[ome-users] LDAP group mapping question

Jäälinoja, Harri Tapio harri.jaalinoja at helsinki.fi
Thu May 12 11:10:33 BST 2016


Hi all,


I've set up LDAP authentication, the basic case where all users are added to one default group works ok. This is probably enough for our unit. However, there is another use case where it would be necessary to divide users according to research groups. Previously we used a plugin, but I'd like to check with you first if it's possible to get the desired result with the improved LDAP support.


The LDAP groups we use look like this; we can administer them in a system called "Alma":


ldapsearch -H ldaps://ldap-internal.it.helsinki.fi:636 -x -s sub -b ou=alma_workgroups,ou=groups,o=hy "(&(uid=grp-A91900-lmu-cust))"
#

# grp-A91900-lmu-cust, alma_workgroups, groups, hy
dn: uid=grp-A91900-lmu-cust,ou=alma_workgroups,ou=groups,o=hy
objectClass: hyGroup
objectClass: top
objectClass: groupOfUniqueNames
hyAccountingCode: A91900
hyCnSV: LMU-customers
hyCnEN: LMU-customers
uid: grp-A91900-lmu-cust
cn: LMU-customers
uniqueMember: uid=foobar,dc=helsinki,dc=fi
uniqueMember: uid=foobaq,dc=helsinki,dc=fi


Users can be members or owners of these groups:

ldapsearch -H ldaps://ldap-internal.it.helsinki.fi:636 -s sub -b dc=helsinki,dc=fi -x "(&(uid=hajaalin)(hyGroupOwnerships=uid=grp-A91900-lmu-cust,ou=alma_workgroups,ou=groups,o=hy))"
#
hyGroupOwnerships: uid=grp-A91900-lmuisa_,ou=alma_workgroups,ou=groups,o=hy
hyGroupOwnerships: uid=grp-A91900-lmu-cust,ou=alma_workgroups,ou=groups,o=hy
hyGroupMemberships: uid=grp-A91900-lmu-staff,ou=alma_workgroups,ou=groups,o=hy
hyGroupMemberships: uid=GRP-A00000-All,ou=groups,o=hy


This way I can restrict access to the appropriate groups; this is the part I'm happy with for our unit:
omero.ldap.user_filter=(|(hyGroupMemberships=uid=grp-A91900-lmu-cust,ou=alma_workgroups,ou=groups,o=hy)(hyGroupOwnerships=uid=grp-A91900-lmu-cust,ou=alma_workgroups,ou=groups,o=hy))


But then to the more complicated use case. If I set
omero.ldap.new_user_group:attribute:hyGroupMemberships,
a whole bunch of groups will be created, but only one is relevant (the one indicating the research group), so somehow I should use :filtered_attribute:. So far I have tried using the same filter as for users:
omero.ldap.group_filter=(|(hyGroupMemberships=uid=grp-A91900-lmu-cust,ou=alma_workgroups,ou=groups,o=hy)(hyGroupOwnerships=uid=grp-A91900-lmu-cust,ou=alma_workgroups,ou=groups,o=hy))
But the result is "no group found for user" in the log.

Is this even possible when the groups and users are in different subtrees?
omero.ldap.base=dc=helsinki,dc=fi
To find the groups with ldapsearch I have to set "-b ou=alma_workgroups,ou=groups,o=hy".

Using :filtered_attribute:hyGroupMemberships would only work for group members. Group leaders don't have that attribute set, they would need :filtered_attribute:hyGroupOwnerships. Is it possible to use something like
:filtered_attribute:(|(hyGroupMemberships,hyGroupOwnerships))?



Thanks in advance for any suggestions!


Best regards,

Harri


---

Harri Jäälinoja

Light Microscopy Unit

Institute of Biotechnology

University of Helsinki
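As an added example (not from the post, and not OMERO's own :filtered_attribute: logic), a small Python check that parses the kind of ldapsearch output shown above, takes the union of hyGroupMemberships and hyGroupOwnerships, and keeps only group DNs under the alma_workgroups subtree; that union is the group set the post wants a single mapping rule to produce. The user entry is constructed from the values in the post; GROUP_BASE, parse_ldif and candidate_groups are names chosen here.

```python
# Predict which Alma research groups a user entry maps to when both
# memberships and ownerships count and only the alma_workgroups subtree
# is relevant. Plain-text LDIF values only (no "::" base64 values).

GROUP_BASE = "ou=alma_workgroups,ou=groups,o=hy"  # subtree from the post
MEMBER_ATTRS = ("hyGroupMemberships", "hyGroupOwnerships")

# Constructed sample modelled on the post's ldapsearch output.
SAMPLE_LDIF = """\
# hajaalin, helsinki, fi
dn: uid=hajaalin,dc=helsinki,dc=fi
uid: hajaalin
hyGroupOwnerships: uid=grp-A91900-lmuisa_,ou=alma_workgroups,ou=groups,o=hy
hyGroupOwnerships: uid=grp-A91900-lmu-cust,ou=alma_workgroups,ou=groups,o=hy
hyGroupMemberships: uid=grp-A91900-lmu-staff,ou=alma_workgroups,ou=groups,o=hy
hyGroupMemberships: uid=GRP-A00000-All,ou=groups,o=hy
"""


def parse_ldif(text):
    """Return {attribute: [values]} for one LDIF entry.
    Skips blank and '#' comment lines; unfolds continuation lines that
    start with a single space, as LDIF allows."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    attrs = {}
    for line in lines:
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def under_base(dn, base):
    """Case-insensitive check that dn lies directly under base."""
    return dn.lower().endswith("," + base.lower())


def candidate_groups(entry, base=GROUP_BASE):
    """Union of membership and ownership DNs restricted to the group
    subtree, returned as sorted uid RDN values (e.g. grp-A91900-lmu-cust)."""
    found = set()
    for attr in MEMBER_ATTRS:
        for dn in entry.get(attr, []):
            if under_base(dn, base):
                rdn_value = dn.split(",", 1)[0].split("=", 1)[1]
                found.add(rdn_value)
    return sorted(found)


if __name__ == "__main__":
    print(candidate_groups(parse_ldif(SAMPLE_LDIF)))
```

Running it on the sample lists the three alma_workgroups groups and drops GRP-A00000-All, which sits outside the subtree.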