OMERO LDAP Authentication

LDAP is an open standard for querying and modifying directory services that is commonly used for authentication, authorization and accounting (AAA). OMERO.server can use an LDAP server to query (but not modify) AAA information in order to create users automatically (a user is an Experimenter or Scientist in OMERO parlance).

LDAP Configuration

Like many pieces of OMERO.server configuration, LDAP-specific configuration is done by specifying extra properties in the etc/omero.properties file inside your OMERO installation directory. The OMERO.server LDAP implementation is designed to handle three main use cases:

  1. Allow every inetOrgPerson under omero.ldap.base to log in
  2. As (1), but restrict access based upon membership in omero.ldap.groups
  3. As (1), but restrict access based upon the entry's attributes matching omero.ldap.attributes and omero.ldap.values

Example

# Enable or disable LDAP (true/false)
omero.ldap.config=true

# LDAP server URL string
omero.ldap.urls=ldap://ldap.example.com:389

# LDAP server bind DN (if required; can be empty)
omero.ldap.username=cn=Manager,dc=example,dc=com

# LDAP server bind password (if required; can be empty)
omero.ldap.password=secret

# LDAP server base search DN 
omero.ldap.base=dc=example,dc=com

# The unique group CNs that the user must be a member of to be allowed access to OMERO (can be empty)
omero.ldap.groups=OmeroUsers

# Attributes, separated by ',', that users must have to be allowed access to OMERO (can be empty)
omero.ldap.attributes=omeroUser,accountEnabled

# Values, separated by ',', of the above 'omero.ldap.attributes' that must be fulfilled to be allowed access to OMERO (can be empty)
omero.ldap.values=true,true

NOTE: Please remember that once a change has been made to etc/local.properties or etc/omero.properties you must follow the instructions on the OmeroInstall page under Reconfiguration and perform a server restart.

NOTE: Empty values above should look like this: omero.ldap.groups=
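
A pre-restart check for the properties above, as an added example that is not part of OMERO or of the original page: it reports which of the restrictions from the use-case list are active and flags settings that deserve a second look. The function names and the simplified key=value parser are hypothetical, the sample text is constructed from the page's example, and the count check assumes that omero.ldap.attributes and omero.ldap.values are paired by position.

```python
SAMPLE = """\
# constructed sample, mirrors the example on this page
omero.ldap.config=true
omero.ldap.urls=ldap://ldap.example.com:389
omero.ldap.username=cn=Manager,dc=example,dc=com
omero.ldap.password=secret
omero.ldap.base=dc=example,dc=com
omero.ldap.groups=OmeroUsers
omero.ldap.attributes=omeroUser,accountEnabled
omero.ldap.values=true,true
"""

def parse_properties(text):
    """Parse key=value lines, splitting on the first '=' only (DNs contain '=')."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def split_list(value):
    """Split a ','-separated property value, dropping empty items."""
    return [v.strip() for v in value.split(",") if v.strip()]

def lint_ldap(props):
    """Return (active_restrictions, findings) for an omero.ldap.* configuration."""
    get = lambda key: props.get("omero.ldap." + key, "")
    restrictions, findings = [], []
    if get("config").lower() != "true":
        return restrictions, ["LDAP is disabled (omero.ldap.config is not 'true')"]
    if not get("base"):
        findings.append("omero.ldap.base is empty")
    attrs, values = split_list(get("attributes")), split_list(get("values"))
    if len(attrs) != len(values):  # assumption: attributes and values pair by position
        findings.append("attributes/values count mismatch: %d vs %d" % (len(attrs), len(values)))
    if split_list(get("groups")):
        restrictions.append("groups")
    if attrs:
        restrictions.append("attributes")
    if not restrictions:
        findings.append("no group or attribute restriction: use case 1 applies")
    if "ldap://" in get("urls").lower() and get("password"):
        findings.append("bind password configured with an ldap:// URL (scheme carries no TLS)")
    return restrictions, findings

if __name__ == "__main__":
    print(lint_ldap(parse_properties(SAMPLE)))
```

On the page's example values this reports both restrictions as active and one finding: the bind password is configured alongside a plain ldap:// URL.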


See also: OmeroInstall, OmeroSecurity
