Open Microscopy Environment

[saleht]

My AD have group which has inside subgroups, and these subgroups have the users which allow to log in OMERO,
i am using ldap, and it works fine with minimal configuration.
the question now how can migrate the user with the groups, i mean how to let OMERO add every user when he log in to his correct group.
can i

my configuration here :

omero.ldap.base=ou=IDMUsers,DC=AD,DC=hhu,DC=de
omero.ldap.config=true
omero.ldap.password=********
omero.ldap.urls=ldap://XXXXXXXXXXXX.de:389
omero.ldap.user_filter=(memberof:1.2.840.113556.1.4.1941:=cn=CAi_Allgemein,OU=FileShares,OU=Zentrum für Informations- und Medientechnologie,OU=Heinrich-Heine-Universität,dc=ad,dc=hhu,dc=de)
omero.ldap.user_mapping=omeName=sAMAccountName,firstName=givenName,lastName=sn,email=mail
omero.ldap.username=SVC_Omero

any idea ??
or i have to do everything manual

[atarkowska]

Hi,

Have you tried omero.ldap.sync_on_login http://www.openmicroscopy.org/site/supp ... user-login ?

Optionally you may wish to look at group properties http://www.openmicroscopy.org/site/supp ... oup-lookup

Ola

[saleht]

ok i saw, but to be honest i did not know how to configure it is not clear to me ill now
should i create the groups manually in omero then, or do not need to create the groups it will immigrate form ldap,

omero.ldap.sync_on_login
does this command do everything automatically ?

thx

[saleht]

i have a question, should i create the groups manually in OMERO or will migrated from my AD if my configuration right

[jmoore]

Assuming your configuration detects groups in LDAP, there should be no need to create them manually in OMERO.

~Josh.

[saleht]

my configuration are here :

omero.ldap.base=ou=IDMUsers,DC=AD,DC=hhu,DC=de
omero.ldap.config=true
omero.ldap.group_filter=(memberOf=cn=CAi_Allgemein,OU=FileShares,OU=Zentrum für Informations- und Medientechnologie,OU=Heinrich-Heine-Universität,dc=ad,dc=hhu,dc=de)
omero.ldap.group_mapping=name=cn
omero.ldap.new_user_group=member
omero.ldap.password=********
omero.ldap.urls=ldap://XXXXXXXXXXX.de:389
omero.ldap.user_filter=(memberof:1.2.840.113556.1.4.1941:=cn=CAi_Allgemein,OU=FileShares,OU=Zentrum für Informations- und Medientechnologie,OU=Heinrich-Heine-Universität,dc=ad,dc=hhu,dc=de)
omero.ldap.user_mapping=omeName=sAMAccountName,firstName=givenName,lastName=sn,email=mail
omero.ldap.username=SVC_Omero

ldap users can log in
but i can not see my ldap groups in Omero

i have run the following query and got

ldapsearch -x -LLL -D "SVC_Omero" -p 389 -h SVR-HHU-DC-1.ad.hhu.de -b "OU=FileShares,OU=Zentrum für Informations- und Medientechnologie,OU=Heinrich-Heine-Universität,dc=ad,dc=hhu,dc=de" -s sub "(&(objectCategory=group)(memberOf=cn=CAi_Allgemein,OU=FileShares,OU=Zentrum für Informations- und Medientechnologie,OU=Heinrich-Heine-Universität,dc=ad,dc=hhu,dc=de))"

