[ome-users] LDAP question
Wood, Christopher
CJW at stowers.org
Mon Sep 19 03:37:23 BST 2011
Hi,
Our A.D./ldap server has some upper case/lower case inconsistencies in the way usernames are assigned. Sometime lower case initials, sometimes upper case.
Previously, in 4.3.1, we would create a user using lower case usernames and then use setdn to set there distinguished name to enable using ldap.
This always worked.
In version 4.3.2, the assigned username(for existing users) and distinguished name do not work if the case of the username does not match that in ldap.
Changing the case (from "abc" to "ABC") fixes the problem, but I don't want to figure out which names need to be changed and then explain to users they need to use upper case.
Is there anything I can do to get around this problem.
Thanks
Chris
________________________________________
From: Josh Moore [josh at glencoesoftware.com]
Sent: Thursday, March 31, 2011 4:46 AM
To: Wood, Christopher
Cc: OME Users
Subject: Re: [ome-users] LDAP question
On Mar 30, 2011, at 11:40 PM, Wood, Christopher wrote:
> Thanks Josh,
>
> I was able to change my username to lower case and login with ldap as you suggested.
Glad to hear it.
> Can the omero admin create ldap users? For example, if user joe (or JOE) wants to use omero, can I create an ldap user without knowing joe's password?
The current clients don't provide a way to set the DN (#4828), but the API does, so...
> Or can I get a list of usernames and write a script to do the mapping between omero username and ldap username.
Definitely. I'm attaching a CLI plugin that you can drop in your OMERO_DIST/lib/python/omero/plugins directory. Consider this an experimental feature that may be included in 4.3 (#4832). Any changes you want/need to make to it, we'd be very glad to hear about.
$ bin/omero -s root at localhost ldap discover --commands
Using session 0ea0fb10-c5f3-4f22-a9e3-1b766fbd59df (root at localhost:4064). Idle timeout: 10.0 min. Current group: system
Connecting to ldap://localhost:1389...
bin/omero ldap setdn root dn=uid=root,ou=people,ou=lifesci,o=dundee
bin/omero ldap setdn flim dn=cn=flim,ou=edir,ou=people,ou=lifesci,o=dundee
...
You probably _don't_ want to run the "root" one (and the plugin may should filter it out by default). The second command you can copy and paste to the command line to set the user's DN. Note: "discover" uses the python-ldap module internally in order to workaround your case-sensitivity issue (#4821). Authentication to LDAP, use of certificates, etc. have not yet been added to the plugin. However, you're welcome to use some other means to get the DNs, and then just call bin/omero ldap setdn.
> Chris
Cheers,
~Josh.
>
> -----Original Message-----
> From: Josh Moore [mailto:josh at glencoesoftware.com]
> Sent: Wednesday, March 30, 2011 2:24 PM
> To: Wood, Christopher
> Cc: OME Users
> Subject: Re: [ome-users] LDAP question
>
> Thanks for the log, Chris. I stand corrected; the issue is a bit more complicated. In OMERO, case exactness is enforced during password checking to prevent collisions between users (cjw and CJW, for example). We would need to provide a constraint to prevent two users from having names that match in all but case if we allow the LDAP check to be case-insensitive.
>
> I've created http://trac.openmicroscopy.org.uk/ome/ticket/4821
> to track the feature.
>
> If you have any thoughts or suggestions, please let us know.
> ~Josh.
>
> On Mar 30, 2011, at 3:15 PM, Wood, Christopher wrote:
>
>> Hi Josh,
>> Here is the log file, look for the login attempts for cjw and CJW
>>
>> Thanks for your help.
>> Chris
>>
>> -----Original Message-----
>> From: Josh Moore [mailto:josh at glencoesoftware.com]
>> Sent: Wednesday, March 30, 2011 7:13 AM
>> To: Wood, Christopher
>> Cc: ome-users at lists.openmicroscopy.org.uk
>> Subject: Re: [ome-users] LDAP question
>>
>>
>> On Mar 30, 2011, at 12:04 AM, Wood, Christopher wrote:
>>
>>> Hi,
>>
>> Hi Chris,
>>
>>> We have just set up an omero 4.2.2 server to use ldap. I seems to work, but we are having an issue with upper/lower case usernames.
>>>
>>> Our domain usernames are usually our initials, so I we login to everything as 'abc'. I always use lower case without problems. When I tried to login to omero for the first time with abc, I could not login. Logging in with all upper case ABC worked, and it created an ldap omero user as 'ABC', all caps (as it should).
>>> Another person logged in with lower case, 'xyz', and it worked. It seems that the case of the username depends on who initially created a user account.
>>
>> This certainly sounds odd. Could you possibly send the var/log/Blitz-0.log file (off list if you prefer), so we can see if a particular exception caused the initial failure during your lowercase login.
>>
>>> Is there any way to get around this from the omero point of view, so all usernames can be lowercase, regardless of the case on the ldap server
>>
>> You should be able to change your username via WebAdmin now, without effecting the LDAP login. What's happened (I think) is that the password check, for whatever reason, required capitals. However, after the successful login your dn was inserted into the password table. That should now be used to perform the lookup, regardless of what your username is.
>>
>> At the moment, there's no way to set a flag to have all usernames lower cased. By subclassing on of the LDAP extension points, however, it should be achievable.
>>
>>> Thanks
>>> Chris
>>
>> Cheers,
>> ~Josh.
>> <Blitz-0.zip>
>
More information about the ome-users
mailing list