[ome-users] LDAP Config for PosixGroups
Josh Moore
josh at glencoesoftware.com
Thu Jan 31 15:33:13 GMT 2019
On Thu, Jan 31, 2019 at 4:28 PM Andreas Mueller
<Andreas.Mueller at biologie.uni-osnabrueck.de> wrote:
>
> On 31.01.19 16:16, Josh Moore wrote:
> > Andreas,
> >
> > On Thu, Jan 31, 2019 at 4:10 PM Andreas Mueller
> > <Andreas.Mueller at biologie.uni-osnabrueck.de> wrote:
> > ...snip...
> > >
> > > And - HURRAY - I can log in !!!
> >
> > Progress!
> >
> >
> > > But: with the wrong firstName, the wrong lastName, and everyone can
> > > log in to the system... I've no restrictions.
> > > ____
> > >
> > > I think OMERO has to log in to the LDAP system with the DN of the user
> > > and *then* read the private (hidden) attributes, because only the user
> > > can read their own attributes.
> > >
> > > > Can you fix that ????
> >
> > I don't think so, at least not without re-writing the LDAP plugin. I
> > would ask your IT for a service account that can bind and see the
> > properties that you are looking for.
>
> Oh, OK... I will ask him
>
> But that service account can read the attributes of every person at
> our university - that could be a problem :-/
I'd _hope_ that there would also be a service account that would only
be able to access semi-reasonable properties (email) for all those
users, but I've never worked with the type of setup that you have.
> > > Next step: how can I restrict access?
> >
> > Can you explain? What access are you looking to restrict?
>
> With my last config every person from our university can log in to
> OMERO (nearly 20,000 persons).
>
> I made some tests with the group config (omero.ldap.group...).
Your previous configurations were looking quite ok (barring the
user_filter); this "filtered attribute" issue was just causing
problems.
> Or I have to manually allow every account...
Definitely not!
> - That's it for today - (we'll continue tomorrow)
> Andreas
See you then,
~Josh
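To make concrete what a posixGroup-based login restriction involves (the user_filter Josh mentions, plus a membership lookup against the group entries, since memberUid lives on the group and not on the user), here is an added Python example; it is not code from OMERO or from this thread. The `@{uid}` placeholder mirrors the syntax I believe OMERO's `:query:` group setting uses and is an assumption, the directory entries are constructed, and whether OMERO itself denies logins based on such a group query is not settled in the thread.

```python
import re

def parse_filter(s):
    """RFC 4515 filter -> nested tuples: ('&'|'|', [kids]) or ('=', attr, val)."""
    def parse(i):
        assert s[i] == "(", f"expected '(' at offset {i}"
        i += 1
        if s[i] in "&|":
            op, i, kids = s[i], i + 1, []
            while s[i] == "(":
                kid, i = parse(i)
                kids.append(kid)
            assert s[i] == ")", "unterminated compound filter"
            return (op, kids), i + 1
        j = s.index(")", i)
        attr, _, val = s[i:j].partition("=")
        return ("=", attr.lower(), val), j + 1
    node, end = parse(0)
    assert end == len(s), "trailing characters after filter"
    return node

def matches(node, entry):
    """Evaluate a parsed filter against an entry (lowercase attr -> list of values)."""
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(matches(k, entry) for k in node[1])
    _, attr, val = node
    values = entry.get(attr, [])
    return bool(values) if val == "*" else any(v.lower() == val.lower() for v in values)

# Constructed sample directory (not real accounts): campus-wide posixAccounts plus
# posixGroups whose membership lives in memberUid on the group entry, not the user.
USERS = {
    "amueller": {"uid": ["amueller"], "objectclass": ["posixAccount"], "sn": ["Mueller"]},
    "jdoe": {"uid": ["jdoe"], "objectclass": ["posixAccount"], "sn": ["Doe"]},
}
GROUPS = [
    {"cn": ["omero-users"], "objectclass": ["posixGroup"], "memberuid": ["amueller"]},
    {"cn": ["staff"], "objectclass": ["posixGroup"], "memberuid": ["amueller", "jdoe"]},
]

def groups_for(user, query):
    """Fill @{attr} placeholders (assumed OMERO ':query:' syntax) from the user entry; return matching group cns."""
    node = parse_filter(re.sub(r"@\{(\w+)\}", lambda m: user[m.group(1).lower()][0], query))
    return [g["cn"][0] for g in GROUPS if matches(node, g)]

def can_log_in(uid, user_filter, group_query, required_group):
    """Admit only users passing user_filter who are also listed in required_group's memberUid."""
    user = USERS.get(uid)
    if user is None or not matches(parse_filter(user_filter), user):
        return False
    return required_group in groups_for(user, group_query)
```

With a user_filter that only says `(objectClass=posixAccount)`, every campus account passes; the group query is what narrows the 20,000 down to one posixGroup.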