small snap from the results

dn:: Q049Q0FpX0FHX0Zpc2NoZXJfTWVkUGhhcm1ha28sT1U9RmlsZVNoYXJlcyxPVT1aZW50cnVtI
GbDvHIgSW5mb3JtYXRpb25zLSB1bmQgTWVkaWVudGVjaG5vbG9naWUsT1U9SGVpbnJpY2gtSGVpbm
UtVW5pdmVyc2l0w6R0LERDPUFELERDPWhodSxEQz1kZQ==
objectClass: top
objectClass: group
cn: CAi_AG_Fischer_MedPharmako
member: CN=Zobel\, Thomas (zobelt),OU=IDMUsers,DC=AD,DC=hhu,DC=de
member: CN=Zimmermann\, Annika (anzim002),OU=IDMUsers,DC=AD,DC=hhu,DC=de
member: CN=Weidtkamp-Peters\, Stefanie (stwei004),OU=IDMUsers,DC=AD,DC=hhu,DC=
de
member:: Q049SMOkbnNjaFwsIFNlYmFzdGlhbiAoc2VoYWUxMDApLE9VPUlETVVzZXJzLERDPUFEL
ERDPWhodSxEQz1kZQ==
distinguishedName:: Q049Q0FpX0FHX0Zpc2NoZXJfTWVkUGhhcm1ha28sT1U9RmlsZVNoYXJlcy
xPVT1aZW50cnVtIGbDvHIgSW5mb3JtYXRpb25zLSB1bmQgTWVkaWVudGVjaG5vbG9naWUsT1U9SGV
pbnJpY2gtSGVpbmUtVW5pdmVyc2l0w6R0LERDPUFELERDPWhodSxEQz1kZQ==
instanceType: 4
whenCreated: 20150827065450.0Z
whenChanged: 20160520075814.0Z
uSNCreated: 78095703
info: v=stwei004;
memberOf:: Q049Q0FpX0FsbGdlbWVpbixPVT1GaWxlU2hhcmVzLE9VPVplbnRydW0gZsO8ciBJbmZ
vcm1hdGlvbnMtIHVuZCBNZWRpZW50ZWNobm9sb2dpZSxPVT1IZWlucmljaC1IZWluZS1Vbml2ZXJz
aXTDpHQsREM9QUQsREM9aGh1LERDPWRl
uSNChanged: 107361393
name: CAi_AG_Fischer_MedPharmako
objectGUID:: jpMAsq6/GEi9ES884oPvTQ==
objectSid:: AQUAAAAAAAUVAAAAPWyx+z7TI1czsNEl6ysFAA==
sAMAccountName: CAi_AG_Fischer_MedPharmako
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=AD,DC=hhu,DC=de
dSCorePropagationData: 20160811085358.0Z
dSCorePropagationData: 16010101000001.0Z

dn:: Q049Q0FpX0FHX1JlaWNoZXJ0LE9VPUZpbGVTaGFyZXMsT1U9WmVudHJ1bSBmw7xyIEluZm9yb
WF0aW9ucy0gdW5kIE1lZGllbnRlY2hub2xvZ2llLE9VPUhlaW5yaWNoLUhlaW5lLVVuaXZlcnNpdM
OkdCxEQz1BRCxEQz1oaHUsREM9ZGU=
objectClass: top
objectClass: group
cn: CAi_AG_Reichert
member: CN=Kondadi\, Arun Kumar (kondadi),OU=IDMUsers,DC=AD,DC=hhu,DC=de
member: CN=Zobel\, Thomas (zobelt),OU=IDMUsers,DC=AD,DC=hhu,DC=de
member: CN=Weidtkamp-Peters\, Stefanie (stwei004),OU=IDMUsers,DC=AD,DC=hhu,DC=
de
member:: Q049SMOkbnNjaFwsIFNlYmFzdGlhbiAoc2VoYWUxMDApLE9VPUlETVVzZXJzLERDPUFEL
ERDPWhodSxEQz1kZQ==
distinguishedName:: Q049Q0FpX0FHX1JlaWNoZXJ0LE9VPUZpbGVTaGFyZXMsT1U9WmVudHJ1bS
Bmw7xyIEluZm9ybWF0aW9ucy0gdW5kIE1lZGllbnRlY2hub2xvZ2llLE9VPUhlaW5yaWNoLUhlaW5
lLVVuaXZlcnNpdMOkdCxEQz1BRCxEQz1oaHUsREM9ZGU=
instanceType: 4
whenCreated: 20150828053804.0Z
whenChanged: 20160701090719.0Z
uSNCreated: 78177213
info: v=stwei004;
memberOf:: Q049Q0FpX0FsbGdlbWVpbixPVT1GaWxlU2hhcmVzLE9VPVplbnRydW0gZsO8ciBJbmZ
vcm1hdGlvbnMtIHVuZCBNZWRpZW50ZWNobm9sb2dpZSxPVT1IZWlucmljaC1IZWluZS1Vbml2ZXJz
aXTDpHQsREM9QUQsREM9aGh1LERDPWRl
uSNChanged: 111797674
name: CAi_AG_Reichert
objectGUID:: NE9jxHNGeUC242JtNrReVA==
objectSid:: AQUAAAAAAAUVAAAAPWyx+z7TI1czsNElMDQFAA==
sAMAccountName: CAi_AG_Reichert
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=AD,DC=hhu,DC=de
dSCorePropagationData: 20160811085358.0Z
dSCorePropagationData: 16010101000001.0Z

i have big Group called CAi_Allgemein whcih has many groups and these many groups has the users
i want to see these many groups in my OMERO
can someone help me pls

