[ome-devel] LDAP question

Aleksandra Tarkowska A.Tarkowska at dundee.ac.uk
Thu Sep 11 13:53:38 BST 2014


Hi Yanling

If you have a clean OMERO installation and would like to take advantage of LDAP authentication, you should keep user management at the LDAP level. First you should organise potential OMERO users in LDAP, assign them to the new groups, etc. You want OMERO to automatically create an account when your user logs in for the first time and even synchronise on user login. This doesn't mean you are giving access to everyone.

The simplest way is to create a number of new groups in LDAP, assign members, and then set the following in OMERO config:

cn=OMERO-GROUP1,ou=groups,ou=example...
cn=OMERO-GROUP2,ou=groups,ou=example...

bin/omero config set omero.ldap.group_filter "(&(objectClass=groupOfNames)(|(cn=OMERO-GROUP1)(cn=OMERO-GROUP2)))"

By adding custom attributes on each user entry you can even filter these users within the above groups. There are various ways to set filters for user and/or group entries, see http://www.openmicroscopy.org/site/support/omero5/sysadmins/server-ldap.html#user-lookup.

It will guarantee you full control over the authentication.


Kind regards
Ola
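The group_filter above is an allow-list: only members of the named LDAP groups can authenticate to OMERO. The group names end up inside an LDAP search filter, so they have to be escaped per RFC 4515 before they are pasted in, or a name containing `)` or `*` can widen the match. The following script is an added example, not code from the OME project or from this thread; it builds the filter for any list of group names (the thread shows the two-group case) and emits the `bin/omero config set` line. The `groupOfNames` object class and the `cn` attribute are taken from the filter in the message; everything else is assumed.

```python
"""Build an RFC 4515-safe value for omero.ldap.group_filter.

Added example; not part of the OME project.  Assumes groups are
groupOfNames entries named by cn, as in the filter quoted in the thread.
"""
import shlex
from typing import Iterable

# RFC 4515 section 3: these characters must be written inside an assertion
# value as a backslash followed by two hex digits.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one attribute value for use inside an LDAP search filter.

    A group name that comes from a config file or an operator prompt must
    never be pasted into the filter raw: a name such as 'X)(cn=*' would
    close the cn clause early and match every group, defeating the allow-list.
    Mapping character by character means a backslash in the input is escaped
    exactly once and never re-escaped.
    """
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_group_filter(group_names: Iterable[str],
                       object_class: str = "groupOfNames",
                       name_attr: str = "cn") -> str:
    """Return (&(objectClass=...)(|(cn=A)(cn=B)...)) for the given groups.

    With a single group the OR wrapper is dropped, which is still a valid
    filter.  An empty list is refused rather than silently producing a
    filter that admits nobody (or, worse, one that is later edited by hand).
    """
    names = [n for n in group_names if n]
    if not names:
        raise ValueError("at least one group name is required")
    clauses = "".join(f"({name_attr}={escape_filter_value(n)})" for n in names)
    if len(names) == 1:
        return f"(&(objectClass={object_class}){clauses})"
    return f"(&(objectClass={object_class})(|{clauses}))"


def omero_config_command(group_filter: str) -> str:
    """Return the bin/omero command line that sets the filter.

    shlex.quote wraps the value in single quotes so that '(', '&', '|' and
    '*' reach OMERO unchanged instead of being interpreted by the shell.
    """
    return "bin/omero config set omero.ldap.group_filter " + shlex.quote(group_filter)


if __name__ == "__main__":
    # Same two groups as in the message above.
    f = build_group_filter(["OMERO-GROUP1", "OMERO-GROUP2"])
    print(f)
    print(omero_config_command(f))
    # A hostile or mistyped group name is neutralised rather than widening the match.
    print(build_group_filter(["X)(cn=*"]))
```

Paste the printed `bin/omero config set` line into the OMERO server shell; after restarting the server, confirm with `bin/omero config get omero.ldap.group_filter` that the stored value matches the filter you generated.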

From: Yanling Liu <vrnova at gmail.com<mailto:vrnova at gmail.com>>
Date: Wed, 10 Sep 2014 12:31:07 -0400
To: Blazej Pindelski <b.pindelski at dundee.ac.uk<mailto:b.pindelski at dundee.ac.uk>>
Cc: OME OME-devel <ome-devel at lists.openmicroscopy.org.uk<mailto:ome-devel at lists.openmicroscopy.org.uk>>
Subject: Re: [ome-devel] LDAP question

Hello Blazej,

Thanks for your message and I need more help here.

Suppose we have a freshly installed clean OME system running, plus we have a known list of users accessing OME. What would be the correct procedure to configure OME so these known users can log in using LDAP credentials?

We don't want to have new accounts automatically created in OME as we have a controlled user base. We want to prepare OME so users can log in to see their existing images rather than letting them log in in order to create their accounts. Could we first create user accounts in OME using "bin/omero user add" and then configure OME to use LDAP? How do we turn off automatic account creation once we enable LDAP?

If LDAP is enabled, would it be possible to log in using the local root user? Would it be possible to create more local users, such as a dedicated local "importer" account, while other users still use LDAP passwords to log in?

I have read the documentation on converting non-LDAP user to LDAP users (http://www.openmicroscopy.org/site/support/faq/omero/how-do-you-convert-a-non-ldap-user-to-using-ldap). How does this apply to our scenario?

Many thanks,
Yanling

On Fri, Sep 5, 2014 at 11:28 AM, Blazej Pindelski <b.pindelski at dundee.ac.uk<mailto:b.pindelski at dundee.ac.uk>> wrote:
On 5 Sep 2014, at 15:56, Yanling Liu <vrnova at gmail.com<mailto:vrnova at gmail.com>> wrote:
> Hello,

Hi Yanling

> Could I have some help in configuring OME to use LDAP?
>
> Right now I have following information available:
>
> domain name
> domain controller
> site/urls
> base
> bind password
>
> but how do I put these information into OME? I have checked OME LDAP documentation page but it didn't mention domain name, domain controller, and bind password, when do I need to use them?
>
> Any help?

The best starting place would be http://www.openmicroscopy.org/site/support/omero5/sysadmins/server-ldap.html#minimum-configuration.
The settings have to be understood as follows:
- omero.ldap.config=true - switches on the LDAP subsystem in OMERO,
- omero.ldap.urls=ldap://localhost:389 - that is the URL of the LDAP/AD server (site/urls in your case?),
- omero.ldap.username and omero.ldap.password - those are the credentials (I'd imagine "bind password", in your case) used for connecting to the LDAP/AD server,
- omero.ldap.base=ou=example,o=com - this is the base from which OMERO will start to look for users ("base" in your case).

I hope that helps. If the documentation can be improved, please let us know.

Regards,
Blazej

> Thanks,
> Yanling
> _______________________________________________
> ome-devel mailing list
> ome-devel at lists.openmicroscopy.org.uk<mailto:ome-devel at lists.openmicroscopy.org.uk>
> http://lists.openmicroscopy.org.uk/mailman/listinfo/ome-devel


The University of Dundee is a registered Scottish Charity, No: SC015096
