[ome-users] LDAP and posix groups

Alessandro Dellavedova alessandro.dellavedova at ifom-ieo-campus.it
Mon Jul 26 23:44:15 BST 2010


Hi Josh,

on behalf of Futhwo I'd like to say "Thank you" for the quick OMERO dollar workaround, tomorrow we'll test it and we'll post a feedback on the mailing list.

Futhwo (our senior sysadmin, cloaked) is extensively testing OMERO under Solaris and we'll be very happy to share the setup instructions and all the technical information that is needed in order to run OMERO under this platform (we know that this is officially not supported, yet).

Basically we did choose Solaris due to the fact that we are deploying a multi-terabyte installation of OMERO 4.2.0 (88TB on a Sun..err..Oracle X4540 server) and we needed a reliable filesystem like ZFS, in order to protect ourselves from silent data corruption and other problems that arise when dealing with this tremendous amount of data (please see References).

Moreover, as soon as the ZFS version under Solaris matches the ZFS versions currently implemented under OpenSolaris and Nexenta Core, we'll get data deduplication basically for free, and that will enable us to save some space on local storage (an early test showed a data-deduplication ratio of 1.55 for timelapse experiments, with a minor performance hit).

The need for local storage data deduplication was outlined by Martin Spitaler and Mark Woodbridge during their talk at the OME Meeting in Paris (slide 14), and data deduplication is a desideratum for OMERO.FS (http://www.openmicroscopy.org/site/support/omero4/server/fs). By using ZFS this will come basically for free.

HTH,

Alessandro

DISCLAIMER: We are not sponsored in any way by Sun/Oracle, we are just sharing our experience and we hope that this can be useful to someone else. If you are interested in the ZFS filesystem and you don't like Solaris/OpenSolaris/Nexenta Core you can also try FreeBSD 8.1 that implements ZFS version 15 (http://wiki.freebsd.org/ZFS).

REFERENCES:
End-to-end Data Integrity for File Systems: A ZFS Case Study - http://www.cs.wisc.edu/wind/Publications/zfs-corruption-fast10.html

OMERO Implementation at Imperial College London - http://openmicroscopy.org/site/community/minutes/meetings/june-2010-paris-users-meeting/presentations/3%20%20Martin%20Spitaler/spitaler%20100615%20OME%20metting.pdf/at_download/file

ZFS Deduplication - http://blogs.sun.com/bonwick/entry/zfs_dedup

Alessandro Dellavedova

Responsabile Sistemi Informativi

COGENTECH - Consortium for Genomic Technologies

Via Adamello, 16 - 20139 Milan, Italy
T +39 02 57489.857
F +39 02 9437.5990
E alessandro.dellavedova at ifom-ieo-campus.it
W www.ifom-ieo-campus.it  www.ieo.it

“There are risks and costs to a program of action. But, they are far less than the long-range risks and costs of comfortable inaction.” – John F. Kennedy (1917-1963)

On Jul 26, 2010, at 8:03 PM, Josh Moore wrote:

> Hi Futhwo,
> 
> Unfortunately, you've hit upon a rather interesting bug in 4.2.0.
> 
> I've created a ticket to track the issue:
> 
>  http://trac.openmicroscopy.org.uk/omero/ticket/2613
> 
> To workaround the issue you'll need to set an extra property:
> 
>  ./omero config set omero.dollar '$'
> 
> And then:
> 
>  ./omero config set omero.ldap.new_user_group ':query:(memberUid=$${omero.dollar}{uid})'
> 
> As odd as it may seem, an OMERO dollar should get you what you want. </end-bad-joke>
> ~Josh.
> 
> 
> On Jul 23, 2010, at 4:00 PM, Futhwo wrote:
> 
>> Hi
>> 
>> I am trying to set up OMERO to insert new users in the same groups they have in
>> the LDAP directory (we use the RFC 2307 standard).
>> 
>> In this standard, group membership is defined by the "memberUid" multi-valued
>> attribute in the group entry, whose values are the uids of the users belonging
>> to the group defined in the entry.
>> 
>> So to set this up for OMERO I used, as pointed out in the examples:
>> 
>> ./omero config set omero.ldap.new_user_group ':query:(memberUid=${uid})'
>> 
>> To double-check it:
>> 
>> ./omero config get
>> omero.config.updated=4.2.0
>> omero.ldap.base=dc=MYDOMAIN,dc=it
>> omero.ldap.config=true
>> omero.ldap.group_filter=(objectClass=posixGroup)
>> omero.ldap.group_mapping=name=cn
>> omero.ldap.new_user_group=:query:(memberUid=${uid})
>> omero.ldap.password=
>> omero.ldap.urls=ldap://MYLDAPSERVER:389
>> omero.ldap.user_filter=(objectClass=posixAccount)
>> omero.ldap.user_mapping=omeName=uid,firstName=givenName,lastName=sn,email=mail
>> omero.ldap.username=
>> 
>> (I substituted MYDOMAIN and MYLDAPSERVER of course).
>> 
>> This does not work: group membership still uses the previous value for
>> omero.ldap.new_user_group, even if "omero config get" reports the new value.
>> 
>> If I restart the server I see in master.err:
>> 
>> 07/23/10 15:46:07.852 icegridnode: warning: failed to deploy application
>> `/opt/omero_dist/etc/grid/default.xml':
>> IceGrid::DeploymentException: application `OMERO':
>> invalid value for attribute `property set `__ACTIVE__' property value':
>> invalid variable `:query:(memberUid=${uid})':
>> undefined variable `uid'
>> 
>> I tried using ${cn} and ${omeName} with the same result.
>> 
>> If I try something like:
>> 
>> ./omero config set omero.ldap.new_user_group ':query:(memberUid=$uid)'
>> 
>> the server stops complaining at start, but the query issued to LDAP will be
>> (taken from the OpenLDAP server debug):
>> 
>> filter="(&(objectClass=posixGroup)(memberUid=$uid))"
>> 
>> without substituting the $uid string with the logging-in user's id, so users
>> cannot log in.
>> 
>> Thanks in advance to anyone who may help
>> 
>> Cheers
>> Futhwo
> 
> _______________________________________________
> ome-users mailing list
> ome-users at lists.openmicroscopy.org.uk
> http://lists.openmicroscopy.org.uk/mailman/listinfo/ome-users
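The filter that the thread shows in the OpenLDAP debug output, (&(objectClass=posixGroup)(memberUid=<uid>)), is what the group_filter and the :query: value combine to once ${uid} is substituted. The following Python is an added example, not code from the thread or from OMERO itself: it builds that RFC 2307 membership filter with RFC 4515 escaping of the uid (so a uid such as "*" or "a)(cn=*" cannot widen the query) and then evaluates the same predicate against a small constructed in-memory directory, so it runs offline. The directory entries, the function names and the sample uids are all made up for illustration; whether OMERO 4.2.0 escapes the uid before substituting it is not something the thread says.

```python
"""Added example: resolving RFC 2307 (posixGroup) membership for a uid.

Not OMERO code. The filter shape matches the one in the thread; the
directory below is constructed sample data.
"""
from typing import Dict, List

# RFC 4515 section 3: characters that must be escaped in an assertion value.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-controlled value so it is matched literally, not as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unsafe_membership_filter(uid: str) -> str:
    """The filter as a naive string substitution would produce it (for contrast only)."""
    return f"(&(objectClass=posixGroup)(memberUid={uid}))"


def membership_filter(uid: str) -> str:
    """The same filter with the uid escaped per RFC 4515."""
    return f"(&(objectClass=posixGroup)(memberUid={escape_filter_value(uid)}))"


# Constructed sample directory (hypothetical DNs and values), keyed by DN.
SAMPLE_GROUPS: Dict[str, Dict[str, List[str]]] = {
    "cn=microscopy,ou=groups,dc=example,dc=org": {
        "objectClass": ["top", "posixGroup"],
        "cn": ["microscopy"],
        "gidNumber": ["5001"],
        "memberUid": ["alice", "bob"],
    },
    "cn=sysadmin,ou=groups,dc=example,dc=org": {
        "objectClass": ["top", "posixGroup"],
        "cn": ["sysadmin"],
        "gidNumber": ["5002"],
        "memberUid": ["bob"],
    },
    "cn=staff,ou=groups,dc=example,dc=org": {
        # A groupOfNames, not a posixGroup: the objectClass clause excludes it.
        "objectClass": ["top", "groupOfNames"],
        "cn": ["staff"],
        "member": ["uid=alice,ou=people,dc=example,dc=org"],
    },
}


def groups_for_uid(directory: Dict[str, Dict[str, List[str]]], uid: str) -> List[str]:
    """Evaluate (&(objectClass=posixGroup)(memberUid=<uid>)) over the directory.

    memberUid is defined in RFC 2307 with caseExactIA5Match equality, so the
    comparison is exact and case-sensitive: "Bob" does not match "bob".
    Returns the cn values of the matching groups, sorted for stable output.
    """
    names: List[str] = []
    for entry in directory.values():
        if "posixGroup" not in entry.get("objectClass", []):
            continue
        if uid in entry.get("memberUid", []):
            names.extend(entry.get("cn", []))
    return sorted(names)


if __name__ == "__main__":
    for uid in ("alice", "bob", "Bob", "*"):
        print(membership_filter(uid), "->", groups_for_uid(SAMPLE_GROUPS, uid))
```

The contrast worth noticing is membership_filter("*") versus unsafe_membership_filter("*"): the escaped form asks the server for a memberUid that is literally an asterisk, while the unescaped form is a presence filter that matches every posixGroup, which for a new-user-group query would put the user in all of them.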
