Page Contents

OMERO

Downloads
Feature List
Licensing

Previous topic

LoginAttemptListener

Next topic

OMERO roles

This Page

Note

This documentation is for the new OMERO 5.2 version. See the latest OMERO 5.1.x version or the previous versions page to find documentation for the OMERO version you are using if you have not upgraded yet.

LDAP plugin design

Once configured, LDAP authentication allows sysadmins to control OMERO’s user and group creation via an external, locally-maintained LDAP server. Due to the flexibility of LDAP, each instance may have a number of requirements that cannot be supported out of the box. Below, we discuss the design of the LDAP plugin as well as how it can be extended for local use.

Simple walkthrough

The LDAP plugin follows these steps:

  1. Sysadmin configures properties mapping users and groups from LDAP to OMERO.
  2. Once LDAP is enabled, any OMERO user who has a value of true in the ldap column of the experimenter table will have their password checked against LDAP and not against OMERO (changing the password via OMERO is not supported). This functionality is provided by the Password Provider. The DN is not stored in the OMERO DB and is retrieved from the LDAP server on each user login.
  3. If there is no OMERO user for a given name, the LDAP plugin will use omero.ldap.user_filter and omero.ldap.user_mapping to look for a valid user:
    1. The user_mapping property is of the form: omeName=<ldap attribute>;firstName=<ldapAttribute>;…
    2. For looking up new users, the plugin will only use the omeName attribute. For example, if a user tries to login with “emma” and the user_mapping starts with omeName=cn; then the LDAP search will be for (cn=emma).
    3. The (cn=emma) LDAP filter is then added to the value of omero.ldap.user_filter. For example, if the user filter is (objectClass=inetOrgPerson), the full query for the new user will be: (&(objectClass=inetOrgPerson)(cn=emma))
  4. If the search returns a single LDAP user, then an OMERO user will be created with all properties mapped according to omero.ldap.user_mapping and the ldap property set to true.
  5. Then the user will be placed in groups according to the value of omero.ldap.new_user_group, which are created if necessary. Details of the various options can be found under LDAP authentication. Each option is handled by a different NewUserGroupBean implementation.

NewUserGroupBean.java

The interface described for the ”:bean:” new_user_group prefix, is ome.security.auth.NewUserGroupBean. It defines a single method: groups(…, AttributeSet set) which returns a list of ExperimenterGroup ids (List<Long>) which the user should be added to.

Other prefix handlers also implement the interface as examples. In the same package are:

See also

OMERO.server installation
Instructions for installing OMERO.server on UNIX and UNIX-like platforms
OMERO.server installation
Instructions for installing OMERO.server on Windows platforms
Server security and firewalls
General instructions on server security