
Task #12604 (new)

Opened 10 years ago

Last modified 8 years ago

RFE: make LDAP lookup attributes configurable

Reported by: bpindelski
Owned by:
Priority: minor
Milestone: Permissions
Component: Services
Version: 5.1.0-m1
Keywords: n.a.
Cc: jamoore, mtbcarroll, pwalczysko, jburel, atarkowska, dlindner, wmoore
Resources: n.a.
Referenced By: n.a.
References: n.a.
Remaining Time: n.a.
Sprint: n.a.

Description

This ticket is an RFE from a user (see https://trac.openmicroscopy.org.uk/ome/ticket/4821 and http://lists.openmicroscopy.org.uk/pipermail/ome-users/2014-June/004517.html).

The attributes used in the LDAP server user query should be configurable. Currently they are hard-coded to assume that the login string is the cn of the LDAP user. We would need to allow using other attributes too (e.g. email address or displayName).

Initial work has been started on https://github.com/bpindelski/openmicroscopy/tree/4821_lookup_attrs. This is blocked by the fact that too many places outside of LdapImpl rely on the login string being the omeName (e.g. Principal). This might require a bigger refactoring of the login/session API.

Change History (9)

comment:1 Changed 9 years ago by jamoore

  • Milestone changed from 5.1.0 to 5.1.1

comment:2 Changed 9 years ago by jamoore

  • Milestone changed from 5.1.1 to 5.1.2

comment:3 Changed 9 years ago by jamoore

  • Cc jburel atarkowska dlindner wmoore added

Looking at Felix's email:

The following two parameters would be nice to have:
omero.ldap.user_lookup_attributes=cn,displayName
omero.ldap.ignore_case=true

As long as the "user_lookup_attributes" are considered "also look in" properties, then this might work. So basically:

  • user logs in with name josh@example.com
  • omeName is mapped to uid
  • the uid lookup fails
  • user_lookup_attributes is set to email
  • a single value is returned for the email user
  • OMERO forgets about the fact that the user logged in with the email address and carries on as if everything is normal.

This may or may not have adverse effects on insight & web, depending on their assumptions. Unless anyone sees this as critical, I'd likely push and roll into the next round of LDAP changes.
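The fallback lookup sketched in comment:3, as an added illustration that is not OMERO's LdapImpl or any code from the ticket: the primary attribute (uid) is tried first, then each of the proposed `user_lookup_attributes` in turn, and every step must return exactly one entry. The directory, the `search` stand-in for an LDAP equality filter and the `resolve_login` function are all constructed for this example.

```python
"""Fallback user lookup for LDAP logins, modelled on comment:3.

Hypothetical example written for this page, not OMERO's own LdapImpl.
The directory below is constructed sample data, not real users."""
from typing import Dict, List, Sequence, Tuple

Entry = Dict[str, List[str]]

# Constructed sample directory. "cn" is deliberately duplicated on two
# entries so the ambiguity check below has something to refuse.
DIRECTORY: List[Entry] = [
    {"dn": ["uid=josh,ou=people,dc=example,dc=com"],
     "uid": ["josh"], "cn": ["Josh Example"], "mail": ["josh@example.com"]},
    {"dn": ["uid=felix,ou=people,dc=example,dc=com"],
     "uid": ["felix"], "cn": ["Felix"], "mail": ["felix@example.com"]},
    {"dn": ["uid=felix2,ou=people,dc=example,dc=com"],
     "uid": ["felix2"], "cn": ["Felix"], "mail": ["felix.b@example.com"]},
]


def search(attr: str, value: str, ignore_case: bool) -> List[Entry]:
    """Stand-in for an LDAP equality filter (attr=value) over DIRECTORY."""
    def same(a: str, b: str) -> bool:
        return a.lower() == b.lower() if ignore_case else a == b
    return [e for e in DIRECTORY if any(same(v, value) for v in e.get(attr, []))]


def resolve_login(login: str, user_attr: str = "uid",
                  lookup_attrs: Sequence[str] = ("mail",),
                  ignore_case: bool = False) -> Tuple[str, str]:
    """Map a login string to (omeName, dn).

    user_attr is the attribute omeName is mapped to. lookup_attrs plays the
    role of the proposed omero.ldap.user_lookup_attributes and is consulted
    only after the primary lookup fails; ignore_case plays the role of
    omero.ldap.ignore_case. Each step demands exactly one hit: zero hits
    falls through to the next attribute, more than one is refused rather
    than guessed, since taking the first match would let two directory
    entries share a login."""
    for attr in (user_attr, *lookup_attrs):
        hits = search(attr, login, ignore_case)
        if len(hits) > 1:
            raise LookupError(f"login {login!r} matches {len(hits)} entries via {attr}")
        if len(hits) == 1:
            # Whichever attribute matched, the session continues under the
            # entry's omeName, as comment:3 describes ("OMERO forgets ...").
            return hits[0][user_attr][0], hits[0]["dn"][0]
    raise LookupError(f"no entry for {login!r}")
```

Enabling ignore_case widens what counts as a match, so the ambiguity check matters more once it is on: two entries whose cn values differ only by case become a refused login instead of a silent pick.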

comment:4 Changed 9 years ago by jamoore

  • Milestone changed from 5.1.4 to OMERO-5.1.4

Splitting 5.1.4 due to milestone decoupling

comment:5 Changed 9 years ago by jburel

  • Milestone changed from OMERO-5.1.4 to OMERO-5.2.0

Pushing to 5.2 and linked to https://trello.com/c/NdKek7Ag/303-ldap

comment:6 Changed 9 years ago by jamoore

  • Milestone changed from OMERO-5.2.0 to OMERO-5.2.1

comment:7 Changed 8 years ago by jburel

  • Milestone changed from OMERO-5.2.1 to OMERO-5.2.2

Milestone OMERO-5.2.1 deleted

comment:8 Changed 8 years ago by jburel

  • Milestone changed from OMERO-5.2.2 to OMERO-5.2.1

Milestone OMERO-5.2.2 deleted

comment:9 Changed 8 years ago by jburel

  • Milestone changed from OMERO-5.2.2 to Permissions