[jmoore]

Code: Select all

omero.ldap.new_user_group=member

means to me that all users from LDAP will be put into a single group named "member". From LDAP authentication > Group lookup:

If not prefixed at all, then the value is simply the name of a group which all users from LDAP should be added to.

You likely want the same value as the example given at the top:

Code: Select all

omero.ldap.new_user_group=:query:(member=@{dn})


i.e. "Add this user to groups which have an attribute member which contains the DN of the user"

Cheers,
~Josh.

[saleht]

it was like this, but still not working
omero.ldap.new_user_group=:query:(member=@{dn})

can you pls check my groups conf, is all correct, i will re config new_user_group agian like you said

one more question, now there are 2 ldap users already loged in and they are listed in omero user table,
if i success to configure, they will be automatically moved to thier correct groups which they are in in ldap Server

[saleht]

my latest config is like this, any help, i am still not albe to see my AD group in OMERO


[omero@localhost OMERO.server]$ bin/omero config get --hide-password
omero.data.dir=/mnt/data/OMERO
omero.db.name=omero_database
omero.db.pass=********
omero.db.user=omero_user
omero.ldap.base=ou=IDMUsers,DC=AD,DC=hhu,DC=de
omero.ldap.config=true
omero.ldap.group_filter=(memberOf=cn=CAi_Allgemein,OU=FileShares,OU=Zentrum für Informations- und Medientechnologie,OU=Heinrich-Heine-Universität,dc=ad,dc=hhu,dc=de)
omero.ldap.group_mapping=name=cn
omero.ldap.new_user_group=:query:(&(OU=CAi_Allgemein)(member=@{dn}))
omero.ldap.password=********
omero.ldap.urls=ldap://XXXXXXXXX.de:389
omero.ldap.user_filter=(memberof:1.2.840.113556.1.4.1941:=cn=CAi_Allgemein,OU=FileShares,OU=Zentrum für Informations- und Medientechnologie,OU=Heinrich-Heine-Universität,dc=ad,dc=hhu,dc=de)
omero.ldap.user_mapping=omeName=sAMAccountName,firstName=givenName,lastName=sn,email=mail
omero.ldap.username=SVC_Omero
omero.web.application_server=wsgi-tcp
omero.web.debug=True

pay attention that the group CAi_Allgemein has many groups and these groups has the users which allow to use OMERO

i dont know if this will help, i have run this command

ldapsearch -x -LLL -D "SVC_Omero" -w ******************* -p 389 -h XXXXXXXX.de -b "OU=FileShares,OU=Zentrum für Informations- und Medientechnologie,OU=Heinrich-Heine-Universität,dc=ad,dc=hhu,dc=de" -s sub "(&(objectCategory=group)(memberOf=cn=CAi_Allgemein,OU=FileShares,OU=Zentrum für Informations- und Medientechnologie,OU=Heinrich-Heine-Universität,dc=ad,dc=hhu,dc=de))

this is a snap what i get , in Brwon color is the groups which i want to be showed in OMERO

