Deactivating LDAP users upon first login

Posted: Mon Jun 16, 2014 9:07 am
by davemason
I have a 5.0.2 OMERO build running on Ubuntu. I'm set up with LDAP authentication, with "omero.ldap.new_user_group" set so new users are placed into a "NewUsers" group.

I know it sounds a bit daft, but I want to deactivate the user account until I have assigned them to their correct working groups. Something like:
Code:
omero.ldap.new_user_status=Disabled

The reason for this is that in the Binary Repository (ASIDE: my "omero.fs.repo.path" is %groupId%/%group%/%user%_%userId%//%year%-%month%%day%/%time%), my users' uploads may be in:
Code:
3/NewUsers/%user%_%userId%//%year%-%month%%day%/%time%

Instead of
Code:
5/MyLabGroup/%user%_%userId%//%year%-%month%%day%/%time%

(For an explanation of why I use this omero.fs.repo.path, see http://www.openmicroscopy.org/community/viewtopic.php?f=4&t=7485)

Is there a way to do this or do I just need to wrangle my users better?

Cheers,

Dave

Re: Deactivating LDAP users upon first login

Posted: Mon Jun 16, 2014 12:21 pm
by jmoore
Hi Dave,

I don't think there's a way to do what you want at the moment. In fact, it's something of a surprise, since mostly what we hear in the way of LDAP requests is to make the user accounts accessible earlier rather than later.

The LDAP plugin explicitly allows plugging in your own Java bean. If that's something you'd like to dig into, let us know.

Otherwise, probably the easiest way to add support for this is to explicitly allow
Code:
new_user_group=:nogroup:
which would in fact prevent them from logging in. Sound reasonable?

Cheers,
~Josh.

Re: Deactivating LDAP users upon first login

Posted: Mon Jun 16, 2014 3:12 pm
by davemason
Hi Josh,

As this is not a major issue, I would be happy with the latter solution. As long as a user is created (so I can change group allocation), it doesn't matter if they can't log in on first try. In fact, for me this would also act as a (thin) layer of security.

Qs:
- What sort of message/error would the end-user receive under these circumstances?
- Is there some way to implement the :nogroup: solution in 5.0.2 ?

Cheers,

Dave

Re: Deactivating LDAP users upon first login

Posted: Tue Jun 17, 2014 3:58 pm
by jmoore
davemason wrote: "What sort of message/error would the end-user receive under these circumstances?"

Probably only that login is not allowed.

davemason wrote: "Is there some way to implement the :nogroup: solution in 5.0.2 ?"

Only by implementing your own "ome.security.auth.NewUserGroupBean" and defining it as a bean in the context.

~Josh.