Deactivating LDAP users upon first login


Post by davemason » Mon Jun 16, 2014 9:07 am

I have a 5.0.2 OMERO build running on Ubuntu. I'm set up with LDAP authentication, with "omero.ldap.new_user_group" set so new users are placed into a "NewUsers" group.

I know it sounds a bit daft, but I want to deactivate the user account until I have assigned them to their correct working groups. Something like:
Code:
omero.ldap.new_user_status=Disabled

The reason for this is that in the Binary Repository (ASIDE: my "omero.fs.repo.path" is %groupId%/%group%/%user%_%userId%//%year%-%month%%day%/%time%), my users' uploads may be in:
Code:
3/NewUsers/%user%_%userId%//%year%-%month%%day%/%time%

Instead of
Code:
5/MyLabGroup/%user%_%userId%//%year%-%month%%day%/%time%

(For an explanation of why I use this omero.fs.repo.path, see http://www.openmicroscopy.org/community/viewtopic.php?f=4&t=7485)

Is there a way to do this or do I just need to wrangle my users better?

Cheers,

Dave

Post by jmoore » Mon Jun 16, 2014 12:21 pm

Hi Dave,

I don't think there's a way to do what you want at the moment. In fact, it's something of a surprise, since mostly what we hear in the way of LDAP requests is to make the user accounts accessible earlier rather than later.

The LDAP plugin explicitly allows plugging in your own Java bean. If that's something you'd like to dig into, let us know.

Otherwise, probably the easiest way to add support for this is to explicitly allow
Code:
new_user_group=:nogroup:
which would in fact prevent them from logging in. Sound reasonable?

Cheers,
~Josh.

Post by davemason » Mon Jun 16, 2014 3:12 pm

Hi Josh,

As this is not a major issue, I would be happy with the latter solution. As long as a user is created (so I can change group allocation), it doesn't matter if they can't login on first try. In fact, for me this would also act as a (thin) layer of security.

Qs:
- What sort of message/error would the end-user receive under these circumstances?
- Is there some way to implement the :nogroup: solution in 5.0.2?

Cheers,

Dave

Post by jmoore » Tue Jun 17, 2014 3:58 pm

davemason wrote:
- What sort of message/error would the end-user receive under these circumstances?

Probably only that login is not allowed.

davemason wrote:
- Is there some way to implement the :nogroup: solution in 5.0.2?

Only by implementing your own "ome.security.auth.NewUserGroupBean" and defining it as a bean in the context.

~Josh.