[ome-users] Weird LDAP issue - subtree/forest can't auth?

Josh Moore josh at glencoesoftware.com
Thu Aug 7 08:16:23 BST 2014


On Aug 6, 2014, at 10:28 AM, Jake Carroll wrote:

> Thanks for the update. See below.

> ...

> I actually solved it by using an LDAP “OR” syntax (|) like this:
> 
> omero.ldap.user_filter=(|(ou=Queensland Brain Institute)(ou=Ageing Dementia Research))
> 
> All good :).
> 
> You might want to write some docco around compound filters and the other operators (such as ((|)) at some point to do what I’ve done here, to granularly allow concentric “rings” of more and more OUs granular access to Omero.

Done: https://github.com/openmicroscopy/ome-documentation/pull/928

Thanks for the tip.
~J.

> Thanks guys!
> 
> -jc
> 
> ---------------------------
> 
> Hopefully that will work for you.
> 
> 
> (*): Once available, see
>    https://www.openmicroscopy.org/site/support/omero5/sysadmins/server-ldap.html?highlight=active directory#active-directory
> 
> 
> Thanks.
> -jc
> 
> Cheers,
> ~Josh
> 
> From: Jake Carroll <jake.carroll at uq.edu.au>
> Date: Tue, 5 Aug 2014 11:11:27 +0000
> To: ome-users at lists.openmicroscopy.org.uk
> Subject: [ome-users] Weird LDAP issue - subtree/forest can't auth?
> 
> Hi all.
> 
> Just a quick LDAP/auth question.
> 
> I've got an LDAP schema and hierarchy that seemed to be working quite well with Omero up until we tried to auth somebody who was a sub OU of my OU.
> 
> Anyone in the top-level container of the OU can auth perfectly, but people INSIDE that, inside another OU (within my OU) are having problems. Ostensibly, it should work, as they are part of the one larger container - but they happen to be "enclosed" within another LDAP base (within the primary base).
> 
> Any ideas why Omero doesn't like this and what I can do about it in terms of LDAP config within Omero? Does this involve compound filters or is there a way to match multiple bind DN's or some such?
> 
> Thanks, all!
> 
> -jc