Task #6248 (new)
Opened 13 years ago
Last modified 12 years ago
LDAP - remove user from security group — at Version 4
Reported by: | wmoore | Owned by: | jmoore |
---|---|---|---|
Priority: | major | Milestone: | OMERO-Beta4.3.2 |
Component: | Configuration | Version: | n.a. |
Keywords: | n.a. | Cc: | cxallan, jamoore, atarkowska |
Resources: | n.a. | Referenced By: | n.a. |
References: | n.a. | Remaining Time: | 0.5d |
Sprint: | 2011-08-04 (2) | | |
Description (last modified by jmoore)
If a user is removed from the LDAP security group used to create their OMERO account, they can still log in:
https://www.openmicroscopy.org/community/viewtopic.php?f=4&t=748
The user_filter property should (optionally?) be applied on every login.
Note: In discussions with Ola, there are at least two issues that this solution will not cover:
- since the original DN is stored in OMERO, there is the possibility that it will become out of sync, e.g. if the user changes his/her OMERO username. The current plan will be to signal an InternalException to the user.
- this will only work for LDAP configurations in which group membership is a property on the user, so that it can be filtered via omero.ldap.user_filter. In cases where group membership is a property of the groups, we will need to rework how group_filter and new_user_group interact.
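An added example of the re-check the description proposes (not OMERO's own code): a minimal RFC 4515 filter evaluator applied to a constructed in-memory directory on every login, covering the three outcomes the ticket describes: still matching the filter, removed from the group, and a stored DN that has drifted from the directory. The directory entries, the `memberOf` layout and the `check_login` function are assumptions made for the example.

```python
def parse_filter(s: str) -> tuple:
    """Parse a minimal RFC 4515 filter (&, |, !, attr=value) into a tuple tree."""
    def node(i: int):
        assert s[i] == "(", "each filter component must be parenthesised"
        if s[i + 1] in "&|!":
            op, kids, i = s[i + 1], [], i + 2
            while s[i] == "(":
                kid, i = node(i)
                kids.append(kid)
            assert s[i] == ")", "unterminated compound filter"
            return (op, kids), i + 1
        end = s.index(")", i)
        attr, value = s[i + 1:end].split("=", 1)  # value may itself contain '='
        return ("=", attr.lower(), value), end + 1
    tree, consumed = node(0)
    assert consumed == len(s), "trailing characters after filter"
    return tree

def matches(tree: tuple, entry: dict) -> bool:
    """Evaluate a parsed filter against one entry; values compared case-insensitively."""
    op = tree[0]
    if op == "=":
        return tree[2].lower() in (v.lower() for v in entry.get(tree[1], []))
    if op == "&":
        return all(matches(k, entry) for k in tree[1])
    if op == "|":
        return any(matches(k, entry) for k in tree[1])
    return not matches(tree[1][0], entry)  # "!" takes a single child

# Constructed directory: membership is an attribute on the user, the case the ticket covers.
DIRECTORY: dict = {
    "cn=foo,o=example": {"uid": ["foo"], "objectclass": ["person"],
                         "memberof": ["cn=omero,ou=groups,o=example"]},
    "cn=bar,o=example": {"uid": ["bar"], "objectclass": ["person"], "memberof": []},
    "cn=baz,o=example": {"uid": ["baz"], "objectclass": ["person"],
                         "memberof": ["cn=omero,ou=groups,o=example"]},
}
# Constructed OMERO-side record of the DN stored when each account was created.
STORED_DN = {"foo": "cn=foo,o=example", "bar": "cn=bar,o=example", "baz": ""}
USER_FILTER = "(&(objectClass=person)(memberOf=cn=omero,ou=groups,o=example))"

class InternalException(Exception):
    """Stands in for the InternalException the ticket says will be signalled."""

def check_login(username: str, user_filter: str = USER_FILTER) -> bool:
    """Re-apply user_filter at login; False means the user no longer matches (deny)."""
    ldap_dn = next((dn for dn, e in DIRECTORY.items() if username in e.get("uid", [])), "")
    if (stored := STORED_DN.get(username, "")) != ldap_dn:  # stored DN drifted from directory
        raise InternalException(f"DNs don't match: '{stored}' and '{ldap_dn}'")
    return bool(ldap_dn) and matches(parse_filter(user_filter), DIRECTORY[ldap_dn])
```

The same evaluator can be reused with any filter in this subset, so a site whose group attribute is named differently only needs a different `USER_FILTER` string.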
Change History (4)
comment:1 Changed 13 years ago by wmoore
comment:2 Changed 13 years ago by jmoore
- Remaining Time set to 0.5
- Sprint set to 2011-08-04 (2)
As mentioned on the forum, this should be just a matter of re-checking against the filter on every login. I'll add that logic and then pass to Ola for testing. We can decide from there if we want to add any configuration options to maintain the previous logic, or to make the "user in a group" logic easier to implement.
comment:3 Changed 13 years ago by jmoore
- Description modified (diff)
comment:4 Changed 13 years ago by jmoore
- Description modified (diff)
Output when logging in with mismatched DNs:
```
~/git/dist $ bin/omero login foo@localhost
Password:
Internal error. Please contact your administrator: DNs don't match: '' and 'cn=foo,o=example'
Password:
```
If there's anything we can suggest to the user just now (see forum), please go ahead on the forum.