User Story #1382 (new)
Opened 15 years ago
Last modified 12 years ago
Improve LDAP support — at Version 7
| Reported by: | jamoore | Owned by: | jamoore |
|---|---|---|---|
| Priority: | major | Milestone: | OMERO-Beta4.2 |
| Component: | Deployment | Keywords: | n.a. |
| Cc: | jay_copeland@…, stephen.ogg@…, FCORNELI@…, atarkowska, cxallan | Story Points: | n.a. |
| Sprint: | n.a. | Importance: | n.a. |
| Total Remaining Time: | 9.0d | Estimated Remaining Time: | n.a. |
Description (last modified by jmoore)
See forum threads:
- http://openmicroscopy.org/community/viewtopic.php?f=5&t=14
- http://www.openmicroscopy.org/community/viewtopic.php?f=5&t=382
Other configuration systems for comparison:
- http://www.liferay.com/community/wiki/-/wiki/Main/LDAP
- http://docs.jboss.org/jbportal/v2.7.1/referenceGuide/html/ldap.html
- http://drupal.org/node/62217
- http://www.sonatype.com/books/nexus-book/reference/ldap-sect-user-group-mapping.html
- http://typo3.org/documentation/document-library/extension-manuals/eu_ldap/2.7.10/view/1/2/
- http://wiki.alfresco.com/wiki/Enterprise_Security_and_Authentication_Configuration
Tasks:
- interface for LDAP plugins
- configuration- and possibly ice-based implementations
- posix and active directory configurations (cf. sonatype above)
- multiple server support (chaining) (thread)
Change History (7)
comment:1 Changed 15 years ago by jmoore
- Cc stephen.ogg at imb.a-star.edu.sg FCORNELI@… added; stephen.ogg at imb.a-star.edu.sg FCORNELI at its.jnj.com removed
comment:2 Changed 15 years ago by jmoore
- Cc stephen.ogg@… added; stephen.ogg at imb.a-star.edu.sg removed
comment:3 Changed 15 years ago by jmoore
- Milestone changed from OMERO-Beta4.1 to OMERO-Beta4.2
comment:4 Changed 14 years ago by jmoore
- Cc cxallan added
- Description modified (diff)
comment:5 Changed 14 years ago by jmoore
comment:6 Changed 14 years ago by jmoore
As a follow up on #2025, the new properties which we are currently testing are:
omero.ldap.user_filter=(objectClass=person)
omero.ldap.user_mapping=omeName=cn,firstName=givenName,lastName=sn,email=mail
omero.ldap.group_filter=(objectClass=groupOfNames)
omero.ldap.group_mapping=name=cn
omero.ldap.new_user_group=default
#omero.ldap.new_user_group=:ou:
#omero.ldap.new_user_group=:attribute:memberOf
#omero.ldap.new_user_group=:query:(member=${dn})
The filters and mappings are as in the liferay documentation above. The "new_user_group" property is an experiment to allow for various styles of mapping:
- no prefix implies use the static group named "${omero.ldap.new_user_group}"
- the ":ou:" prefix means map the users last organizationl unit to a group name, "ou=IT,ou=division,o=college" would map to a group of "IT"
- the ":attribute:" prefix means take the possibly multi-valued attribute defined and add the user to all groups
- the ":query:" attribute is a query run under the group filter which has all the user mapping properties plus "${dn}" available to it, so that the above example looks for all groupOfNames with a member attribute with the dn as a value
- a possible (unimplemented) prefix ":bean:" could allow for implementing one's own NewUserGroupMapper
comment:7 Changed 14 years ago by jmoore
- Description modified (diff)
Note: See
TracTickets for help on using
tickets.
You may also have a look at Agilo extensions to the ticket.
The liferay integration uses the following parameters:
ldap.auth.enabled=true ldap.auth.required=true ldap.users.dn=ou=People,dc=localdomain ldap.groups.dn=ou=Groups,dc=localdomain ldap.user.mappings=screenName=cn\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn\njobTitle=title\ngroup=groupMembership ldap.user.impl=com.liferay.portal.security.ldap.LDAPUser ldap.group.mappings=groupName=cn\ndescription=description\nuser=uniqueMember ldap.import.user.search.filter=(objectClass=inetOrgPerson) ldap.import.group.search.filter=(objectClass=groupOfUniqueNames) ldap.auth.search.filter=(mail=@email_address@)