, you're welcome to use some other means to get the DNs, and then just call bin/omero ldap setdn.
> 
>> Chris
> 
> Cheers,
> ~Josh.
> 
>> 
>> -----Original Message-----
>> From: Josh Moore [mailto:josh at glencoesoftware.com]
>> Sent: Wednesday, March 30, 2011 2:24 PM
>> To: Wood, Christopher
>> Cc: OME Users
>> Subject: Re: [ome-users] LDAP question
>> 
>> Thanks for the log, Chris. I stand corrected; the issue is a bit more complicated. In OMERO, case exactness is enforced during password checking to prevent collisions between users (cjw and CJW, for example). We would need to provide a constraint to prevent two users from having names that match in all but case if we allow the LDAP check to be case-insensitive.
>> 
>> I've created http://trac.openmicroscopy.org.uk/ome/ticket/4821
>> to track the feature.
>> 
>> If you have any thoughts or suggestions, please let us know.
>> ~Josh.
>> 
>> On Mar 30, 2011, at 3:15 PM, Wood, Christopher wrote:
>> 
>>> Hi Josh,
>>> Here is the log file, look for the login attempts for cjw and CJW
>>> 
>>> Thanks for your help.
>>> Chris
>>> 
>>> -----Original Message-----
>>> From: Josh Moore [mailto:josh at glencoesoftware.com]
>>> Sent: Wednesday, March 30, 2011 7:13 AM
>>> To: Wood, Christopher
>>> Cc: ome-users at lists.openmicroscopy.org.uk
>>> Subject: Re: [ome-users] LDAP question
>>> 
>>> 
>>> On Mar 30, 2011, at 12:04 AM, Wood, Christopher wrote:
>>> 
>>>> Hi,
>>> 
>>> Hi Chris,
>>> 
>>>> We have just set up an omero 4.2.2 server to use ldap. It seems to work, but we are having an issue with upper/lower case usernames.
>>>> 
>>>> Our domain usernames are usually our initials, so we login to everything as 'abc'. I always use lower case without problems. When I tried to login to omero for the first time with abc, I could not login. Logging in with all upper case ABC worked, and it created an ldap omero user as 'ABC', all caps (as it should).
>>>> Another person logged in with lower case, 'xyz', and it worked. It seems that the case of the username depends on who initially created a user account.
>>> 
>>> This certainly sounds odd. Could you possibly send the var/log/Blitz-0.log file (off list if you prefer), so we can see if a particular exception caused the initial failure during your lowercase login.
>>> 
>>>> Is there any way to get around this from the omero point of view, so all usernames can be lowercase, regardless of the case on the ldap server?
>>> 
>>> You should be able to change your username via WebAdmin now, without affecting the LDAP login. What's happened (I think) is that the password check, for whatever reason, required capitals. However, after the successful login your dn was inserted into the password table. That should now be used to perform the lookup, regardless of what your username is.
>>> 
>>> At the moment, there's no way to set a flag to have all usernames lower cased. By subclassing one of the LDAP extension points, however, it should be achievable.
>>> 
>>>> Thanks
>>>> Chris
>>> 
>>> Cheers,
>>> ~Josh.
>>> <Blitz-0.zip>
>> 
> 
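
Added example (not part of the original thread, the attached plugin, or the OMERO code base): the thread notes that a case-insensitive LDAP match is only safe if no two users have names that differ only by case (cjw and CJW). The sketch below audits a list of OMERO usernames against LDAP entries, refuses to map ambiguous names, skips root, and prints setdn commands in the format shown in the "discover" output above. The sample data, the function names, and the use of Python's casefold() as a stand-in for the directory's case-insensitive matching are assumptions.

```python
from collections import defaultdict

# Constructed sample data (not taken from any server in the thread).
OMERO_USERS = ["root", "abc", "xyz", "cjw", "CJW", "nobody"]
LDAP_ENTRIES = [  # (uid, dn) pairs as a directory search might return them
    ("ABC", "cn=ABC,ou=people,o=example"),
    ("xyz", "cn=xyz,ou=people,o=example"),
    ("CJW", "cn=CJW,ou=people,o=example"),
    ("root", "uid=root,ou=people,o=example"),
]
SKIP = {"root"}  # accounts that should not be bound to an LDAP DN


def fold_groups(names):
    """Group names by case-folded form; keep only groups with >1 member."""
    groups = defaultdict(list)
    for name in names:
        groups[name.casefold()].append(name)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def plan_setdn(omero_users, ldap_entries, skip=SKIP):
    """Return (commands, refused) for a case-insensitive user-to-DN mapping.

    A name is refused when it collides with another name in all but case,
    on either the OMERO side or the LDAP side, because the mapping would
    then be ambiguous.
    """
    omero_clash = fold_groups(omero_users)
    ldap_clash = fold_groups(uid for uid, _ in ldap_entries)
    dn_by_fold = {uid.casefold(): dn for uid, dn in ldap_entries}
    skip_fold = {s.casefold() for s in skip}

    commands, refused = [], {}
    for user in omero_users:
        key = user.casefold()
        if key in skip_fold:
            continue
        if key in omero_clash or key in ldap_clash:
            refused[user] = "ambiguous: names differ only by case"
        elif key in dn_by_fold:
            commands.append(
                "bin/omero ldap setdn %s dn=%s" % (user, dn_by_fold[key]))
    return commands, refused


if __name__ == "__main__":
    cmds, refused = plan_setdn(OMERO_USERS, LDAP_ENTRIES)
    print("\n".join(cmds))
    for user, why in sorted(refused.items()):
        print("# refused %s (%s)" % (user, why))
```

Refused names need a manual decision (rename or merge) before any DN is set for them.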
