[ome-users] ldap new_user_group not working with :dn_attribute:

Tjelvar Olsson (JIC) Tjelvar.Olsson at jic.ac.uk
Fri Apr 8 13:25:11 BST 2016


Hi Ola,

Thank you for pointing me in the direction of the relevant logs.

The issue was that I had set the ldap_base too high in the tree. This meant that the groups were not accessible to OMERO, resulting in the error message below.

2016-04-08 07:59:21,440 ERROR [     o.s.blitz.fire.PermissionsVerifierI] (l.Server-2) Exception thrown while checking password for:hartleym
ome.conditions.InternalException: Full DN (cn=aaa,ou=groups,dc=scicomp,dc=jic,dc=ac,dc=uk) does not start with base DN (ou=people,dc=scicomp,dc=jic,dc=ac,dc=uk)

Changing the ldap_base from:

omero.ldap.base=ou=people,dc=scicomp,dc=jic,dc=ac,dc=uk

to:

omero.ldap.base=dc=scicomp,dc=jic,dc=ac,dc=uk

sorted out the issue.

Kind regards,

Tjelvar

--
Dr. Tjelvar Olsson
Scientific Computing Lab Manager
John Innes Centre
Genome Centre 105b, ext: 2587

> On 8 Apr 2016, at 13:04, Aleksandra Tarkowska (Staff) <A.Tarkowska at dundee.ac.uk> wrote:
> 
> Hi Tjelvar
> 
> Could you send logs OMERO.server/var/log/Blitz-0.log and OMEROweb.log to let us look what the problem is exactly?
> 
> Ola
> Software Engineer
> Open Microscopy Environment
> University of Dundee
> 
>> On 8 Apr 2016, at 12:50, Tjelvar Olsson (JIC) <Tjelvar.Olsson at jic.ac.uk> wrote:
>> 
>> Dear all,
>> 
>> I’m trying to configure OMERO to assign users to specific groups from an LDAP server.
>> 
>> I have gotten to the stage where I can get it to assign the full domain name as the default group the first time a user logs in to OMERO, e.g.
>> 
>> cn=awesome,ou=groups,dc=scicomp,dc=jic,dc=ac,dc=uk
>> 
>> Now I am trying, and failing, to get OMERO to use the common name (cn) of the ldap group as the OMERO group name, e.g. awesome.
>> 
>> However,
>> 
>> When I use :dn_attribute:memberOf instead of :attribute:memberOf as the value of the “new_user_group” the (web) login hangs (on first login) and eventually returns with an “Internal Server Error” page.
>> 
>> Has anyone managed to configure an OMERO server to talk to LDAP using the :dn_attribute:?
>> 
>> Below is the configuration used in the failing case.
>> 
>> $ ./bin/omero config get
>> omero.db.name=omero
>> omero.db.pass=secret
>> omero.db.user=omero_db_user
>> omero.ldap.base=ou=people,dc=scicomp,dc=jic,dc=ac,dc=uk
>> omero.ldap.config=true
>> omero.ldap.group_mapping=name=cn
>> omero.ldap.new_user_group=:dn_attribute:memberOf
>> omero.ldap.urls=ldap://192.168.99.100:389
>> omero.ldap.user_filter=(objectClass=inetOrgPerson)
>> omero.ldap.user_mapping=omeName=uid,firstName=givenName,lastName=sn,email=mail
>> omero.web.application_server=wsgi
>> 
>> Kind regards,
>> 
>> Tjelvar
>> _______________________________________________
>> ome-users mailing list
>> ome-users at lists.openmicroscopy.org.uk
>> http://lists.openmicroscopy.org.uk/mailman/listinfo/ome-users
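The base DN check behind the error in this thread, as an added example that is not part of the original message and is not OMERO's own code: it tests whether a DN lies under a configured base and computes the deepest base that covers both the user and group entries. The function names are hypothetical, the user DN is constructed (only the uid appears in the log), and values are compared case-insensitively, which is an assumption that holds for cn, ou, dc and uid.

```python
# Added example (not OMERO code): check which DNs fall under an LDAP base DN.

def split_rdns(dn):
    """Split a DN into normalised (attr, value) RDNs, honouring backslash escapes."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, _, value = part.strip().partition("=")
        # Assumption: case-insensitive matching, which holds for cn/ou/dc/uid.
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def is_under_base(dn, base):
    """True when the DN's trailing RDNs equal the base DN's RDNs."""
    d, b = split_rdns(dn), split_rdns(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def common_base(dns):
    """Deepest base DN that contains every DN in dns (longest shared suffix)."""
    reversed_lists = [split_rdns(dn)[::-1] for dn in dns]
    shared = []
    for level in zip(*reversed_lists):
        if any(r != level[0] for r in level):
            break
        shared.append(level[0])
    return ",".join(f"{a}={v}" for a, v in reversed(shared))

OLD_BASE = "ou=people,dc=scicomp,dc=jic,dc=ac,dc=uk"  # failing value from the thread
NEW_BASE = "dc=scicomp,dc=jic,dc=ac,dc=uk"  # working value from the thread
GROUP_DN = "cn=aaa,ou=groups,dc=scicomp,dc=jic,dc=ac,dc=uk"  # from the log line
USER_DN = "uid=hartleym,ou=people,dc=scicomp,dc=jic,dc=ac,dc=uk"  # constructed

if __name__ == "__main__":
    for base in (OLD_BASE, NEW_BASE):
        for dn in (USER_DN, GROUP_DN):
            print(f"base={base} dn={dn} under_base={is_under_base(dn, base)}")
    print("common base:", common_base([USER_DN, GROUP_DN]))
```

Running common_base over one sample user DN and one sample group DN before setting omero.ldap.base shows the deepest base that still reaches both subtrees, so the search scope is no wider than it needs to be.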


