OMERO

Downloads
Feature List
Licensing

Page Contents

Previous topic

LoginAttemptListener

Next topic

OMERO roles

This Page

LDAP plugin design

Once configured, LDAP authentication allows sysadmins to control OMERO’s user and group creation via an external, locally-maintained LDAP server. Due to the flexibility of LDAP, each instance may have a number of requirements that cannot be supported out of the box. Below, we discuss the design of the LDAP plugin as well as how it can be extended for local use.

Simple walkthrough

The LDAP plugin follows these steps:

  1. Sysadmin configures properties mapping users and groups from LDAP to OMERO.
  2. Once LDAP is enabled, any OMERO user who has a non-null dn in the password table will have their password checked against LDAP and not against OMERO (changing the password via OMERO is not supported). This functionality is provided by the Password Provider.
  3. If there is no OMERO user for a given name, the LDAP plugin will use omero.ldap.user_filter and omero.ldap.user_mapping to look for a valid user:
    1. The user_mapping property is of the form: omeName=<ldap attribute>;firstName=<ldapAttribute>;…
    2. For looking up new users, the plugin will only use the omeName attribute. For example, if a user tries to login with “emma” and the user_mapping starts with omeName=cn; then the LDAP search will be for (cn=emma).
    3. The (cn=emma) LDAP filter is then added to the value of omero.ldap.user_filter. For example, if the user filter is (objectClass=inetOrgPerson), the full query for the new user will be: (&(objectClass=inetOrgPerson)(cn=emma))
  4. If the search returns a single LDAP user, then an OMERO user will be created with all properties mapped according to omero.ldap.user_mapping.
  5. Then the user will be placed in groups according to the value of omero.ldap.new_user_group, which are created if necessary. Details of the various options can be found under LDAP authentication. Each option is handled by a different NewUserGroupBean implementation.

NewUserGroupBean.java

The interface described for the ”:bean:” new_user_group prefix, is ome.security.auth.NewUserGroupBean. It defines a single method: groups(…, AttributeSet set) which returns a list of ExperimenterGroup ids (List<Long>) which the user should be added to.

Other prefix handlers also implement the interface as examples. In the same package are:

See also

OMERO.server installation
Instructions for installing OMERO.server on UNIX and UNIX-like platforms
OMERO.server installation
Instructions for installing OMERO.server on Windows platforms

Server security and firewalls