
Task #6248 (new)

Opened 13 years ago

Last modified 12 years ago

LDAP - remove user from security group — at Version 4

Reported by: wmoore
Owned by: jmoore
Priority: major
Milestone: OMERO-Beta4.3.2
Component: Configuration
Version: n.a.
Keywords: n.a.
Cc: cxallan, jamoore, atarkowska
Resources: n.a.
Referenced By: n.a.
References: n.a.
Remaining Time: 0.5d
Sprint: 2011-08-04 (2)

Description (last modified by jmoore)

If a user is removed from the LDAP security group used to create their OMERO account, they can still log in:

https://www.openmicroscopy.org/community/viewtopic.php?f=4&t=748

The user_filter property should (optionally?) be applied on every login.

Note: In discussions with Ola, there are at least two issues that this solution will not cover:

  1. since the original DN is stored in OMERO, there is the possibility that it will become out of sync, e.g. if the user changes his/her OMERO username. The current plan will be to signal an InternalException to the user.
  2. this will only work for LDAP configurations in which group membership is a property on the user so that it can be filtered via omero.ldap.user_filter. In cases where group membership is a property of the groups, then we will need to rework how group_filter and new_user_group interact.

Change History (4)

comment:1 Changed 13 years ago by wmoore

If there's anything we can suggest to the user just now (see forum), please go ahead on the forum.

comment:2 Changed 13 years ago by jmoore

  • Remaining Time set to 0.5
  • Sprint set to 2011-08-04 (2)

As mentioned on the forum, this should be just a matter of re-checking against the filter on every login. I'll add that logic and then pass to Ola for testing. We can decide from there if we want to add any configuration options to maintain the previous logic, or to make the "user in a group" logic easier to implement.

comment:3 Changed 13 years ago by jmoore

  • Description modified (diff)

comment:4 Changed 13 years ago by jmoore

  • Description modified (diff)

Output when logging in with mismatched DNs:

~/git/dist $ bin/omero login foo@localhost
Password:
Internal error. Please contact your administrator:
DNs don't match: '' and 'cn=foo,o=example'
Password:
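The login-time re-check proposed in the description and in comment:2, together with the two caveats from the description (a stale stored DN, and membership recorded on the group rather than on the user) and the "DNs don't match" failure shown in comment:4, modelled as an added example. This is not OMERO's own code: the in-memory directory, the filter evaluator (an RFC 4515 subset: &, |, !, attr=value, attr=*), and every function and class name below are this example's assumptions. In particular, omero.ldap.user_filter and group_filter are represented here as plain filter strings passed to check_login.

```python
"""Re-checking an LDAP user filter on every login, modelled offline.

Added example, not OMERO code. The directory is constructed; the filter
evaluator covers only the RFC 4515 subset needed here (& | ! , attr=value,
attr=*). All names are this example's own, not OMERO's.
"""


class LoginError(Exception):
    """Base for the two outcomes the ticket distinguishes."""


class AccessDenied(LoginError):
    """User no longer satisfies the filter (or no longer exists in LDAP)."""


class InternalError(LoginError):
    """Stored DN and freshly resolved DN disagree (issue 1 in the ticket)."""


def make_directory():
    """Constructed directory: foo is in the omero group, bar is not. Membership is
    recorded both on the user (memberOf) and on the group (member)."""
    return {
        "cn=foo,o=example": {"objectClass": ["person"], "cn": ["foo"],
                             "memberOf": ["cn=omero,ou=groups,o=example"]},
        "cn=bar,o=example": {"objectClass": ["person"], "cn": ["bar"]},
        "cn=omero,ou=groups,o=example": {"objectClass": ["groupOfNames"],
                                         "cn": ["omero"],
                                         "member": ["cn=foo,o=example"]},
    }


def attr(entry, name):
    """Case-insensitive attribute lookup; a missing attribute is an empty list."""
    name = name.lower()
    return next((v for k, v in entry.items() if k.lower() == name), [])


def compile_filter(text):
    """Compile an LDAP filter string into a predicate over one entry dict."""
    pos = 0

    def parse():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            subs = []
            while text[pos] == "(":
                subs.append(parse())
            if text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            if op == "&":
                return lambda e: all(f(e) for f in subs)
            if op == "|":
                return lambda e: any(f(e) for f in subs)
            if len(subs) != 1:
                raise ValueError("'!' takes exactly one filter")
            return lambda e: not subs[0](e)
        end = text.index(")", pos)
        name, _, value = text[pos:end].partition("=")  # split on the first '=' only,
        pos = end + 1                                  # so DN-valued attributes survive
        if value == "*":
            return lambda e: bool(attr(e, name))
        return lambda e: value.lower() in (v.lower() for v in attr(e, name))

    pred = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return pred


def resolve_dn(directory, username):
    """Stand-in for the username -> DN search done against LDAP at login."""
    for dn, entry in directory.items():
        if "person" in attr(entry, "objectClass") and username in attr(entry, "cn"):
            return dn
    return None


def check_login(directory, username, stored_dn, user_filter=None, group_filter=None):
    """Re-apply the filter at login, not only at account creation.
    stored_dn is the DN recorded when the account was created. user_filter
    handles membership stored on the user; group_filter handles membership
    stored on the group (the login passes if a matching group lists the DN)."""
    dn = resolve_dn(directory, username)
    if dn is None:
        raise AccessDenied(f"no LDAP entry for {username!r}")
    if stored_dn.lower() != dn.lower():  # DN comparison simplified to casefolding
        raise InternalError(f"DNs don't match: {stored_dn!r} and {dn!r}")
    if user_filter and not compile_filter(user_filter)(directory[dn]):
        raise AccessDenied(f"{dn} no longer matches user_filter")
    if group_filter:
        is_group = compile_filter(group_filter)
        if not any(is_group(g) and dn in attr(g, "member") for g in directory.values()):
            raise AccessDenied(f"{dn} is in no group matching group_filter")
    return dn


def remove_from_group(directory, user_dn, group_dn):
    # Simulate the administrator removing the user; both sides are updated.
    directory[group_dn]["member"].remove(user_dn)
    directory[user_dn]["memberOf"].remove(group_dn)


USER_FILTER = "(&(objectClass=person)(memberOf=cn=omero,ou=groups,o=example))"
GROUP_FILTER = "(&(objectClass=groupOfNames)(cn=omero))"
```

Usage: build a directory with make_directory(), call check_login(d, "foo", "cn=foo,o=example", USER_FILTER) and it returns the DN; after remove_from_group(d, "cn=foo,o=example", "cn=omero,ou=groups,o=example") the same call raises AccessDenied, which is the behaviour the ticket asks for. Passing an empty stored DN reproduces the message from comment:4, "DNs don't match: '' and 'cn=foo,o=example'", as an InternalError rather than a denial, matching the plan in the description. The group_filter path shows why the user_filter-only approach does not cover directories that keep membership on the group: the check has to search group entries for the user's DN instead of evaluating a filter against the user entry.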