[ome-users] difficulty with writing LDAP requests for our environment

Josh Moore josh at glencoesoftware.com
Tue Mar 27 19:31:16 BST 2012


On Mar 27, 2012, at 7:24 PM, Steve Moulton wrote:

> Greetings All,
> 
> I am relatively new to both OMERO and LDAP but old enough in net years to figure out I can't bulldoze my way through this one without help.
> 
> Desired configuration:
> 
> .  Authorization handled through OMERO administrative interface - I don't want users in OMERO unless they are authorized that way.  I don't want OMERO to automatically create users based on their LDAP presence.
> 
> .  Authentication through a LDAP server that is used to serve lots of users and functions.  Id est, I cannot modify the LDAP directory.

Hmmm....before tackling the rest of this, these two desires would sound like an LdapPasswordProvider that does not call createFromLdap:

  https://github.com/openmicroscopy/openmicroscopy/blob/dev_4_3/components/server/src/ome/security/auth/LdapPasswordProvider.java#L112


> What I am seeing at the LDAP server:
> 
> SRCH base="dc=mung1,dc=mung2,dc=mung3" scope=2 deref=3 filter="(&(objectClass=posixAccount)(cn=sam))"
> 
> (w/ munged details).
> 
> What I have configured for the particular user:
> 
> > omero ldap list
>  (dc=mung1,dc=mung2,dc=mung3,objectClass=posixAccount,cn=Moulton, Steve)
> 
> 
> What I really want presented to LDAP
> 
>  (dc=munge1,dc=munge2,dc=munge3,objectClass=posixAccount,uid=sam)

What configuration did you have set on the server when you saw this? i.e.

  $ bin/omero config get | grep ldap

> Regardless of what I set the ldap string for the user to, I always get
> (cn=OMERO user name) appended.    I really don't want a cn appended - I need
> to do lookup by uid.
> 
> I have tried to set my user name to "Moulton, Steve" to force cn lookups, but
> the generated string when I try to connect via the web interface is always
> downcased, regardless of what I type.

There are case sensitivity issues both with OMERO and various LDAP configurations.

> In either case, that would involve
> an excess of overconfiguration - users here don't use canonical names,
> they use their UIDs.

Understood. That's what "omero.ldap.user_mapping" is intended for, perhaps something like:

  omero.ldap.user_mapping=omeName=uid,firstName=givenName,lastName=sn,email=mail

> I've tried setting various configuration bits, all of which are either ineffectual or make things worse.
> 
> So, any one know a way to inject uid=(omero user name) rather than cn=(omero user name)?

Let us know how that works in terms of getting the right user name. In order to prevent user creation, though, you're going to need custom code. See the other recent ome-users thread[1] I've been having with Harri, on what it would take to write your own LdapPasswordProvider. (He was writing a NewUserGroupBean, but it will be a similar process)

Cheers,
~Josh

[1] http://lists.openmicroscopy.org.uk/pipermail/ome-users/2012-March/002978.html
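An added example (my own, not OMERO's code) that models how the lookup filter quoted above is assembled from omero.ldap.user_filter and the omeName entry of omero.ldap.user_mapping: the AND-assembly rule and the fallback to cn when omeName is not mapped are assumptions drawn from the searches seen in the thread, and the RFC 4515 escaping of the login value goes beyond what the thread discusses.

```python
# Added example, not OMERO's implementation. Models the assembly of the LDAP
# search filter observed in the thread:
#   user_filter "(objectClass=posixAccount)" + login "sam"
#   -> "(&(objectClass=posixAccount)(cn=sam))"  with no omeName mapping (assumed default)
#   -> "(&(objectClass=posixAccount)(uid=sam))" with omeName=uid in user_mapping

def parse_user_mapping(mapping: str) -> dict:
    """Parse 'omeName=uid,firstName=givenName,...' into {omero field: ldap attribute}."""
    pairs = {}
    for item in mapping.split(","):
        item = item.strip()
        if not item:
            continue
        ome_field, _, ldap_attr = item.partition("=")
        if not ome_field or not ldap_attr:
            raise ValueError(f"bad user_mapping entry: {item!r}")
        pairs[ome_field.strip()] = ldap_attr.strip()
    return pairs


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    The login name comes from the user, so the filter metacharacters
    backslash, '*', '(', ')' and NUL are hex-escaped before being spliced in.
    """
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(user_filter: str, user_mapping: str, login: str) -> str:
    """AND the configured user_filter with '<attr>=<login>'.

    The attribute is taken from the omeName mapping; 'cn' is the assumed
    default, matching the '(cn=sam)' term observed when no mapping was set.
    """
    attr = parse_user_mapping(user_mapping).get("omeName", "cn")
    return f"(&{user_filter}({attr}={escape_filter_value(login)}))"


if __name__ == "__main__":
    mapping = "omeName=uid,firstName=givenName,lastName=sn,email=mail"
    print(build_user_filter("(objectClass=posixAccount)", mapping, "sam"))
```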
