LDAP Group Creation Based on Security Groups

Please note:
Historical discussions about OMERO. Please look for and ask new questions at https://forum.image.sc/tags/omero

Re: LDAP Group Creation Based on Security Groups

Post by jmoore » Thu May 24, 2012 2:43 pm

jlbryants wrote: If I turn it off and the user's LDAP password is changed, will the new password sync properly in Omero with sync_on_login set to false?


Definitely. The LDAP plugin in OMERO never stores the password so there's no synchronization needed. We do, however, sync the email, user name, and groups. Without sync_on_login, these can become stale, but with it turned on, groups can be removed which is likely the problem that you are experiencing.

Cheers,
~Josh
jmoore
Site Admin
 
Posts: 1591
Joined: Fri May 22, 2009 1:29 pm
Location: Germany

Re: LDAP Group Creation Based on Security Groups

Post by jlbryants » Thu May 24, 2012 2:53 pm

I read over the LDAP configuration again and I believe I have answered my own question. It looks to me that password checking is handled by the chainedPasswordProvider, so LDAP will be checked for current password.

Joe
jlbryants
 
Posts: 25
Joined: Mon Apr 09, 2012 8:36 pm

Re: LDAP Group Creation Based on Security Groups

Post by jmoore » Thu May 24, 2012 3:06 pm

Exactly. Cheers, ~Josh

Re: LDAP Group Creation Based on Security Groups

Post by ehrenfeu » Wed May 30, 2012 1:46 pm

Hi Joe,

jlbryants wrote:[...]
When that user logs in again, they do not show as being in anything other than the default group. It removes the association with the other groups and shows them in the default group only. In other words, if I log back in as root and look under the administrative tab, I no longer see that person in any group other than default. Where am I going wrong?


that doesn't happen for me, sounds strange. Of course, after the first login a user is just in the "default" group, but when I change the group membership using an administrative account, the assignment doesn't disappear when the user logs on for the next time.

If I understood your postings correctly, you disabled the sync flag now. Did this fix the weird group behavior?

Cheers,
~Niko
ehrenfeu
 
Posts: 90
Joined: Fri May 11, 2012 8:21 am
Location: Basel, Switzerland

Re: LDAP Group Creation Based on Security Groups

Post by jmoore » Mon Jun 04, 2012 7:03 am

Niko,

have you tried the sync_on_login flag yourself? The warning from etc/omero.properties describes just this behavior:
# Whether or not values from LDAP will be
# sychronized to OMERO on each login. This includes
# not just the user name, email, etc, but also the
# groups that the user is a member of.
#
# WARNING:
# -------------------------------------------------
#   Currently setting this to true the user will be
#   removed from any groups to which they have been
#   added outside of LDAP! Please use carefully.
#


We had hoped to be able to remove this restriction for 4.4.0, but it's unclear whether or not we'll make it.

Cheers,
~Josh
