Notice: In order to edit this ticket you need to be either: a Product Owner, The owner or the reporter of the ticket, or, in case of a Task not yet assigned, a team_member"

Task #11876 (closed)

Opened 7 years ago

Closed 7 years ago

BUG: LDAP group filter not working

Reported by: atarkowska Owned by:
Priority: blocker Milestone: OMERO-4.4.10
Component: Services Version: 4.4.9
Keywords: n.a. Cc: bpindelski, jamoore, jburel
Resources: n.a. Referenced By: n.a.
References: n.a. Remaining Time: n.a.
Sprint: n.a.

Description (last modified by atarkowska)

While setting up LDAP authentication limiting users to members of only one group it turned out that group filter is not taken to the account at all.

omero.ldap.urls=ldap://ldap.lifesci.dundee.ac.uk:389
omero.ldap.base=ou=lifesci,o=dundee
omero.ldap.config=True
omero.ldap.new_user_group=MY GROUP
omero.ldap.user_filter=(objectClass=inetorgperson)

Setting group filter to the following still let everyone log in:

omero.ldap.group_filter=(objectClass=groupOfNames)
omero.ldap.group_filter=(cn=omero-cls-gallery)
omero.ldap.group_filter=(&(objectClass=groupOfUniqueNames)(cn=omero-cls-gallery,ou=groups,ou=lifesci,o=dundee))

also

omero.ldap.group_filter=(objectClass=groupOfUniqueNames)
omero.ldap.group_mapping=name=cn
omero.ldap.new_user_group=:filtered_dn_attribute:uniqueMember
2014-01-07 11:41:02,000 INFO  [  ome.security.auth.LdapPasswordProvider] (l.Server-6) Default choice on create user: atarkowska (ome.conditions.ValidationException: No group found for: cn=atarkowska...o=dundee)
2014-01-07 11:41:02,001 WARN  [                     ome.logic.AdminImpl] (l.Server-6) Password provider returned null: ome.security.auth.PasswordProviders@4e50079b

LSC ldap has no group mapping in user entry thats why we are unable to filter that directly. But as tested 2 years ago ticket 6248 I am sure it was possible and working well.

Change History (8)

comment:1 Changed 7 years ago by atarkowska

  • Description modified (diff)

comment:2 Changed 7 years ago by atarkowska

  • Description modified (diff)

comment:3 Changed 7 years ago by atarkowska

  • Description modified (diff)

comment:4 Changed 7 years ago by jamoore

  • Owner jamoore deleted

I won't be getting to this immediately, if anyone else can do some digging. It's also not an issue for the whole team, so changing CC.

comment:5 Changed 7 years ago by jamoore

  • Cc bpindelski jamoore jburel added; omero-team@… removed

comment:6 Changed 7 years ago by atarkowska

  • Description modified (diff)

comment:7 Changed 7 years ago by bpindelski

After discussing this problem with Ola and experimenting with ldapsearch it came out, that the settings needed to get user filtering based on group membership are the following:

omero.ldap.base=ou=lifesci,o=dundee
omero.ldap.config=true
omero.ldap.group_filter=(&(objectClass=groupOfUniqueNames)(cn=My-Secret-Group))
omero.ldap.group_mapping=name=cn
omero.ldap.new_user_group=:query:(uniqueMember=@{dn})
omero.ldap.sync_on_login=true
omero.ldap.urls=ldap://ldap.example.com:389
omero.ldap.user_filter=(objectClass=person)
omero.ldap.user_mapping=omeName=cn,firstName=givenName,lastName=sn,email=mail

OMERO.server will only let in users who are a uniqueMember of the My-Secret-Group. The only catch here is that one cannot specify a custom name for the newly created group, as that will remove the uniqueMember filter (that situation was the use case for the CLS image repo).

comment:8 Changed 7 years ago by jamoore

  • Resolution set to worksforme
  • Status changed from new to closed

Thanks for digging here, Blazej. I'm going to close as "works for me" but link this under #6502 since essentially this is an RFE saying "let me use a group query but still but all the users in group X".

Note: See TracTickets for help on using tickets. You may also have a look at Agilo extensions to the ticket.

1.3.13-PRO © 2008-2011 Agilo Software all rights reserved (this page was served in: 0.78377 sec.)

We're Hiring!