[ome-devel] LDAP question

Munro, Ian i.munro at imperial.ac.uk
Fri Sep 12 17:04:45 BST 2014


Hi Yanling

Currently our setup works like this.

1) The sysadmin provides the users with a username/password for a shared drive with a suitable quota.
2) The users then copy files into this drive with a directory structure of /username/dataset/files.
3) The script then iterates through these folders at 2am, importing the images into a shared group (but owned by each individual) into a dataset named from the directory path above.
4) The script deletes the originals on a successful import.

None of the above is OME specific apart from the cli used by the script.
I’m sure that better solutions can be envisaged but this works for us at the moment.

Regards

Ian
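The nightly drop-directory import described in Ian's message above, as an added example that is not Ian's script and not OME project code. It walks a share laid out as <root>/<username>/<dataset>/<files>, refuses anything that is not a plain directory with a conservative name (the directory names are user-controlled and end up as a login name and a dataset name on a command line run with root credentials, so symlinks and odd names are skipped rather than followed), runs one import per dataset through a pluggable callable, and deletes the originals only when that callable reports success. The argument list in omero_import_command is an assumption about the OMERO CLI, not a verified invocation for any version; the sample tree built in demo() is constructed data.

```python
"""Added example: dry-run planner for a nightly drop-directory import.

Not code from the thread or from OME. The OMERO CLI arguments in
omero_import_command are an assumption; check `omero import --help`.
"""
import re
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, NamedTuple

# Directory names are user-controlled input that becomes a login name and a
# dataset name: allow only a conservative character set and length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


class ImportJob(NamedTuple):
    owner: str        # OMERO user who should own the imported images
    dataset: str      # dataset name, taken from the directory name (assumption)
    files: List[Path]


def _plain_dir(p: Path) -> bool:
    # A symlink here could point a root-driven script at arbitrary files, so
    # only real directories with safe names are accepted.
    return p.is_dir() and not p.is_symlink() and SAFE_NAME.match(p.name) is not None


def plan_imports(root: Path) -> List[ImportJob]:
    """Map <root>/<user>/<dataset>/<files> to one ImportJob per dataset."""
    root = root.resolve()
    jobs: List[ImportJob] = []
    for user_dir in sorted(root.iterdir()):
        if not _plain_dir(user_dir):
            continue
        for ds_dir in sorted(user_dir.iterdir()):
            if not _plain_dir(ds_dir):
                continue
            files = [
                f for f in sorted(ds_dir.iterdir())
                if f.is_file() and not f.is_symlink()
                and root in f.resolve().parents   # still inside the drop area
            ]
            if files:
                jobs.append(ImportJob(user_dir.name, ds_dir.name, files))
    return jobs


def omero_import_command(job: ImportJob) -> List[str]:
    # ASSUMPTION: how a dataset is targeted and how an import is done on behalf
    # of another user depends on the OMERO version. Credentials belong in a
    # file readable only by the service account, never on the command line.
    return ["omero", "import"] + [str(f) for f in job.files]


def run_omero_import(job: ImportJob) -> bool:
    # Real runner: success is the CLI's exit status.
    return subprocess.run(omero_import_command(job), check=False).returncode == 0


def run_jobs(jobs: List[ImportJob],
             do_import: Callable[[ImportJob], bool]) -> Dict[str, List[str]]:
    """Run every job; delete originals only after a successful import (step 4)."""
    result: Dict[str, List[str]] = {"imported": [], "kept": []}
    for job in jobs:
        key = f"{job.owner}/{job.dataset}"
        if do_import(job):
            for f in job.files:
                f.unlink()
            result["imported"].append(key)
        else:
            result["kept"].append(key)   # leave the user's files for a retry
    return result


def demo() -> Dict[str, object]:
    """Constructed sample drop directory (not real data) exercising the planner."""
    base = Path(tempfile.mkdtemp(prefix="omero-drop-"))
    outside = Path(tempfile.mkdtemp(prefix="outside-"))
    try:
        (base / "alice" / "exp1").mkdir(parents=True)
        (base / "alice" / "exp1" / "a.tif").write_bytes(b"II*\x00")
        (base / "bob" / "exp2").mkdir(parents=True)
        (base / "bob" / "exp2" / "b.tif").write_bytes(b"II*\x00")
        (outside / "secret.txt").write_text("not for import")
        (base / "mallory").symlink_to(outside)                               # symlinked user dir: skipped
        (base / "alice" / "exp1" / "link.tif").symlink_to(outside / "secret.txt")  # symlinked file: skipped
        (base / "bad name!").mkdir()                                         # unsafe name: skipped

        jobs = plan_imports(base)
        # Stub importer standing in for run_omero_import: bob's import "fails".
        summary = run_jobs(jobs, lambda job: job.owner != "bob")
        return {
            "planned": [f"{j.owner}/{j.dataset}" for j in jobs],
            "planned_files": [[f.name for f in j.files] for j in jobs],
            "imported": summary["imported"],
            "kept": summary["kept"],
            "alice_remaining": sorted(p.name for p in (base / "alice" / "exp1").iterdir()),
            "bob_remaining": sorted(p.name for p in (base / "bob" / "exp2").iterdir()),
            "secret_intact": (outside / "secret.txt").exists(),
        }
    finally:
        shutil.rmtree(base)
        shutil.rmtree(outside)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Swapping the stub for run_omero_import turns this into the cron job; the planner stays the same, and a failed import leaves the user's files where they were instead of silently discarding them.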



On 12 Sep 2014, at 16:10, Yanling Liu <vrnova at gmail.com> wrote:

Hello Ian,

Thanks for bringing up the solution. However, I have some questions related to the solution:

1. Does it mean we would have to create user folders manually on the partition? Will OME take control of the partition and automatically populate user folders from the database?

2. What is the relationship between folders and files on the partition and projects and datasets in OME? What I mean is that if scopes save data in folders and sub-folders on the partition, how do I map this folder structure to projects and datasets in OME? This is the most confusing part to me, as there are two incompatible data organization methods: projects/datasets vs. folders and subfolders.

3. How is the partition being exposed to scopes? On a Linux machine, do I set up Samba to expose the partition? Or can OME provide access for scopes to the partition?

4. Does the partition have to be a local partition instead of NFS mounts?

Sounds to me like the "importer" user level is a much easier solution, as the importer client application forces users to create projects and datasets, so there's no concept of folders (I like projects/datasets instead of folders).

Looking forward to hearing back from you.

Thanks,
Yanling




On Thu, Sep 11, 2014 at 9:49 AM, Munro, Ian <i.munro at imperial.ac.uk> wrote:
Dear Yanling

FWIW our solution to this problem was for the acquisition machines (microscope) to save the data to a partition on the same machine as the OMERO server in a directory with the name of the user.

A script then looks at that partition and, on finding a new file, does the import under the appropriate user name.

The root password is only required by the script.

Best

Ian


On 11 Sep 2014, at 14:34, Yanling Liu <vrnova at gmail.com> wrote:

Thank you Ola,

This actually raises the urgency of having a separate user role level to import images for other users. As you probably know from my previous messages, we have imaging facilities that produce images for end users. To allow imaging facilities to upload images for their customers, right now I have the following two methods:

1. create an admin "importer" user and share this account across imaging facilities, or
2. grant admin rights to all imaging facilities user accounts.

Either way there's a potential security hazard of destroying the system with admin rights. If there's an "importer" user privilege level, I can simply grant this privilege to imaging facilities' user accounts so that they can upload images for end users without having to give them admin rights.

I know your team is busy with many development tasks, but this importer privilege level is critical to properly running OME in our environment. I would appreciate it a lot if you could take this into consideration.

Thanks,
Yanling

On Thu, Sep 11, 2014 at 9:12 AM, Aleksandra Tarkowska <A.Tarkowska at dundee.ac.uk> wrote:
Sorry forgot to add one thing here.
You need to remember that user "importer" will have to be a system user
(admin like root) and import data as another user. Otherwise you will end
up with ownership mismatch.


Kind regards
Ola



On 11/09/2014 14:00, "Josh Moore" <josh at glencoesoftware.com> wrote:

>>If LDAP is enabled, would it be possible to login using local root user?
>
>Yes. The OMERO root is always non-LDAP.
>
>> Would it be possible to create more local users such as a dedicated
>>local "importer" account, while other users still use LDAP passwords to
>>login?
>
>Yes. Only those users who have a DN set in the "password" table will be
>authorized against LDAP.



The University of Dundee is a registered Scottish Charity, No: SC015096

_______________________________________________
ome-devel mailing list
ome-devel at lists.openmicroscopy.org.uk
http://lists.openmicroscopy.org.uk/mailman/listinfo/ome-devel


