[ome-devel] LDAP configuration

McCaughey, Michael J michael.j.mccaughey at Vanderbilt.Edu
Fri Apr 1 22:34:24 BST 2011


Hey all-
We're successfully running LDAP on 4.2.2 for authentication.  We would like to limit access and the creation of new users on OMERO to members of a specific ldap group.  Unfortunately, our local ldap service is configured so that users and groups are in different base OUs, so setting omero.ldap.base to the OU of the users allows authentication, but no filter can be constructed to validate group membership since the groups are located in a different base OU.  This means that anyone with a valid ldap entry can create a new experimenter entry in OMERO.  Setting the base OU to the correct one for groups means that the user DN cannot be properly constructed for the authentication bind.

I've been poking around the source, looking to add a second authentication pass using the ldap function isMemberOf to check ldap group membership for the new user (and possibly a new configuration attribute omero.ldap.memberof which would contain the full OU of the group), but if anyone has solved this already or has a better suggestion I'd be glad to hear it.

Regards,
Mike McCaughey
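The two-base check described above (authenticate with a DN built under the users OU, then confirm membership against a group under a separate groups OU), written out as an added example. It is not code from the post or from OMERO, which is Java and would implement this in its own LDAP layer; the base DNs, the `uid` naming attribute, the `groupOfNames`/`member` schema and the group name `omero-users` are all assumptions. The example covers two details a practitioner wants right when constructing these strings: the escaping rules for a DN (RFC 4514) and for a search filter (RFC 4515) are different, and the `member` values a directory returns rarely match a locally built DN byte-for-byte, so they have to be normalized before comparison. The actual LDAP connection is left out; the group entry is a constructed fixture shaped like a search result.

```python
"""Two-base LDAP authorization check (added example, not OMERO code).

Step 1 builds the bind DN under the users OU.  Step 2 builds a membership
filter for the groups OU and, given the group entry a search would return,
checks whether the user's DN appears in its member attribute.
All names below are assumptions, not values from the original post.
"""

USER_BASE = "ou=people,dc=example,dc=edu"    # assumed stand-in for omero.ldap.base
GROUP_BASE = "ou=groups,dc=example,dc=edu"   # assumed second base for the group search
GROUP_CN = "omero-users"                     # assumed value of a hypothetical omero.ldap.memberof

# RFC 4514: characters that must be escaped inside a DN attribute value.
_DN_SPECIAL = set(',+"\\<>;=')

def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

# RFC 4515: characters that must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def user_dn(uid: str) -> str:
    """DN used for the authentication bind (step 1)."""
    return "uid=%s,%s" % (escape_dn_value(uid), USER_BASE)

def group_filter(dn: str, group_cn: str = GROUP_CN) -> str:
    """Filter for the second search, run with GROUP_BASE as its base (step 2).
    The DN is a filter *value* here, so it gets RFC 4515 escaping even
    though it already carries RFC 4514 escaping as a DN."""
    return "(&(objectClass=groupOfNames)(cn=%s)(member=%s))" % (
        escape_filter_value(group_cn), escape_filter_value(dn))

def _split_unescaped(text: str, sep: str) -> list:
    """Split on sep, ignoring occurrences preceded by a backslash."""
    parts, cur, escaped = [], [], False
    for ch in text:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts

def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: lower-case types and values, no
    whitespace around separators.  Simplified: multi-valued RDNs and
    escaped leading/trailing spaces are not handled."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        attr, _, val = rdn.strip().partition("=")
        rdns.append("%s=%s" % (attr.strip().lower(), val.strip().lower()))
    return ",".join(rdns)

def is_member(dn: str, group_entry: dict) -> bool:
    """True if dn matches any value of the group's member attribute."""
    target = normalize_dn(dn)
    return any(normalize_dn(m) == target for m in group_entry.get("member", []))

# Constructed fixture: what a search under GROUP_BASE with group_filter()
# might return.  Note the mixed case and spacing in the first member value.
GROUP_ENTRY = {
    "dn": "cn=%s,%s" % (GROUP_CN, GROUP_BASE),
    "objectClass": ["groupOfNames"],
    "cn": [GROUP_CN],
    "member": [
        "UID=MMcCaughey, OU=People, DC=example, DC=edu",
        "uid=jdoe,ou=people,dc=example,dc=edu",
    ],
}

def allowed(uid: str, group_entry: dict = GROUP_ENTRY) -> bool:
    """Would this (already authenticated) uid be allowed into OMERO?
    In a live deployment the group entry comes from a search with base
    GROUP_BASE and filter group_filter(user_dn(uid))."""
    return is_member(user_dn(uid), group_entry)

if __name__ == "__main__":
    for uid in ("mmccaughey", "stranger", "*)(uid=*"):
        print(uid, "->", user_dn(uid), "|", group_filter(user_dn(uid)), "|", allowed(uid))
```

Keeping the membership test on the group's `member` attribute rather than on a `memberOf` attribute of the user entry means it works without the server-side memberOf overlay, at the cost of the second search the post anticipates. Whatever the server returns for `member`, compare it normalized; a case or whitespace difference in an otherwise equal DN should not deny a legitimate user, and a raw string comparison would.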

