[ome-users] Group mapping (LDAP)
Aleksandra Tarkowska (Staff)
A.Tarkowska at dundee.ac.uk
Sun May 29 23:47:41 BST 2016
Hi Shaun
Sorry for a slow response. I tested your config with our AD and I think there are two issues here:
1. Base is incorrect:
omero.ldap.base=ou=Users,ou=University,dc=ad,dc=nottingham,dc=ac,dc=uk
it should be omero.ldap.base "ou=University,dc=ad,dc=nottingham,dc=ac,dc=uk"
otherwise it will never find any groups in the users tree.
2. Group filter should be simply:
omero.ldap.group_filter "(|(cn=LS-Omero-SRM)(cn=LS-Omero-LSM710))"
because you are searching by CN (as in the example https://www.openmicroscopy.org/site/support/omero5.2/sysadmins/server-ldap.html#group-lookup).
Let me know if that works.
Ola
Software Engineer
Open Microscopy Environment
University of Dundee
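To make the two points in the reply above concrete, here is an added example (not OMERO's code and not part of the original thread): a small in-memory model of an LDAP subtree search. It builds a constructed directory whose OU layout copies the DNs quoted in the thread (one user under ou=Users, two groups under ou=Groups), parses the filters from the config with a minimal RFC 4515 evaluator, and shows that the login-time user lookup succeeds with either base while the `:query:(member=@{dn})` group lookup only succeeds once the base is widened to `ou=University,...` and the group filter compares `cn` against a bare name rather than a whole DN. The combination of `group_filter` and the `:query:` as a single AND filter is this example's modelling of the documented behaviour, not OMERO's implementation.

```python
"""Added example (not OMERO code): an in-memory LDAP subtree search that shows
why the base DN and group_filter fixes matter.  Entries, DNs and attribute
values are constructed for illustration; the OU layout copies the thread."""

DC = "dc=ad,dc=nottingham,dc=ac,dc=uk"
USER_DN = f"cn=plzrk,ou=PL,ou=P,ou=Users,ou=University,{DC}"
GROUPS_OU = f"ou=Groups,ou=LS,ou=L,ou=Groups,ou=University,{DC}"
LSM710_DN = f"CN=LS-Omero-LSM710,{GROUPS_OU}"
SRM_DN = f"CN=LS-Omero-SRM,{GROUPS_OU}"

# Constructed directory content: one user under ou=Users, two groups under ou=Groups.
DIRECTORY = {
    USER_DN: {"objectClass": ["user"], "cn": ["plzrk"], "sAMAccountName": ["plzrk"],
              "memberOf": [LSM710_DN]},
    LSM710_DN: {"objectClass": ["group"], "cn": ["LS-Omero-LSM710"], "member": [USER_DN]},
    SRM_DN: {"objectClass": ["group"], "cn": ["LS-Omero-SRM"], "member": []},
}


def parse_filter(text):
    """Parse the RFC 4515 subset used in the thread: (&...), (|...), (!...), (attr=value)."""
    pos, node = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing text in filter: %r" % text[pos:])
    return node


def _parse(s, i):
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i] in "&|!":
        op, children = s[i], []
        i += 1
        while s[i] == "(":
            i, child = _parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return i + 1, (op, children)
    end = s.index(")", i)                      # DN values contain no ')'
    attr, _, value = s[i:end].partition("=")   # split on the FIRST '=' only
    return end + 1, ("=", attr, value)


def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive, as for DN/cn syntax)."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    return any(v.lower() == value.lower() for v in values)


def in_subtree(dn, base):
    """SUBTREE scope: the entry is the base itself or lies somewhere below it."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def search(base, filter_text, dn=None):
    """Return the DNs under `base` matching `filter_text`; @{dn} is substituted first."""
    if dn is not None:
        filter_text = filter_text.replace("@{dn}", dn)
    node = parse_filter(filter_text)
    return sorted(d for d, entry in DIRECTORY.items()
                  if in_subtree(d, base) and matches(node, entry))


# Settings from the thread.  The :query: new_user_group is modelled as
# "group_filter AND query"; that modelling and the evaluator are this example's own.
BAD_BASE = f"ou=Users,ou=University,{DC}"
GOOD_BASE = f"ou=University,{DC}"
BAD_GROUP_FILTER = f"(|(cn=LS-Omero-SRM,{GROUPS_OU})(cn=LS-Omero-LSM710,{GROUPS_OU}))"
GOOD_GROUP_FILTER = "(|(cn=LS-Omero-SRM)(cn=LS-Omero-LSM710))"
USER_FILTER = f"(|(memberOf={SRM_DN})(memberOf={LSM710_DN}))"
NEW_USER_GROUP_QUERY = "(member=@{dn})"


def find_user(base, omename):
    """Login-time user lookup: user_filter AND the omeName attribute from user_mapping."""
    return search(base, f"(&{USER_FILTER}(sAMAccountName={omename}))")


def groups_for(base, group_filter, user_dn):
    """The new_user_group=:query: lookup run for a freshly created user."""
    return search(base, f"(&{group_filter}{NEW_USER_GROUP_QUERY})", dn=user_dn)


if __name__ == "__main__":
    # Login works with either base: the user sits under ou=Users ...
    print("user, bad base   :", find_user(BAD_BASE, "plzrk"))
    # ... but the groups live under ou=Groups, outside the ou=Users subtree.
    print("groups, bad base :", groups_for(BAD_BASE, GOOD_GROUP_FILTER, USER_DN))
    # Widening the base is not enough while cn= is compared against a whole DN.
    print("groups, bad filter:", groups_for(GOOD_BASE, BAD_GROUP_FILTER, USER_DN))
    # Both fixes applied: the user's group is found.
    print("groups, fixed    :", groups_for(GOOD_BASE, GOOD_GROUP_FILTER, USER_DN))
```

The same reasoning is what `bin/omero ldap discover` does against the real directory: if it returns the user but no group, check first whether the group objects are below `omero.ldap.base` at all, and only then whether the filter attribute (`cn`) is being compared to a value that attribute can actually hold.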
On 23 May 2016, at 12:07, Shaun Hare <Shaun.Hare at nottingham.ac.uk<mailto:Shaun.Hare at nottingham.ac.uk>> wrote:
Ola
This appears significant to me from the logs (with a new user logging in) who is in the appropriate AD group (LS-Omero-LSM710 in this case):
Default choice on create user: plzrk (ome.conditions.ValidationException: No group found for: cn=plzrk,ou=PL,ou=P,ou=Users,ou=University,dc=ad,dc=nottingham,dc=ac,dc=uk)
Logs have been uploaded
Shaun
From: ome-users <ome-users-bounces at lists.openmicroscopy.org.uk<mailto:ome-users-bounces at lists.openmicroscopy.org.uk>> on behalf of Shaun Hare <Shaun.Hare at nottingham.ac.uk<mailto:Shaun.Hare at nottingham.ac.uk>>
Reply-To: OME User Support List <ome-users at lists.openmicroscopy.org.uk<mailto:ome-users at lists.openmicroscopy.org.uk>>
Date: Monday, 23 May 2016 at 11:10
To: OME User Support List <ome-users at lists.openmicroscopy.org.uk<mailto:ome-users at lists.openmicroscopy.org.uk>>
Subject: Re: [ome-users] Group mapping (LDAP)
Thanks Ola
When I say re-install, we had to rebuild due to a hardware issue.
The ldap login works - this is the output from ldap active:
Created session 84c4f29e-5070-4ad6-8909-5f5e83100e49 (cczsh at localhost:4064). Idle timeout: 10 min. Current group: system
It does not appear to put new users in the appropriate group (or create the group); the config detailed previously did that on 5.1.
Testing-wise it is also difficult as I cannot delete and recreate users - is there a method for that you could share? (I know it is not desirable normally, so as not to orphan images.)
This is 5.2.2
I have added ldap.sync_on_login true
I will upload the logs
Many thanks
Shaun
OMERO Diagnostics 5.2.2-ice35-b17
================================================================================
Commands: java -version 1.8.0 (/bin/java)
Commands: python -V 2.7.5 (/home/omero/venv/bin/python -- 2 others)
Commands: icegridnode --version 3.5.1 (/bin/icegridnode)
Commands: icegridadmin --version 3.5.1 (/bin/icegridadmin)
Commands: psql --version 9.4.7 (/bin/psql)
Server: icegridnode running
Server: Blitz-0 active (pid = 39431, enabled)
Server: DropBox active (pid = 39459, enabled)
Server: FileServer active (pid = 39463, enabled)
Server: Indexer-0 active (pid = 39453, enabled)
Server: MonitorServer active (pid = 39443, enabled)
Server: OMERO.Glacier2 active (pid = 39451, enabled)
Server: OMERO.IceStorm active (pid = 39465, enabled)
Server: PixelData-0 active (pid = 39472, enabled)
Server: Processor-0 active (pid = 39479, enabled)
Server: Tables-0 active (pid = 39490, enabled)
Server: TestDropBox inactive (enabled)
Log dir: /home/omero/OMERO.server/var/log exists
Log files: Blitz-0.log 95.0 MB errors=840 warnings=175
Log files: DropBox.log 55.0 KB errors=2 warnings=19
Log files: FileServer.log 7.0 KB
Log files: Indexer-0.log 731.0 KB errors=2 warnings=22
Log files: MonitorServer.log 29.0 KB
Log files: OMEROweb.lock 0.0 KB
Log files: OMEROweb.log 523.0 KB errors=936 warnings=293
Log files: OMEROweb_brokenrequest.lock 0.0 KB
Log files: OMEROweb_brokenrequest.log 122.0 KB errors=189 warnings=126
Log files: PixelData-0.log 293.0 KB
Log files: Processor-0.log 2.0 MB errors=833 warnings=6
Log files: Tables-0.log 36.0 KB errors=0 warnings=7
Log files: TestDropBox.log n/a
Log files: master.err 93.0 KB errors=0 warnings=63
Log files: master.out 0.0 KB
Log files: Total size 100.26 MB
Environment:OMERO_HOME=(unset)
Environment:OMERO_NODE=(unset)
Environment:OMERO_MASTER=(unset)
Environment:OMERO_USERDIR=(unset)
Environment:OMERO_TMPDIR=(unset)
Environment:PATH=/home/omero/venv/bin:/sbin:/bin:/usr/sbin:/usr/bin:/home/omero/OMERO.server/bin
Environment:PYTHONPATH=(unset)
Environment:ICE_HOME=(unset)
Environment:LD_LIBRARY_PATH=(unset)
Environment:DYLD_LIBRARY_PATH=(unset)
OMERO SSL port:4064
OMERO TCP port:4063
OMERO data dir:'/data_repository_san' Exists? True Is writable? True
OMERO temp dir:'/home/omero/omero/tmp' Exists? True Is writable? True (Size: 0)
JVM settings: Blitz-${index} -Xmx620m -XX:MaxPermSize=512m -XX:+IgnoreUnrecognizedVMOptions
JVM settings: Indexer-${index} -Xmx413m -XX:MaxPermSize=512m -XX:+IgnoreUnrecognizedVMOptions
JVM settings: PixelData-${index} -Xmx620m -XX:MaxPermSize=512m -XX:+IgnoreUnrecognizedVMOptions
JVM settings: Repository-${index} -Xmx413m -XX:MaxPermSize=512m -XX:+IgnoreUnrecognizedVMOptions
OMERO.web status... [RUNNING] (PID 40047)
Django version: 1.8.12
omero.db.name=omero_db
omero.db.pass=********
omero.db.user=omero
omero.ldap.base=ou=Users,ou=University,dc=ad,dc=nottingham,dc=ac,dc=uk
omero.ldap.config=true
omero.ldap.group_filter=(|(cn=LS-Omero-SRM,ou=Groups,ou=LS,ou=L,ou=Groups,ou=University,dc=ad,dc=nottingham,dc=ac,dc=uk)(cn=LS-Omero-LSM710,ou=Groups,ou=LS,ou=L,ou=Groups,ou=University,dc=ad,dc=nottingham,dc=ac,dc=uk))
omero.ldap.group_mapping=name=cn
omero.ldap.new_user_group=:query:(member=@{dn})
omero.ldap.password=********
omero.ldap.sync_on_login=true
omero.ldap.urls=ldap://********:389
omero.ldap.user_filter=(|(memberOf=CN=LS-Omero-SRM,ou=Groups,ou=LS,ou=L,ou=Groups,ou=University,dc=ad,dc=nottingham,dc=ac,dc=uk)(memberOf=CN=LS-Omero-LSM710,ou=Groups,ou=LS,ou=L,ou=Groups,ou=University,dc=ad,dc=nottingham,dc=ac,dc=uk))
omero.ldap.user_mapping=omeName=sAMAccountName,firstName=givenName,lastName=sn,email=mail
omero.ldap.username=CN=********,CN=Users,DC=ad,DC=nottingham,DC=ac,DC=uk
omero.web.application_server=wsgi-tcp
omero.web.application_server.port=4080
omero.web.login_logo=https://www.nottingham.ac.uk/life-sciences/facilities/slim/omero/slim150x76.jpg
From: ome-users <ome-users-bounces at lists.openmicroscopy.org.uk<mailto:ome-users-bounces at lists.openmicroscopy.org.uk>> on behalf of "Aleksandra Tarkowska (Staff)" <A.Tarkowska at dundee.ac.uk<mailto:A.Tarkowska at dundee.ac.uk>>
Reply-To: OME User Support List <ome-users at lists.openmicroscopy.org.uk<mailto:ome-users at lists.openmicroscopy.org.uk>>
Date: Monday, 23 May 2016 at 10:46
To: OME User Support List <ome-users at lists.openmicroscopy.org.uk<mailto:ome-users at lists.openmicroscopy.org.uk>>
Subject: Re: [ome-users] Group mapping (LDAP)
Hi Shaun,
What exactly do you mean by re-install, did you upgrade?
Could you detail more what is not working exactly, is there any error in the Blitz-1.log file?
Could you give us more details about your previous and recent installations, which version did you use before and now,
and the output of:
- bin/omero config get --hide-password
- bin/omero admin diagnostics
Could you send example ldap entry of user and group?
Could you try CLI and show the output of:
- bin/omero ldap active
- bin/omero ldap discover
- bin/omero ldap getdn --user-name USERNAME
- bin/omero login username@server:4064 #please use ldap user
Could you also send all logs stored in /path/to/omero/var/log
If you prefer not to share all the above, please use http://qa.openmicroscopy.org.uk/qa/upload/
On the other hand, did you try `omero.ldap.sync_on_login true` https://www.openmicroscopy.org/site/support/omero5.2/sysadmins/server-ldap.html#synchronizing-ldap-on-user-login
Ola
Software Engineer
Open Microscopy Environment
University of Dundee
On 20 May 2016, at 18:15, Shaun Hare <Shaun.Hare at nottingham.ac.uk<mailto:Shaun.Hare at nottingham.ac.uk>> wrote:
Hi community members
We have previously had configuration working for group mapping here at Nottingham University
However after a re-install the settings don't seem to be working - could anyone please advise if there is an issue here?
What we are trying to achieve is that new users go into the group they are a member of (note they will belong to many groups).
E.g. members of cn=LS-OMERO-SRM go into that group.
Settings
omero.ldap.base=ou=Users,ou=University,dc=ad,dc=nottingham,dc=ac,dc=uk
omero.ldap.config=true
omero.ldap.group_filter=(|(cn=LS-OMERO-SRM)(cn=LS-OMERO-LSM710))
omero.ldap.group_mapping=name=cn
omero.ldap.new_user_group=:query:(member=@{dn})
omero.ldap.password=********
omero.ldap.urls=*********
omero.ldap.user_filter=(|(memberOf=CN=LS-Omero-SRM,ou=Groups,ou=LS,ou=L,ou=Groups,ou=University,dc=ad,dc=nottingham,dc=ac,dc=uk)(memberOf=CN=LS-Omero-LSM710,ou=Groups,ou=LS,ou=L,ou=Groups,ou=University,dc=ad,dc=nottingham,dc=ac,dc=uk))
omero.ldap.user_mapping=omeName=sAMAccountName,firstName=givenName,lastName=sn,email=mail
omero.ldap.username=CN=*********,CN=Users,DC=ad,DC=nottingham,DC=ac,DC=uk
Many thanks in anticipation
Shaun
This message and any attachment are intended solely for the addressee
and may contain confidential information. If you have received this
message in error, please send it back to me, and immediately delete it.
Please do not use, copy or disclose the information contained in this
message or in any attachment. Any views or opinions expressed by the
author of this email do not necessarily reflect the views of the
University of Nottingham.
This message has been checked for viruses but the contents of an
attachment may still contain software viruses which could damage your
computer system, you are advised to perform your own checks. Email
communications with the University of Nottingham may be monitored as
permitted by UK legislation.
_______________________________________________
ome-users mailing list
ome-users at lists.openmicroscopy.org.uk<mailto:ome-users at lists.openmicroscopy.org.uk>
http://lists.openmicroscopy.org.uk/mailman/listinfo/ome-users
The University of Dundee is a registered Scottish Charity, No: SC015096