LDAP with omero 4.4.4 and Ubuntu 12.04

PostPosted: Mon Oct 22, 2012 9:18 am
by frias
Hi!

I am a bit lost in getting LDAP integrated into omero. We have the posixAccount configured per user:

omero@head:~$ ldapsearch -x -LLL "(uid=microscope)"
dn: uid=microscope,ou=people,dc=ccc,dc=loc
cn: microscope
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
uid: microscope
uidNumber: 1030
gidNumber: 100
homeDirectory: /home/microscope
loginShell: /bin/bash
shadowMin: -1
shadowMax: 99999
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 134538308
shadowLastChange: 15635

However, omero cannot find this user in our LDAP; it logs this in Blitz.log:

2012-10-22 11:13:51,518 INFO [ ome.services.util.ServiceHandler] (l.Server-9) Executor.doWork -- ome.services.sessions.SessionManagerImpl.executeCheckPasswordRO(microscope)
2012-10-22 11:13:51,518 INFO [ ome.services.util.ServiceHandler] (l.Server-9) Args: [null, InternalSF@433941539]
2012-10-22 11:13:51,521 INFO [ ome.security.basic.EventHandler] (l.Server-9) Auth: user=0,group=0,event=null(Sessions),sess=f4716944-a207-47db-87fc-27a520f96262
2012-10-22 11:13:51,523 INFO [ org.perf4j.TimingLogger] (l.Server-9) start[1350897231518] time[5] tag[omero.call.success.ome.services.sessions.SessionManagerImpl$8.doWork]
2012-10-22 11:13:51,523 INFO [ ome.services.util.ServiceHandler] (l.Server-9) Rslt: null
2012-10-22 11:13:51,523 INFO [ ome.services.util.ServiceHandler] (l.Server-9) Executor.doWork -- ome.services.sessions.SessionManagerImpl.executeCheckPasswordRW(microscope)
2012-10-22 11:13:51,523 INFO [ ome.services.util.ServiceHandler] (l.Server-9) Args: [null, InternalSF@433941539]
2012-10-22 11:13:51,536 INFO [ ome.security.basic.EventHandler] (l.Server-9) Auth: user=0,group=0,event=21164(Sessions),sess=f4716944-a207-47db-87fc-27a520f96262
2012-10-22 11:13:52,424 INFO [ ome.security.auth.LdapPasswordProvider] (l.Server-9) Default choice on create user: microscope (ome.conditions.ApiUsageException: Cannot find unique DistinguishedName: found=0)
2012-10-22 11:13:52,428 INFO [ org.perf4j.TimingLogger] (l.Server-9) start[1350897231524] time[904] tag[omero.call.success.ome.services.sessions.SessionManagerImpl$9.doWork]
2012-10-22 11:13:52,428 INFO [ ome.services.util.ServiceHandler] (l.Server-9) Rslt: false
2012-10-22 11:13:52,428 INFO [ ome.services.util.ServiceHandler] (l.Server-9) Executor.doWork -- java.lang.String.microscope
2012-10-22 11:13:52,428 INFO [ ome.services.util.ServiceHandler] (l.Server-9) Args: [null, InternalSF@433941539]
2012-10-22 11:13:52,431 INFO [ ome.security.basic.EventHandler] (l.Server-9) Auth: user=0,group=0,event=null(Internal),sess=f4716944-a207-47db-87fc-27a520f96262
2012-10-22 11:13:52,435 INFO [ org.perf4j.TimingLogger] (l.Server-9) start[1350897232429] time[6] tag[omero.call.success.ome.services.blitz.fire.PermissionsVerifierI$1.doWork]
2012-10-22 11:13:52,435 INFO [ ome.services.util.ServiceHandler] (l.Server-9) Rslt: null


The configuration concerning LDAP is

omero.ldap.base=dc=ccc,dc=loc
omero.ldap.config=true
omero.ldap.new_user_group=member=@{dn}
omero.ldap.password=****
omero.ldap.referral=follow
omero.ldap.sync_on_login=true
omero.ldap.urls=ldap://127.0.0.1:389
omero.ldap.user_filter=
omero.ldap.user_mapping=omeName=uid;email=gecos
omero.ldap.username=cn=admin,dc=ccc,dc=loc

I am not at all a LDAP expert and would appreciate any help in this matter.

Best,

Sebastian

Re: LDAP with omero 4.4.4 and Ubuntu 12.04

PostPosted: Tue Oct 23, 2012 7:52 am
by cxallan
If you set omero.ldap.user_filter to an object class of your choice ((objectClass=account), for instance) rather than trying to null it out as you have there now (the default is (objectClass=person)), what happens when you try to log in as microscope?

Re: LDAP with omero 4.4.4 and Ubuntu 12.04

PostPosted: Tue Oct 23, 2012 6:05 pm
by frias
Thanks! Now I got one step further. However, I had to use this mapping to successfully log in:

omero.ldap.user_mapping=omeName=uid,firstName=cn,lastName=cn,email=gecos

i.e., last and first name are set to the same LDAP attribute, since our LDAP does not have these separately and otherwise omero crashes.

However, what statement do I need to add such that users get assigned to their respective groups? The example I found does not seem to work.

Thanks again for the support.

Re: LDAP with omero 4.4.4 and Ubuntu 12.04

PostPosted: Wed Oct 24, 2012 7:55 am
by cxallan
Most LDAP directories are not purely posixAccount focused, so we don't tend to try and address that particular use case. I would be particularly cautious about using gecos as e-mail; that field can basically contain anything.

What schema are you using for your groups?

Re: LDAP with omero 4.4.4 and Ubuntu 12.04

PostPosted: Thu Oct 25, 2012 5:35 am
by frias
Hi!

Well, back then when I had to set up the cluster I did not bother to become an LDAP expert; instead I used the most straightforward approach, the posix* schema, which translates all information from passwd+groups directly to LDAP.

Hence groups are given by the posixGroup schema, i.e., I have cn=groupName entries of type posixGroup, and within these I have multiple memberUid entries.

So one would like to have a search which finds all posixGroups that contain memberUid=uid.

Thanks a lot for your help!

Best,

Sebastian

Re: LDAP with omero 4.4.4 and Ubuntu 12.04

PostPosted: Thu Oct 25, 2012 8:14 am
by cxallan
Someone we helped with 4.3.x; it should all still apply:

viewtopic.php?f=5&t=904

I would think the following configuration should work:

omero.ldap.group_filter=(objectClass=posixGroup)
omero.ldap.group_mapping=name=cn
omero.ldap.new_user_group=:query:(memberUid=@{uid})
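
Added example (my own code, not OMERO's and not from anyone in this thread): a small Python model of the three lookups discussed above, so the effect of omero.ldap.user_filter, of the user_mapping string, and of a :query: new_user_group filter can be checked offline. It parses LDIF, evaluates a subset of RFC 4515 filters, and runs them over constructed data: the uid=microscope entry from the first post (trimmed, with an assumed gecos value, since the posted entry has none) plus two assumed posixGroup entries. It shows that the default (objectClass=person) filter gives found=0 for an account/posixAccount entry while (objectClass=account) matches, that an email=gecos mapping yields a value that is not an address (the caveat from the Oct 24 reply), and that (memberUid=@{uid}) resolves the user's posixGroups while an @{dn}-based query does not. Function names and the filter-evaluation details are my own; OMERO's real code differs.

```python
"""Added example, not OMERO code: an offline model of OMERO's LDAP user lookup,
user_mapping and ':query:' new_user_group expansion. Filter support is a subset
of RFC 4515: (attr=value), (attr=*), and the &, | and ! combinators."""
import re

# Constructed data: the uid=microscope entry from the thread (trimmed; gecos is
# an assumed addition, the posted entry has none) plus two assumed posixGroups.
SAMPLE_LDIF = """\
dn: uid=microscope,ou=people,dc=ccc,dc=loc
cn: microscope
objectClass: account
objectClass: posixAccount
uid: microscope
gecos: Microscope Service Account,,,

dn: cn=users,ou=groups,dc=ccc,dc=loc
cn: users
objectClass: posixGroup
memberUid: microscope
memberUid: alice

dn: cn=admins,ou=groups,dc=ccc,dc=loc
cn: admins
objectClass: posixGroup
memberUid: alice
"""
BASE = "dc=ccc,dc=loc"  # omero.ldap.base from the thread

def parse_ldif(text):
    """LDIF -> list of {attr (lowercase): [values]}; no folding/base64 support."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def parse_filter(s):
    """Parse a filter into ('=', attr, value) or (op, [child nodes])."""
    s = s.strip()
    if not (s.startswith("(") and s.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % s)
    body = s[1:-1]
    if body[:1] in ("&", "|", "!"):
        parts, depth, start = [], 0, 0
        for i, ch in enumerate(body[1:], 1):  # split top-level components
            depth += ch == "("
            if ch == "(" and depth == 1:
                start = i
            depth -= ch == ")"
            if ch == ")" and depth == 0:
                parts.append(body[start:i + 1])
        return (body[0], [parse_filter(p) for p in parts])
    attr, eq, value = body.partition("=")
    if not eq:
        raise ValueError("unsupported filter item: %r" % s)
    return ("=", attr.strip().lower(), value)

def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive equality)."""
    if node[0] == "=":
        vals = entry.get(node[1], [])
        return bool(vals) if node[2] == "*" else any(v.lower() == node[2].lower() for v in vals)
    res = [matches(c, entry) for c in node[1]]
    return all(res) if node[0] == "&" else any(res) if node[0] == "|" else not res[0]

def search(entries, base, flt):
    """Entries under base (suffix match on the DN) that satisfy flt."""
    node = parse_filter(flt)
    return [e for e in entries if e["dn"][0].lower().endswith(base.lower()) and matches(node, e)]

def find_user(entries, base, user_filter, omename_attr, username):
    """user_filter AND (omeName attribute = login); exactly one DN must match."""
    hits = search(entries, base, "(&%s(%s=%s))" % (user_filter, omename_attr, username))
    if len(hits) != 1:
        raise LookupError("Cannot find unique DistinguishedName: found=%d" % len(hits))
    return hits[0]

def apply_user_mapping(user, mapping):
    """'omeName=uid,firstName=cn,...' -> {field: first LDAP value or None}.
    email is kept only if it looks like an address, since gecos may hold anything."""
    out = {}
    for item in mapping.split(","):
        field, _, attr = (x.strip() for x in item.partition("="))
        vals = user.get(attr.lower(), [])
        value = vals[0] if vals else None
        if field == "email" and value and not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", value):
            value = None
        out[field] = value
    return out

def query_groups(entries, base, group_filter, group_mapping, query, user):
    """new_user_group=:query:<filter> with @{attr} replaced by the user's own value."""
    def expand(m):
        vals = user.get(m.group(1).lower(), [])
        if len(vals) != 1:
            raise ValueError("@{%s} must resolve to exactly one value" % m.group(1))
        return vals[0]
    flt = "(&%s%s)" % (group_filter, re.sub(r"@\{(\w+)\}", expand, query))
    name_attr = group_mapping.partition("=")[2].strip().lower()  # e.g. name=cn -> cn
    return [g[name_attr][0] for g in search(entries, base, flt)]
```

Usage: tree = parse_ldif(SAMPLE_LDIF); find_user(tree, BASE, "(objectClass=person)", "uid", "microscope") raises LookupError with found=0, while the same call with "(objectClass=account)" returns the entry; apply_user_mapping(user, "omeName=uid,firstName=cn,lastName=cn,email=gecos") leaves email as None because the gecos value is not an address; query_groups(tree, BASE, "(objectClass=posixGroup)", "name=cn", "(memberUid=@{uid})", user) returns ['users']. Against the real directory, the equivalent checks are ldapsearch with the filters (&(objectClass=account)(uid=microscope)) for the user and (&(objectClass=posixGroup)(memberUid=microscope)) for the groups; the second is the output the last reply below asks for, and an empty result there is the case in which this model, like the thread's error, has no default group to assign.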

Re: LDAP with omero 4.4.4 and Ubuntu 12.04

PostPosted: Thu Oct 25, 2012 12:10 pm
by frias
Hmm, your steps brought me further, but now omero fails with

ome.conditions.ApiUsageException: Can't find default group for microscope

Where do I set the default group now?

We are getting close...

Re: LDAP with omero 4.4.4 and Ubuntu 12.04

PostPosted: Fri Oct 26, 2012 11:06 am
by jmoore
Can you show us the ldapsearch output for one of the groups that uid=microscope is a member of? Thanks, ~Josh