dn:: Q049Q0FpX0FHX0hhcnRtYW5uLE9VPUZpbGVTaGFyZXMsT1U9WmVudHJ1bSBmw7xyIEluZm9yb
WF0aW9ucy0gdW5kIE1lZGllbnRlY2hub2xvZ2llLE9VPUhlaW5yaWNoLUhlaW5lLVVuaXZlcnNpdM
OkdCxEQz1BRCxEQz1oaHUsREM9ZGU=
objectClass: top
objectClass: group
cn: CAi_AG_Hartmann
member: CN=Zobel\, Thomas (zobelt),OU=IDMUsers,DC=AD,DC=hhu,DC=de
member: CN=Weidtkamp-Peters\, Stefanie (stwei004),OU=IDMUsers,DC=AD,DC=hhu,DC=
de
member:: Q049SMOkbnNjaFwsIFNlYmFzdGlhbiAoc2VoYWUxMDApLE9VPUlETVVzZXJzLERDPUFEL
ERDPWhodSxEQz1kZQ==
distinguishedName:: Q049Q0FpX0FHX0hhcnRtYW5uLE9VPUZpbGVTaGFyZXMsT1U9WmVudHJ1bS
Bmw7xyIEluZm9ybWF0aW9ucy0gdW5kIE1lZGllbnRlY2hub2xvZ2llLE9VPUhlaW5yaWNoLUhlaW5
lLVVuaXZlcnNpdMOkdCxEQz1BRCxEQz1oaHUsREM9ZGU=
instanceType: 4
whenCreated: 20150813080529.0Z
whenChanged: 20160520080031.0Z
uSNCreated: 76768050
info: v=stwei004;
memberOf:: Q049Q0FpX0FsbGdlbWVpbixPVT1GaWxlU2hhcmVzLE9VPVplbnRydW0gZsO8ciBJbmZ
vcm1hdGlvbnMtIHVuZCBNZWRpZW50ZWNobm9sb2dpZSxPVT1IZWlucmljaC1IZWluZS1Vbml2ZXJz
aXTDpHQsREM9QUQsREM9aGh1LERDPWRl
uSNChanged: 107361677
name: CAi_AG_Hartmann
objectGUID:: OAPVNL0I5keheg1667mHVQ==
objectSid:: AQUAAAAAAAUVAAAAPWyx+z7TI1czsNEl57UEAA==
sAMAccountName: CAi_AG_Hartmann
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=AD,DC=hhu,DC=de
dSCorePropagationData: 20160811085358.0Z
dSCorePropagationData: 16010101000001.0Z

dn:: Q049Q0FpX0FHX0Zpc2NoZXJfTWVkUGhhcm1ha28sT1U9RmlsZVNoYXJlcyxPVT1aZW50cnVtI
GbDvHIgSW5mb3JtYXRpb25zLSB1bmQgTWVkaWVudGVjaG5vbG9naWUsT1U9SGVpbnJpY2gtSGVpbm
UtVW5pdmVyc2l0w6R0LERDPUFELERDPWhodSxEQz1kZQ==
objectClass: top
objectClass: group
cn: CAi_AG_Fischer_MedPharmako
member: CN=Zobel\, Thomas (zobelt),OU=IDMUsers,DC=AD,DC=hhu,DC=de
member: CN=Zimmermann\, Annika (anzim002),OU=IDMUsers,DC=AD,DC=hhu,DC=de
member: CN=Weidtkamp-Peters\, Stefanie (stwei004),OU=IDMUsers,DC=AD,DC=hhu,DC=
de
member:: Q049SMOkbnNjaFwsIFNlYmFzdGlhbiAoc2VoYWUxMDApLE9VPUlETVVzZXJzLERDPUFEL
ERDPWhodSxEQz1kZQ==
distinguishedName:: Q049Q0FpX0FHX0Zpc2NoZXJfTWVkUGhhcm1ha28sT1U9RmlsZVNoYXJlcy
xPVT1aZW50cnVtIGbDvHIgSW5mb3JtYXRpb25zLSB1bmQgTWVkaWVudGVjaG5vbG9naWUsT1U9SGV
pbnJpY2gtSGVpbmUtVW5pdmVyc2l0w6R0LERDPUFELERDPWhodSxEQz1kZQ==
instanceType: 4
whenCreated: 20150827065450.0Z
whenChanged: 20160520075814.0Z
uSNCreated: 78095703
info: v=stwei004;
memberOf:: Q049Q0FpX0FsbGdlbWVpbixPVT1GaWxlU2hhcmVzLE9VPVplbnRydW0gZsO8ciBJbmZ
vcm1hdGlvbnMtIHVuZCBNZWRpZW50ZWNobm9sb2dpZSxPVT1IZWlucmljaC1IZWluZS1Vbml2ZXJz
aXTDpHQsREM9QUQsREM9aGh1LERDPWRl
uSNChanged: 107361393
name: CAi_AG_Fischer_MedPharmako
objectGUID:: jpMAsq6/GEi9ES884oPvTQ==
objectSid:: AQUAAAAAAAUVAAAAPWyx+z7TI1czsNEl6ysFAA==
sAMAccountName: CAi_AG_Fischer_MedPharmako
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=AD,DC=hhu,DC=de
dSCorePropagationData: 20160811085358.0Z
dSCorePropagationData: 16010101000001.0Z

