[ome-users] LDAP group mapping question

Josh Moore josh at glencoesoftware.com
Mon May 16 12:47:58 BST 2016

Hi Harri,

On Thu, May 12, 2016 at 12:10 PM, Jäälinoja, Harri Tapio
<harri.jaalinoja at helsinki.fi> wrote:
> Hi all,
> I've set up LDAP authentication, the basic case where all users are added to
> one default group works ok. This is probably enough for our unit. However,
> there is another use case where it would be necessary to divide users
> according to research groups. Previously we used a plugin, but I'd like to
> check with you first if it's possible to get the desired result with the
> improved LDAP support.
> The LDAP groups we use look like this, we can administer them in a system
> called "Alma":
> ldapsearch -H ldaps://ldap-internal.it.helsinki.fi:636 -x -s sub -b
> ou=alma_workgroups,ou=groups,o=hy "(&(uid=grp-A91900-lmu-cust))"
> #
> # grp-A91900-lmu-cust, alma_workgroups, groups, hy
> dn: uid=grp-A91900-lmu-cust,ou=alma_workgroups,ou=groups,o=hy
> objectClass: hyGroup
> objectClass: top
> objectClass: groupOfUniqueNames
> hyAccountingCode: A91900
> hyCnSV: LMU-customers
> hyCnEN: LMU-customers
> uid: grp-A91900-lmu-cust
> cn: LMU-customers
> uniqueMember: uid=foobar,dc=helsinki,dc=fi
> uniqueMember: uid=foobaq,dc=helsinki,dc=fi
> Users can be members or owners of these groups:
> ldapsearch -H ldaps://ldap-internal.it.helsinki.fi:636 -s sub -b
> dc=helsinki,dc=fi -x
> "(&(uid=hajaalin)(hyGroupOwnerships=uid=grp-A91900-lmu-cust,ou=alma_workgroups,ou=groups,o=hy))"
> #
> hyGroupOwnerships: uid=grp-A91900-lmuisa_,ou=alma_workgroups,ou=groups,o=hy
> hyGroupOwnerships: uid=grp-A91900-lmu-cust,ou=alma_workgroups,ou=groups,o=hy
> hyGroupMemberships: uid=grp-A91900-lmu-staff,ou=alma_workgroups,ou=groups,o=hy
> hyGroupMemberships: uid=GRP-A00000-All,ou=groups,o=hy
> This way I can restrict access to the appropriate groups, this is the part
> I'm happy with for our unit:
> omero.ldap.user_filter=(|(hyGroupMemberships=uid=grp-A91900-lmu-cust,ou=alma_workgroups,ou=groups,o=hy)(hyGroupOwnerships=uid=grp-A91900-lmu-cust,ou=alma_workgroups,ou=groups,o=hy))
> But then to the more complicated use case. If I set
> omero.ldap.new_user_group:attribute:hyGroupMemberships,
> a whole bunch of groups will be created, but only one is relevant (the one
> indicating the research group), so somehow I should use
> :filtered_attribute:. So far I have tried using the same filter as for
> users:
> omero.ldap.group_filter=(|(hyGroupMemberships=uid=grp-A91900-lmu-cust,ou=alma_workgroups,ou=groups,o=hy)(hyGroupOwnerships=uid=grp-A91900-lmu-cust,ou=alma_workgroups,ou=groups,o=hy))
> But the result is "no group found for user" in the log.
> Is this even possible when the groups and users are in different subtrees?
> omero.ldap.base=dc=helsinki,dc=fi
> To find the groups with ldapsearch I have to set "-b
> ou=alma_workgroups,ou=groups,o=hy".

The little reading I've done on the subject just now points to this
*not* being possible. Options (none of them costless) that I can see:

 * investigate "null/empty base" searches
 * add multiple base support to OMERO
 * use a custom PasswordProvider
 * add one of the trees as a virtual directory in the other

> Using :filtered_attribute:hyGroupMemberships would only work for group
> members. Group leaders don't have that attribute set, they would need
> :filtered_attribute:hyGroupOwnerships. Is it possible to use something like
> :filtered_attribute:(|(hyGroupMemberships,hyGroupOwnerships))?

:filtered_attribute: is currently not that smart. It only looks for
individual properties. The :query: configuration may do what you need,
but we'll have to solve the base issue first.


> Thanks in advance for any suggestions!
> Best regards,
> Harri

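An added illustration, not part of this thread and not OMERO's own code, of the two points under discussion: collecting a user's groups from both hyGroupMemberships and hyGroupOwnerships (the OR that a single :filtered_attribute: cannot express), and checking which of those group DNs actually fall under a given search base. The LDIF entry, the attribute names and the DNs are constructed from the shapes quoted above; the function names are hypothetical helpers, not an OMERO or ldap3 API. It uses only the Python standard library and does no network access.

```python
"""Model how a user's LDAP entry would map to OMERO groups when both
membership and ownership attributes are considered, and check whether the
resulting group DNs are reachable from a configured search base."""

import re

# Constructed sample entry, shaped like the ldapsearch output in the thread.
SAMPLE_USER_LDIF = """\
dn: uid=hajaalin,dc=helsinki,dc=fi
uid: hajaalin
hyGroupOwnerships: uid=grp-A91900-lmuisa_,ou=alma_workgroups,ou=groups,o=hy
hyGroupOwnerships: uid=grp-A91900-lmu-cust,ou=alma_workgroups,ou=groups,o=hy
hyGroupMemberships: uid=grp-A91900-lmu-staff,ou=alma_workgroups,ou=groups,o=hy
hyGroupMemberships: uid=GRP-A00000-All,ou=groups,o=hy
"""

# Subtree holding the research groups (from the thread) and the omero.ldap.base
# value quoted there; the two do not overlap, which is the core of the problem.
GROUP_SUBTREE = "ou=alma_workgroups,ou=groups,o=hy"
OMERO_BASE = "dc=helsinki,dc=fi"

# Attributes that can tie a user to a group (assumption: ownership implies membership).
GROUP_ATTRS = ("hygroupmemberships", "hygroupownerships")


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute (lower-cased): [values]}.
    Folds LDIF continuation lines (a leading single space) and skips comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def split_dn(dn):
    """Split a DN into normalised RDN components (assumes no escaped commas)."""
    return [re.sub(r"\s*=\s*", "=", part.strip()).lower() for part in dn.split(",")]


def dn_under_base(dn, base):
    """True if `dn` equals `base` or lies beneath it in the directory tree."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b


def candidate_groups(entry, attrs=GROUP_ATTRS):
    """Group DNs from all listed attributes, in order, without duplicates."""
    dns = []
    for attr in attrs:
        for value in entry.get(attr, []):
            if value not in dns:
                dns.append(value)
    return dns


def map_user_to_groups(entry, subtree=GROUP_SUBTREE):
    """Group names (the uid RDN value) for DNs inside the research-group subtree."""
    names = []
    for dn in candidate_groups(entry):
        if dn_under_base(dn, subtree):
            rdn = dn.split(",", 1)[0]
            names.append(rdn.split("=", 1)[1].strip())
    return names


def groups_outside_base(entry, base=OMERO_BASE):
    """Group DNs that a search rooted at `base` can never reach."""
    return [dn for dn in candidate_groups(entry) if not dn_under_base(dn, base)]


if __name__ == "__main__":
    user = parse_ldif_entry(SAMPLE_USER_LDIF)
    print("research groups:", map_user_to_groups(user))
    print("unreachable from", OMERO_BASE + ":", groups_outside_base(user))
```

Run against the sample entry, the mapping yields three research groups (the all-staff group under ou=groups,o=hy is filtered out), while every one of the four group DNs is reported as unreachable from dc=helsinki,dc=fi, which is exactly the situation behind the "no group found for user" message.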