[ome-users] LDAP group mapping question
Jäälinoja, Harri Tapio
harri.jaalinoja at helsinki.fi
Wed May 18 09:20:03 BST 2016
Hi Josh,
thanks for checking this. I'll first have a fresh look at the old bean we have. It used to work, but some problem came up with some users, and I didn't have time yet to figure out what was going wrong. I'll let you know how it goes.
Cheers,
Harri
________________________________________
From: ome-users <ome-users-bounces at lists.openmicroscopy.org.uk> on behalf of Josh Moore <josh at glencoesoftware.com>
Sent: 16 May 2016 14:47:58
To: OME User Support List
Subject: Re: [ome-users] LDAP group mapping question
Hi Harri,
On Thu, May 12, 2016 at 12:10 PM, Jäälinoja, Harri Tapio
<harri.jaalinoja at helsinki.fi> wrote:
> Hi all,
>
>
> I've set up LDAP authentication, the basic case where all users are added to
> one default group works ok. This is probably enough for our unit. However,
> there is another use case where it would be necessary to divide users
> according to research groups. Previously we used a plugin, but I'd like to
> check with you first if it's possible to get the desired result with the
> improved LDAP support.
>
>
> The LDAP groups we use look like this, we can administer them in a system
> called "Alma":
>
>
> ldapsearch -H ldaps://ldap-internal.it.helsinki.fi:636 -x -s sub -b
> ou=alma_workgroups,ou=groups,o=hy "(&(uid=grp-A91900-lmu-cust))"
> #
>
> # grp-A91900-lmu-cust, alma_workgroups, groups, hy
> dn: uid=grp-A91900-lmu-cust,ou=alma_workgroups,ou=groups,o=hy
> objectClass: hyGroup
> objectClass: top
> objectClass: groupOfUniqueNames
> hyAccountingCode: A91900
> hyCnSV: LMU-customers
> hyCnEN: LMU-customers
> uid: grp-A91900-lmu-cust
> cn: LMU-customers
> uniqueMember: uid=foobar,dc=helsinki,dc=fi
> uniqueMember: uid=foobaq,dc=helsinki,dc=fi
>
>
> Users can be members or owners of these groups:
>
> ldapsearch -H ldaps://ldap-internal.it.helsinki.fi:636 -s sub -b
> dc=helsinki,dc=fi -x
> "(&(uid=hajaalin)(hyGroupOwnerships=uid=grp-A91900-lmu-cust,ou=alma_workgroups,ou=groups,o=hy))"
> #
> hyGroupOwnerships: uid=grp-A91900-lmuisa_,ou=alma_workgroups,ou=groups,o=hy
> hyGroupOwnerships: uid=grp-A91900-lmu-cust,ou=alma_workgroups,ou=groups,o=hy
> hyGroupMemberships: uid=grp-A91900-lmu-staff,ou=alma_workgroups,ou=groups,o=hy
> hyGroupMemberships: uid=GRP-A00000-All,ou=groups,o=hy
>
>
> This way I can restrict access to the appropriate groups; this is the part
> I'm happy with for our unit:
> omero.ldap.user_filter=(|(hyGroupMemberships=uid=grp-A91900-lmu-cust,ou=alma_workgroups,ou=groups,o=hy)(hyGroupOwnerships=uid=grp-A91900-lmu-cust,ou=alma_workgroups,ou=groups,o=hy))
>
>
> But then to the more complicated use case. If I set
> omero.ldap.new_user_group:attribute:hyGroupMemberships,
> a whole bunch of groups will be created, but only one is relevant (the one
> indicating the research group), so somehow I should use
> :filtered_attribute:. So far I have tried using the same filter as for
> users:
> omero.ldap.group_filter=(|(hyGroupMemberships=uid=grp-A91900-lmu-cust,ou=alma_workgroups,ou=groups,o=hy)(hyGroupOwnerships=uid=grp-A91900-lmu-cust,ou=alma_workgroups,ou=groups,o=hy))
> But the result is "no group found for user" in the log.
>
> Is this even possible when the groups and users are in different subtrees?
> omero.ldap.base=dc=helsinki,dc=fi
> To find the groups with ldapsearch I have to set "-b
> ou=alma_workgroups,ou=groups,o=hy".
The little reading I've done on the subject just now points to this
*not* being possible. Options (none of them costless) that I can see:
* investigate "null/empty base" searches
* add multiple base support to OMERO
* use a custom PasswordProvider
* add one of the trees as a virtual directory in the other
> Using :filtered_attribute:hyGroupMemberships would only work for group
> members. Group leaders don't have that attribute set, they would need
> :filtered_attribute:hyGroupOwnerships. Is it possible to use something like
> :filtered_attribute:(|(hyGroupMemberships,hyGroupOwnerships))?
:filtered_attribute: is currently not that smart. It only looks for
individual properties. The :query: configuration may do what you need,
but we'll have to solve the base issue first.
Cheers,
~Josh.
> Thanks in advance for any suggestions!
>
>
> Best regards,
> Harri
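An added, offline Python example (my own code, not OMERO's and not anything Harri or Josh posted) that makes the three points of the thread concrete: the member-or-owner filter used for `omero.ldap.user_filter`, why the `ou=alma_workgroups,ou=groups,o=hy` group DNs are not found under `omero.ldap.base=dc=helsinki,dc=fi`, and what a `:filtered_attribute:` that spans both `hyGroupMemberships` and `hyGroupOwnerships` would have to do. The user and group entries are constructed from the `ldapsearch` output quoted above; the only `cn` the thread shows is `LMU-customers`, so other groups fall back to their `uid` RDN. Helper names are assumptions, nothing here contacts a directory, and the DN value placed in the filter is RFC 4515-escaped so a configured or directory-supplied DN can never alter the filter's structure.

```python
"""Offline emulation of the OMERO LDAP user/group mapping discussed in the thread.

Added example, not OMERO code. Entries are constructed from the ldapsearch
output quoted in the thread; helper names are my own.
"""
from typing import Dict, Iterable, List, Sequence

# Values quoted in the thread.
OMERO_BASE = "dc=helsinki,dc=fi"
WORKGROUP_BASE = "ou=alma_workgroups,ou=groups,o=hy"
ACCESS_GROUP_DN = "uid=grp-A91900-lmu-cust,ou=alma_workgroups,ou=groups,o=hy"

# Constructed user entry, shaped like the second ldapsearch result in the thread.
USER_ENTRY: Dict[str, List[str]] = {
    "uid": ["hajaalin"],
    "hyGroupOwnerships": [
        "uid=grp-A91900-lmuisa_,ou=alma_workgroups,ou=groups,o=hy",
        ACCESS_GROUP_DN,
    ],
    "hyGroupMemberships": [
        "uid=grp-A91900-lmu-staff,ou=alma_workgroups,ou=groups,o=hy",
        "uid=GRP-A00000-All,ou=groups,o=hy",
    ],
}

# Constructed group directory: only the entry shown in the thread has a known cn.
GROUP_ENTRIES: Dict[str, Dict[str, List[str]]] = {
    ACCESS_GROUP_DN: {"cn": ["LMU-customers"]},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter.

    The five special characters are hex-escaped so a DN taken from
    configuration or from an attribute cannot change the filter's structure;
    '=' and ',' inside a DN need no escaping.
    """
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_user_filter(group_dn: str) -> str:
    """The omero.ldap.user_filter from the thread: member OR owner of the group."""
    g = escape_filter_value(group_dn)
    return "(|(hyGroupMemberships=%s)(hyGroupOwnerships=%s))" % (g, g)


def normalize_dn(dn: str) -> str:
    """Case-fold and strip spaces around RDN separators (enough for these DNs)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def dn_under_base(dn: str, base: str) -> bool:
    """True when `dn` lies inside the subtree rooted at `base`."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return d == b or d.endswith("," + b)


def matches_user_filter(entry: Dict[str, List[str]], group_dn: str) -> bool:
    """Evaluate build_user_filter(group_dn) against an in-memory entry."""
    wanted = normalize_dn(group_dn)
    return any(
        normalize_dn(v) == wanted
        for attr in ("hyGroupMemberships", "hyGroupOwnerships")
        for v in entry.get(attr, [])
    )


def research_group_dns(
    entry: Dict[str, List[str]],
    attrs: Sequence[str] = ("hyGroupMemberships", "hyGroupOwnerships"),
    base: str = WORKGROUP_BASE,
    exclude: Iterable[str] = (ACCESS_GROUP_DN,),
) -> List[str]:
    """Union of the given attributes restricted to the workgroup subtree.

    This is the two-attribute ':filtered_attribute:' the thread asks about:
    the access-control group itself is dropped, as is anything outside
    ou=alma_workgroups (for example the site-wide GRP-A00000-All group).
    """
    skip = {normalize_dn(x) for x in exclude}
    seen, result = set(), []
    for attr in attrs:
        for dn in entry.get(attr, []):
            n = normalize_dn(dn)
            if n in skip or n in seen or not dn_under_base(dn, base):
                continue
            seen.add(n)
            result.append(dn)
    return result


def group_name(dn: str) -> str:
    """OMERO group name for a workgroup DN: its cn when the entry is known,
    otherwise the value of the leading uid RDN."""
    cn = GROUP_ENTRIES.get(dn, {}).get("cn")
    if cn:
        return cn[0]
    return dn.split(",", 1)[0].split("=", 1)[1]


if __name__ == "__main__":
    print(build_user_filter(ACCESS_GROUP_DN))
    print("workgroup under omero.ldap.base:", dn_under_base(ACCESS_GROUP_DN, OMERO_BASE))
    print("user admitted:", matches_user_filter(USER_ENTRY, ACCESS_GROUP_DN))
    for dn in research_group_dns(USER_ENTRY):
        print("map to OMERO group:", group_name(dn))
```

Running it reproduces the exact `omero.ldap.user_filter` string from the thread, reports `False` for the workgroup DN under `dc=helsinki,dc=fi` (Josh's base problem, as a plain suffix check), admits `hajaalin` through ownership rather than membership, and yields the two research groups while leaving out both the access-control group and the site-wide group.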
_______________________________________________
ome-users mailing list
ome-users at lists.openmicroscopy.org.uk
http://lists.openmicroscopy.org.uk/mailman/listinfo/ome-users