dn:: Q049Q0FpX0FHX1JlaWNoZXJ0LE9VPUZpbGVTaGFyZXMsT1U9WmVudHJ1bSBmw7xyIEluZm9yb
WF0aW9ucy0gdW5kIE1lZGllbnRlY2hub2xvZ2llLE9VPUhlaW5yaWNoLUhlaW5lLVVuaXZlcnNpdM
OkdCxEQz1BRCxEQz1oaHUsREM9ZGU=
objectClass: top
objectClass: group
cn: CAi_AG_Reichert
member: CN=Kondadi\, Arun Kumar (kondadi),OU=IDMUsers,DC=AD,DC=hhu,DC=de
member: CN=Zobel\, Thomas (zobelt),OU=IDMUsers,DC=AD,DC=hhu,DC=de
member: CN=Weidtkamp-Peters\, Stefanie (stwei004),OU=IDMUsers,DC=AD,DC=hhu,DC=
de
member:: Q049SMOkbnNjaFwsIFNlYmFzdGlhbiAoc2VoYWUxMDApLE9VPUlETVVzZXJzLERDPUFEL
ERDPWhodSxEQz1kZQ==
distinguishedName:: Q049Q0FpX0FHX1JlaWNoZXJ0LE9VPUZpbGVTaGFyZXMsT1U9WmVudHJ1bS
Bmw7xyIEluZm9ybWF0aW9ucy0gdW5kIE1lZGllbnRlY2hub2xvZ2llLE9VPUhlaW5yaWNoLUhlaW5
lLVVuaXZlcnNpdMOkdCxEQz1BRCxEQz1oaHUsREM9ZGU=
instanceType: 4
whenCreated: 20150828053804.0Z
whenChanged: 20160701090719.0Z
uSNCreated: 78177213
info: v=stwei004;
memberOf:: Q049Q0FpX0FsbGdlbWVpbixPVT1GaWxlU2hhcmVzLE9VPVplbnRydW0gZsO8ciBJbmZ
vcm1hdGlvbnMtIHVuZCBNZWRpZW50ZWNobm9sb2dpZSxPVT1IZWlucmljaC1IZWluZS1Vbml2ZXJz
aXTDpHQsREM9QUQsREM9aGh1LERDPWRl
uSNChanged: 111797674
name: CAi_AG_Reichert
objectGUID:: NE9jxHNGeUC242JtNrReVA==
objectSid:: AQUAAAAAAAUVAAAAPWyx+z7TI1czsNElMDQFAA==
sAMAccountName: CAi_AG_Reichert
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=AD,DC=hhu,DC=de
dSCorePropagationData: 20160811085358.0Z
dSCorePropagationData: 16010101000001.0Z

[jmoore]

Hi Saleh,

there are a number of things going on here. I'm going to try to summarize them, but this is likely going to take a good deal of back-and-forth since we don't have any particular insight into your LDAP configuration.

• "omero.ldap.sync_on_login does this command do everything automatically ?" -- what it does is that makes sure a user's entry (including groups) are up-to-date with regard to LDAP on every login. You should have it turned on.
• "one more question, now there are 2 ldap users already loged in and they are listed in omero user table,
  if i success to configure, they will be automatically moved to thier correct groups which they are in in ldap Server" -- with sync_on_login, yes.
• You have listed your base as "ou=IDMUsers,DC=AD,DC=hhu,DC=de" in OMERO. This doesn't match the base you are using in ldapsearch: ""OU=FileShares,OU=Zentrum für Informations- und Medientechnologie,OU=Heinrich-Heine-Universität,dc=ad,dc=hhu,dc=de"" -- perhaps try "dc=ad,dc=hhu,dc=de"?
• Your DNs are being printed base64 encoded due to unicode characters. This may or may not be impacting things.
• Your user_filter has "(memberof:1.2.840.113556.1.4.1941:=..." -- I haven't tested this syntax myself with the Java libraries that OMERO uses. If we eliminate all the issues above and there are still problems, we might need to come back to this.

Cheers,
~Josh