[ome-users] Weird LDAP issue - subtree/forest can't auth?

Jake Carroll jake.carroll at uq.edu.au
Wed Aug 6 09:28:29 BST 2014


Interesting.

Thanks for the update. See below.

On 6 Aug 2014, at 5:47 pm, Josh Moore <josh at glencoesoftware.com> wrote:


On Aug 5, 2014, at 9:42 PM, Jake Carroll wrote:

Hi all.

Hi Jake,

On 5 Aug 2014, at 11:29 pm, Josh Moore <josh at glencoesoftware.com> wrote:

On Aug 5, 2014, at 3:22 PM, Aleksandra Tarkowska wrote:

And one add on question: is this Active Directory?

Because this *IS* AD based (and we are hooking up to the LDAP semantics of it, because they won’t let us chat native AD to it for security reasons…), we can’t “see” the secondary internal container inside it. All we see is people in the above OU. We don’t “see” that container and (from what I can see) we can’t traverse into it, because all LDAP sees is a flat bind DN like the ou= string I showed you above.

So - the question is, is there any way around it, or do I need some kind of magical binddn that takes into account sub-containers?

The text regarding AD that will be added to the 5.0.3 release docs this week(*) is:

---------------------------
Active Directory (AD) supports a form of LDAP and can be used by OMERO like most other directory services.

In AD, the Domain Services (DS) ‘forest’ is a complete instance of an Active Directory which contains one or more domains. Querying a particular Domain Service will yield results which are local to that domain only. In an environment with just one domain it is possible to use the default configuration instructions for OMERO LDAP. If there are multiple domains in the forest then it is necessary to query the Global Catalogue to enable querying across all of them.

Global Catalogue

In an AD DS forest, a Global Catalogue provides a central repository of all the domain information from all of the domains. This can be queried in the same way as a specific Domain Service using LDAP, but it runs on different ports; 3268 and 3269 (SSL).

LDAP AD Global Catalogue server URL string

  bin/omero config set omero.ldap.urls ldap://ldap.example.com:3268

Note: An SSL URL for the above should look like this: ldaps://ldap.example.com:3269

I actually solved it by using an LDAP “OR” syntax (|) like this:

omero.ldap.user_filter=(|(ou=Queensland Brain Institute)(ou=Ageing Dementia Research))

All good :).

You might want to write some docco around compound filters and the other operators (such as the (|) I’ve used here) at some point, to allow concentric “rings” of more and more OUs granular access to Omero.


Thanks guys!

-jc

---------------------------

Hopefully that will work for you.


(*): Once available, see
    https://www.openmicroscopy.org/site/support/omero5/sysadmins/server-ldap.html?highlight=active directory#active-directory


Thanks.
-jc

Cheers,
~Josh

From: Jake Carroll <jake.carroll at uq.edu.au>
Date: Tue, 5 Aug 2014 11:11:27 +0000
To: "ome-users at lists.openmicroscopy.org.uk" <ome-users at lists.openmicroscopy.org.uk>
Subject: [ome-users] Weird LDAP issue - subtree/forest can't auth?

Hi all.

Just a quick LDAP/auth question.

I've got an LDAP schema and hierarchy that seemed to be working quite well with Omero up until we tried to auth somebody who was in a sub-OU of my OU.

Anyone in the top-level container of the OU can auth perfectly, but people INSIDE that, inside another OU (within my OU) are having problems. Ostensibly, it should work, as they are part of the one larger container - but they happen to be "enclosed" within another LDAP base (within the primary base).

Any ideas why Omero doesn't like this and what I can do about it in terms of LDAP config within Omero? Does this involve compound filters, or is there a way to match multiple bind DNs or some such?

Thanks, all!

-jc



----------
Jake Carroll --- Information Technology Manager
The Queensland Brain Institute, The University of Queensland, Australia
E: jake.carroll at uq.edu.au
P:  +61 7 334 66407
M:  0402739157

"We are shaped by our thoughts, we become what we think. When the mind is pure, joy follows like a shadow that never leaves" - Buddha.
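The compound (|...) filter Jake settled on, and the sub-container question that prompted it, are worth seeing as code. The following is an added example, not code from the thread or from OMERO: it builds an omero.ldap.user_filter value from a list of OU names with RFC 4515 escaping (so an OU name containing '(' or '*' cannot alter the filter), and includes a small local evaluator that models how a directory server would apply such a filter to one entry. The evaluator and the sample entries are constructed for illustration; OMERO itself hands the filter string to the LDAP server.

```python
import re
from typing import Dict, Iterable, List

# RFC 4515 escaping for a value placed inside a filter, so an OU name that
# contains '(' ')' '*' '\' or NUL cannot change the filter's structure.
def escape_filter_value(value: str) -> str:
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def build_ou_or_filter(ous: Iterable[str], attr: str = "ou") -> str:
    """Return an (|(ou=A)(ou=B)...) filter, the shape used for omero.ldap.user_filter."""
    return "(|%s)" % "".join("(%s=%s)" % (attr, escape_filter_value(ou)) for ou in ous)

# Small local evaluator for the subset (&...), (|...), (!...), (attr=value). It only
# models how a directory server applies the filter to one entry; not OMERO's code.
Entry = Dict[str, List[str]]  # attribute -> values, e.g. {"ou": ["Ageing Dementia Research"]}

def _parse(s: str, i: int):
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if s[i] != ")" or (op == "!" and len(kids) != 1):
            raise ValueError("malformed '%s' filter" % op)
        return (op, kids), i + 1
    end = s.index(")", i)  # escaped values contain no literal ')'
    attr, val = s[i:end].split("=", 1)
    return ("=", attr.lower(), unescape_filter_value(val)), end + 1

def _matches(node, entry: Entry) -> bool:
    if node[0] == "=":  # ou/cn compare case-insensitively in LDAP; fold case here
        return any(v.lower() == node[2].lower() for v in entry.get(node[1], []))
    op, kids = node
    if op == "&":
        return all(_matches(k, entry) for k in kids)
    if op == "|":
        return any(_matches(k, entry) for k in kids)
    return not _matches(kids[0], entry)

def filter_matches(filter_str: str, entry: Entry) -> bool:
    """True if the entry satisfies the filter; raises ValueError on a malformed filter."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("unexpected text after filter")
    return _matches(node, {k.lower(): v for k, v in entry.items()})
```

Each additional "ring" is one more (ou=...) term inside the (|...), and the escaping step is what keeps a configured OU name from being read as extra filter syntax.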
