Task #2587 (closed)
Opened 14 years ago
Closed 9 years ago
LDAP: remove DN from OMERO DB.
Reported by: | jamoore | Owned by: | bpindelski |
---|---|---|---|
Priority: | critical | Milestone: | 5.1.0-m2 |
Component: | Security | Version: | 5.0.5 |
Keywords: | n.a. | Cc: | bpindelski, cxallan, atarkowska, jrswedlow |
Resources: | n.a. | Referenced By: | n.a. |
References: | n.a. | Remaining Time: | 0.0d |
Sprint: | n.a. |
Description (last modified by jmoore)
Before 4.3.2, LdapPasswordProvider? Was only using the dn for checking a users password. Starting with 4.3.2, the query with filters that is initially used to look the user should be used, but the DN is still being stored. We could stop storing the DN of the user, and only store a flag "in_ldap" (or perhaps the connection information for the case of multiple server support).
See #6248 (4.3.2) for the work to check on every login.. Removing the DN to prevent synchronization errors, etc. still remains undone.
It may also be the appropriate time to remove the "password" table altogether, in combination with any work for specifying the DN or at least the source ("native", "LDAP") of groups. See #6719.
Change History (16)
comment:1 Changed 13 years ago by jmoore
- Description modified (diff)
comment:2 Changed 13 years ago by jmoore
- Description modified (diff)
- Milestone changed from Unscheduled to OME-5.0
- Summary changed from Have LdapPasswordProvider re-run query on all password lookups to LDAP: remove DN from OMERO DB.
comment:3 Changed 13 years ago by jmoore
comment:4 Changed 13 years ago by jmoore
- Description modified (diff)
comment:5 Changed 12 years ago by bpindelski
Referencing ticket #8344 has changed sprint.
comment:6 Changed 12 years ago by jmoore
Referencing ticket #8344 has changed sprint.
comment:7 Changed 12 years ago by jmoore
- Cc jrswedlow added
- Milestone changed from OMERO-Beta4.4 to OMERO-Beta4.4.1
Pushing. If we do anything along these lines in 4.4, it may have to be as a special release for production-grade sites.
comment:8 Changed 12 years ago by jmoore
- Cc bpindelski added
- Milestone changed from OMERO-4.4.x to OMERO-4.4.2
- Remaining Time set to 1.0
- Sprint set to 2012-08-28 (3)
- Status changed from new to accepted
comment:9 Changed 12 years ago by jmoore
- Remaining Time changed from 1.0 to 0
- Resolution set to fixed
- Status changed from accepted to closed
Solution taken is to set a boolean "ldap" on the experimenter table for ever row in "password" that has a non-empty DN and then delete the "dn" column.
Work currently pushed to https://github.com/joshmoore/openmicroscopy/tree/8344-ldap-groups for review. That branch will need to be rebased so I haven't yet created a PR. Exposing the values via hibernate and other API changes will be done by #9481 (LDAP API breakages)
comment:10 Changed 10 years ago by jamoore
- Milestone changed from OMERO-4.4.4 to 5.1.0-m2
- Resolution fixed deleted
- Sprint 2012-08-28 (3) deleted
- Status changed from closed to reopened
- Version set to 5.0.5
Re-opening after a discussion with Blazej about using an existing DN as the is_ldap flag.
comment:11 Changed 10 years ago by bpindelski
Josh's general impression is that this ticket can be tackled without a DB change, which is a bit counter-intuitive to the title and description of this ticket. What's really missing here is an exemplary failing use case which can be handled by adding logic that checks the contents of the password.dn column (if not empty, user is from LDAP). As this type of logic is already present in most of the LDAP-handling code, I still don't see what this ticket should fix (in the no-DB-changes scenario)? Where will the mentioned is_ldap flag be used?
comment:12 Changed 10 years ago by jamoore
Briefly, though we can discuss more tomorrow, the failing case is:
- user is created with DN, e.g cn=jdoe,ou=LabFoo
- user's DN changes to cn=jdoe,ou=BarLab (or even ou=FooLab, or ou=LabFoo,o=Uni -- this happens more than we expected)
- user can no longer log in.
The workaround here is to just say, if a user has any DN, i.e. !StringUtils.isEmpty(dn), then we consider this to be equivalent to is_ldap==true regardless of what the DN value is.
comment:13 Changed 10 years ago by bpindelski
After another round of scoping, it has been agreed that DB changes are fine to do during 5.1 and that the existing branch in Josh's repo has a workaround approach (at that time there was no possibility for breaking API changes). What needs to happen:
- The use case mentioned in https://trac.openmicroscopy.org.uk/ome/ticket/2587#comment:12 still holds and needs to be fixed.
- The dn column from password has to be dropped with a DB update script and an ldap column added to experimenter (set to true for each user who already had a DN set in the DB; false otherwise).
- bin/omero ldap setdn has to switch from accepting strings to using true/false, as the DN will now be only stored in the LDAP server. There might be scope for changing the name of the CLI method so that it resembles the new functionality closer.
- The interaction between the above changes and omero.ldap.sync_on_login can be ignored for now and handled fully in #6719.
comment:14 Changed 10 years ago by bpindelski
Work started on https://github.com/bpindelski/openmicroscopy/tree/2587_remove_dn.
comment:15 Changed 10 years ago by bpindelski
- Owner changed from jamoore to bpindelski
- Status changed from reopened to accepted
comment:16 Changed 9 years ago by Josh Moore <josh.moore@…>
- Resolution set to fixed
- Status changed from accepted to closed
(In [02be324dc62a425842e556a884eacc97ea0fe7ab/ome.git] on branch develop) Merge pull request #3119 from bpindelski/2587_remove_dn
Remove the "dn" column from "password" (fix #2587).
http://lists.openmicroscopy.org.uk/pipermail/ome-users/2011-September/002838.html