[ome-users] LDAP questions

Josh Moore josh at glencoesoftware.com
Fri Mar 16 12:17:46 GMT 2012


On Mar 16, 2012, at 12:44 PM, Harri Jäälinoja wrote:

> Hi All,
> 
> I would like to ask your advice for our particular LDAP environment. We don't have here the attribute structure described in the OMERO documentation, "cn=frank,ou=TheLab,ou=LifeSciences,o=TheCollege". Instead, the attributes we can use are these (ldapsearch -A):
> # hajaalin, helsinki.fi
> dn: uid=hajaalin,dc=helsinki,dc=fi
> displayName:
> objectClass:
> uid:
> hyPersonUnixUidNumber:
> givenName:
> mailFile:
> gecos:
> homeDirectory:
> uidNumber:
> gidNumber:
> cn:
> sn:
> loginShell:
> hyFullDisplayName:
> hyGroupMemberships:
> hyPersonNodes:
> hyGroupOwnerships:
> 
> You can see the schema at http://www.helsinki.fi/atk/luvat/ldap/ (description in Finnish).
> 
> Attribute hyGroupMemberships is multivalued, some of the values describe research groups who should be allowed access to OMERO, for example:
> hyGroupMemberships: uid=grp-A91900-bi-vart,ou=alma_workgroups,ou=groups,o=hy
> 
> So for example to allow access to two groups, we set the user filter like this:
> omero config set omero.ldap.user_filter '(&(objectClass=person)(|(hyGroupMemberships=uid=grp-A91900-bi-vart,ou=alma_workgroups,ou=groups,o=hy)(hyGroupMemberships=uid=grp-A34520-biu,ou=alma_workgroups,ou=groups,o=hy)))'

Hi Harri,

> My questions are:
> 
> 1. Is there a max length for the OMERO config variable values? If yes, how many groups could we add like this before hitting the limit?

Not that I know of, but let us know if you have any problems. Searching briefly, I can only find Spring/LDAP issues related to size limits on query results, but not necessarily query strings. One post mentioned a 10MB limit for Active Directory!

> 2. Now changes in LDAP configuration require OMERO restart to take effect. Will this maybe change in the future? A restart might be inconvenient especially in case we manage to implement image analysis on OMERO. Well, this is not a major issue, there are not new groups joining every day, but anyway :)

Eventually the configuration should not require a restart [#3171], but that won't be implemented in time for 4.4. For your case, it will probably be best to take advantage of existing extension points to allow more dynamic handling of the filter, possibly automatically if there is any metadata associated to which groups should be OMERO-enabled.

> 3. Am I correct in assuming that it is not possible to extract the research group info (e.g. bi-vart) from our LDAP schema with the OMERO LDAP config prefixes? Except for the ":bean:" prefix?

I'm not sure it's not possible without trying it out. Would it be possible to get an LDIF dump for our test suite?
https://github.com/openmicroscopy/openmicroscopy/blob/develop/components/server/test/ome/services/ldap

Something like the :query: syntax might suffice:
https://github.com/openmicroscopy/openmicroscopy/blob/develop/components/server/test/ome/services/ldap/testQueryGroup/test.xml

> 4. If I manage to write HY_NewUserGroupBean.java to implement the NewUserGroupBean interface, how do I install it? Where do I put the class file?

Basic instructions for bundling the classes can be found here:

  https://trac.openmicroscopy.org.uk/ome/wiki/ExtendingOmero#JavaDeployment

but they may be too terse. If so, let us know.

> Best regards,
> Harri

Cheers,
~Josh

[#3171] https://trac.openmicroscopy.org.uk/ome/ticket/3171
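
Added example, not part of the original thread and not OMERO code: one way to generate the omero.ldap.user_filter value quoted above from a list of group DNs, escaping each value per RFC 4515 so that a DN taken from external metadata cannot change the filter's structure. The function names and the idea of feeding it a group list are assumptions; the attribute name and the two group DNs are the ones in the message.

```python
import shlex

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# The two group DNs from the message above.
GROUPS = [
    "uid=grp-A91900-bi-vart,ou=alma_workgroups,ou=groups,o=hy",
    "uid=grp-A34520-biu,ou=alma_workgroups,ou=groups,o=hy",
]


def escape_filter_value(value):
    """Escape one assertion value so it is matched literally by the server."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(group_dns, attribute="hyGroupMemberships",
                      object_class="person"):
    """Hypothetical helper: AND the objectClass test with an OR over the groups."""
    # Fail closed: never emit a filter that lacks a membership clause.
    if not group_dns:
        raise ValueError("refusing to build a filter with no groups")
    # dict.fromkeys drops duplicate DNs while keeping their order.
    clauses = [
        "({}={})".format(attribute, escape_filter_value(dn))
        for dn in dict.fromkeys(group_dns)
    ]
    membership = clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"
    return "(&(objectClass={}){})".format(
        escape_filter_value(object_class), membership
    )


def omero_command(group_dns):
    """Return the shell command line, with the filter quoted for the shell."""
    return "omero config set omero.ldap.user_filter " + shlex.quote(
        build_user_filter(group_dns)
    )


if __name__ == "__main__":
    print(omero_command(GROUPS))
```

As the thread notes, the server still has to be restarted before a changed filter takes effect.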



