[ome-devel] LDAP configuration

Josh Moore josh at glencoesoftware.com
Sun Apr 3 20:44:24 BST 2011


On Apr 1, 2011, at 11:34 PM, McCaughey, Michael J wrote:

> Hey all-

Hi Mike,

> We're successfully running LDAP on 4.2.2 for authentication.  We would like to limit access and the creation of new users on OMERO to members of a specific ldap group.  Unfortunately, our local ldap service is configured so that users and groups are in different base OUs, so setting omero.ldap.base to the OU of the users allows authentication, but no filter can be constructed to validate group membership since the groups are located in a different base OU.  This means that anyone with a valid ldap entry can create a new experimenter entry in OMERO.  Setting the base OU to the correct one for groups means that the user DN cannot be properly constructed for the authentication bind.

Could you send a small (obfuscated) LDIF example of your setup? It'd be useful to know what you are up against, and if possible, add to the test suite:

  http://git.openmicroscopy.org/?p=ome.git;a=tree;f=components/server/test/ome/services/ldap

> I've been poking around the source, looking to add a second authentication pass using the ldap function isMemberOf to check ldap group membership for the new user (and possibly a new configuration attribute omero.ldap.memberof which would contain the full OU of the group), but if anyone has solved this already or has a better suggestion I'd be glad to hear it.

Though a new parameter and a second pass may well be necessary, I'd hope to spare any of us the work. Have you run into either the ":query:" or ":bean:" settings for "omero.ldap.new_user_group"?

An example of ":query:" can be found here:

  http://git.openmicroscopy.org/?p=ome.git;a=blob;f=components/server/test/ome/services/ldap/multipleGroups/test.xml;h=e3a37b9204d06d6dfdf5bf8f3532bf76e1011847;hb=HEAD

To set it on your OMERO installation use

  bin/omero config set omero.ldap.new_user_group :query:(&(objectClass=groupOfNames)(member=@{dn}))

which says that there must be a groupOfNames with a member property which equals the DN of the user in question. The QueryNewUserGroupBean:

  http://git.openmicroscopy.org/?p=ome.git;a=blob;f=components/server/src/ome/security/auth/QueryNewUserGroupBean.java;h=47de0a9945dd4beaea23d3d66616aadb02d9c1eb;hb=HEAD

performs the query replacing @{} properties from the user. If the query returns no group names, then the user creation is cancelled on line 290 of LdapImpl.java:

  http://git.openmicroscopy.org/?p=ome.git;a=blob;f=components/server/src/ome/logic/LdapImpl.java;h=6a609650ac01940529581293163806442b0056d6;hb=refs/heads/develop#l261

If ":query:" doesn't provide enough flexibility, the other option is to add your own NewUserGroupBean implementation:

  http://git.openmicroscopy.org/?p=ome.git;a=blob;f=components/server/src/ome/security/auth/NewUserGroupBean.java;h=2ba9343c796e5a5e250ce7858318c467ddc2ece9;hb=HEAD

You can read more about that particular extension point under:

  http://trac.openmicroscopy.org.uk/ome/wiki/OmeroLdap

As described under http://trac.openmicroscopy.org.uk/ome/wiki/ExtendingOmero, you would need to package your compiled implementation class along with a spring file matching the pattern "ome/services/service-*.xml" into an extensions.jar and copy it under lib/server. Your Spring XML configuration file would contain an element like:

<beans>
  <bean class="mike.MyNewUserGroupBean">
    <constructor-arg ref="someOtherBeanYouNeed"/>
  </bean>
</beans>

And finally you would configure your server to use the new bean via:

  bin/omero config set omero.ldap.new_user_group :bean:mike.MyNewUserGroupBean

If none of that works, well, I blame LDAP.

> Regards,
> Mike McCaughey

Best wishes,
~Josh.
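As an added illustration (not OMERO's own code), this Python sketches what the ":query:" setting described above does: substitute the user's attributes into the filter, search the group OU, and refuse experimenter creation when no group matches. The directory entries, attribute names and function names are constructed for the example; escaping the substituted value is an assumption added here, not something the thread states OMERO does.

```python
import re
from typing import Dict, List

# Constructed sample directory (no real OMERO or LDAP server involved): a user
# in ou=People and groupOfNames entries in a separate ou=Groups, as in the thread.
USER = {"dn": "uid=mmccaughey,ou=People,dc=example,dc=org", "uid": "mmccaughey"}
GROUPS = [
    {"dn": "cn=omero-users,ou=Groups,dc=example,dc=org",
     "objectClass": ["top", "groupOfNames"],
     "member": ["uid=mmccaughey,ou=People,dc=example,dc=org"]},
    {"dn": "cn=admins,ou=Groups,dc=example,dc=org",
     "objectClass": ["top", "groupOfNames"],
     "member": ["uid=alice,ou=People,dc=example,dc=org"]},
]
# The filter from the thread, with the @{dn} placeholder still unexpanded.
QUERY = "(&(objectClass=groupOfNames)(member=@{dn}))"

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping (assumption added here) so a user attribute
    containing '*', '(' or ')' cannot change the structure of the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)

def expand_query(template: str, user: Dict[str, str]) -> str:
    """Replace each @{attr} placeholder with the (escaped) user attribute."""
    return re.sub(r"@\{(\w+)\}",
                  lambda m: escape_filter_value(user[m.group(1)]), template)

def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)

def matches(entry: Dict[str, object], flt: str) -> bool:
    """Evaluate a conjunction of equality assertions such as (&(a=x)(b=y))."""
    assertions = re.findall(r"\(([^=()]+)=([^()]*)\)", flt)
    for attr, want in assertions:
        vals = entry.get(attr, [])
        vals = [vals] if isinstance(vals, str) else vals
        if not any(v.lower() == _unescape(want).lower() for v in vals):
            return False
    return True

def groups_for(user: Dict[str, str], groups: List[Dict], template: str) -> List[str]:
    """DNs of the groups the expanded query returns for this user."""
    flt = expand_query(template, user)
    return [g["dn"] for g in groups if matches(g, flt)]

def may_create_experimenter(user: Dict[str, str], groups: List[Dict], template: str) -> bool:
    """The decision the thread describes: no matching group, no new experimenter."""
    return bool(groups_for(user, groups, template))
```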