Task #11876 (closed)
Opened 11 years ago
Closed 11 years ago
BUG: LDAP group filter not working
| Reported by: | atarkowska | Owned by: | |
|---|---|---|---|
| Priority: | blocker | Milestone: | OMERO-4.4.10 |
| Component: | Services | Version: | 4.4.9 |
| Keywords: | n.a. | Cc: | bpindelski, jamoore, jburel |
| Resources: | n.a. | Referenced By: | n.a. |
| References: | n.a. | Remaining Time: | n.a. |
| Sprint: | n.a. | | |
Description (last modified by atarkowska)
While setting up LDAP authentication limiting users to members of only one group, it turned out that the group filter is not taken into account at all.

```
omero.ldap.urls=ldap://ldap.lifesci.dundee.ac.uk:389
omero.ldap.base=ou=lifesci,o=dundee
omero.ldap.config=True
omero.ldap.new_user_group=MY GROUP
omero.ldap.user_filter=(objectClass=inetorgperson)
```
Setting the group filter to any of the following still let everyone log in:

```
omero.ldap.group_filter=(objectClass=groupOfNames)
omero.ldap.group_filter=(cn=omero-cls-gallery)
omero.ldap.group_filter=(&(objectClass=groupOfUniqueNames)(cn=omero-cls-gallery,ou=groups,ou=lifesci,o=dundee))
```
also
```
omero.ldap.group_filter=(objectClass=groupOfUniqueNames)
omero.ldap.group_mapping=name=cn
omero.ldap.new_user_group=:filtered_dn_attribute:uniqueMember
```

```
2014-01-07 11:41:02,000 INFO [ ome.security.auth.LdapPasswordProvider] (l.Server-6) Default choice on create user: atarkowska (ome.conditions.ValidationException: No group found for: cn=atarkowska...o=dundee)
2014-01-07 11:41:02,001 WARN [ ome.logic.AdminImpl] (l.Server-6) Password provider returned null: ome.security.auth.PasswordProviders@4e50079b
```

The LSC LDAP has no group mapping in the user entry, that's why we are unable to filter on that directly. But as tested 2 years ago in ticket 6248, I am sure it was possible and working well.
Change History (8)
comment:1 Changed 11 years ago by atarkowska
- Description modified (diff)
comment:2 Changed 11 years ago by atarkowska
- Description modified (diff)
comment:3 Changed 11 years ago by atarkowska
- Description modified (diff)
comment:4 Changed 11 years ago by jamoore
- Owner jamoore deleted
comment:5 Changed 11 years ago by jamoore
- Cc bpindelski jamoore jburel added; omero-team@… removed
comment:6 Changed 11 years ago by atarkowska
- Description modified (diff)
comment:7 Changed 11 years ago by bpindelski
After discussing this problem with Ola and experimenting with ldapsearch it came out that the settings needed to get user filtering based on group membership are the following:

```
omero.ldap.base=ou=lifesci,o=dundee
omero.ldap.config=true
omero.ldap.group_filter=(&(objectClass=groupOfUniqueNames)(cn=My-Secret-Group))
omero.ldap.group_mapping=name=cn
omero.ldap.new_user_group=:query:(uniqueMember=@{dn})
omero.ldap.sync_on_login=true
omero.ldap.urls=ldap://ldap.example.com:389
omero.ldap.user_filter=(objectClass=person)
omero.ldap.user_mapping=omeName=cn,firstName=givenName,lastName=sn,email=mail
```

OMERO.server will only let in users who are a uniqueMember of My-Secret-Group. The only catch here is that one cannot specify a custom name for the newly created group, as that will remove the uniqueMember filter (that situation was the use case for the CLS image repo).
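The difference between the two configurations in this ticket, as an added offline model (not OMERO code): a minimal LDAP filter evaluator run over constructed directory entries, showing that `group_filter` alone selects groups but never tests the user's membership, while `:query:(uniqueMember=@{dn})` does. The directory contents, DNs and the simplified admission logic are assumptions for illustration.

```python
# Added example, not OMERO's implementation: a tiny model of how the
# group_filter and new_user_group settings decide whether a user gets in.

# Constructed sample directory: one groupOfUniqueNames and two people.
DIRECTORY = {
    "cn=My-Secret-Group,ou=groups,ou=lifesci,o=dundee": {
        "objectclass": ["groupOfUniqueNames"], "cn": ["My-Secret-Group"],
        "uniquemember": ["cn=alice,ou=people,ou=lifesci,o=dundee"],
    },
    "cn=alice,ou=people,ou=lifesci,o=dundee": {"objectclass": ["person"], "cn": ["alice"]},
    "cn=bob,ou=people,ou=lifesci,o=dundee": {"objectclass": ["person"], "cn": ["bob"]},
}


def matches(entry, flt):
    """Evaluate a subset of RFC 4515 filters: (a=v), (a=*), (&..), (|..), (!..)."""
    flt = flt.strip()
    if not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % flt)
    body = flt[1:-1]
    if body[0] in "&|!":
        # Split the operand list into top-level "(...)" groups by paren depth.
        parts, depth, start = [], 0, 1
        for i, ch in enumerate(body[1:], 1):
            depth += (ch == "(") - (ch == ")")
            if depth == 0 and ch == ")":
                parts.append(body[start:i + 1])
                start = i + 1
        results = [matches(entry, p) for p in parts]
        if body[0] == "&":
            return all(results)
        if body[0] == "|":
            return any(results)
        return not results[0]
    attr, _, value = body.partition("=")  # value may itself contain '=' (a DN)
    values = [v.lower() for v in entry.get(attr.lower(), [])]
    return bool(values) if value == "*" else value.lower() in values


def admitted(user_dn, group_filter, new_user_group):
    """True if the user would land in some group and therefore be let in."""
    groups = [dn for dn, e in DIRECTORY.items() if matches(e, group_filter)]
    if new_user_group.startswith(":query:"):
        # Membership check: the group must also satisfy the query with @{dn} filled in.
        query = new_user_group[len(":query:"):].replace("@{dn}", user_dn)
        return any(matches(DIRECTORY[dn], query) for dn in groups)
    # A plain group name: the filter picks groups but never looks at the user's DN,
    # which is the "everyone can log in" behaviour reported above.
    return bool(groups)
```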
comment:8 Changed 11 years ago by jamoore
- Resolution set to worksforme
- Status changed from new to closed
Thanks for digging here, Blazej. I'm going to close as "works for me" but link this under #6502 since essentially this is an RFE saying "let me use a group query but still put all the users in group X".
I won't be getting to this immediately, if anyone else can do some digging. It's also not an issue for the whole team, so changing CC.