[ome-users] Omero ldap rights

Josh Moore josh at glencoesoftware.com
Thu Jun 28 08:32:36 BST 2012


On Jun 28, 2012, at 9:29 AM, Jason Byars wrote:

> I will try to get a relevant log excerpt together for the web/Insight
> behavior.

That'd be great, thanks.


> Sorry I wasn't clear on the group naming issue.  I meant if I make a
> typo and spell a group name wrong on the ldap provider or if full DNs for
> the group were returned instead of the CN while working out the ldap query
> settings.  After I correct the groups on the ldap provider and fix my query
> syntax, I can look at the list of groups on the OMERO server, the
> corrections appear alongside the mistakes.  I have been able to delete
> some of the mistakes via right clicking and choosing delete in Insight, but
> some refuse to die. How do I get rid of those groups?  They do not contain
> any data that should prevent me from deleting them.

That's our fault. It's not just data that can prevent the groups from being deleted, but any provenance or auditing information left in the database. Other than writing custom SQL scripts to try to purge this information, the best course of action is to rename the groups to something like 'disabled' so that they aren't confused with other groups.

~Josh

> Jason
> 
> On Thu, Jun 28, 2012 at 1:13 AM, Josh Moore <josh at glencoesoftware.com> wrote:
> 
>> Hi Jason,
>> 
>> On Jun 28, 2012, at 1:25 AM, Jason Byars wrote:
>> 
>>> I have an OMERO 4.3.4 setup querying an AD ldap source.  The users and
>>> groups appear to be assigning correctly.  What I am a bit unclear on is how
>>> the concept of group ownership and administrator rights works with ldap.
>>> All users are listed but not selected as owners on the web interface
>>> initially.
>> 
>> 
>> There's currently no support for group-ownership synchronization from LDAP
>> groups.
>> This will most likely take place as part of 6502:
>> 
>> https://trac.openmicroscopy.org.uk/ome/ticket/6502
>> 
>> 
>>> If I assign group owners on the web interface it doesn't seem
>>> to stick.  If I do it from the Insight client, it appears to stick. Are you
>>> supposed to manually assign group ownership and Administrator rights with
>>> the Insight client when using ldap?
>> 
>> There should be no difference between the two clients (web/insight). Could
>> you possibly send us the server log (var/log/Blitz-0.log) after you attempt
>> to do it in web?
>> 
>> 
>>> Also, is there an easy query to purge
>>> ldap group naming mistakes from the database?  Some mistakes I can delete
>>> via Insight, some I can't.  Thanks!
>> 
>> What do you mean by 'ldap group naming' mistakes? Do you mean removing
>> users from certain groups? Or changing the name of existing groups?
>> 
>> 
>>> Jason
>> 
>> Cheers,
>> ~Josh



