Example setting default group for ldap user

Hi,
I have my non-secure LDAP authentication now working and want to set the default group for the logged-in LDAP user. The username is transferred correctly. The group name is stored in a field “departmentNumber”, which should translate to the standard group of the OMERO user.
The documentation says on that issue:

omero.ldap.group_filter=(objectClass=groupOfNames)
omero.ldap.group_mapping=name=cn
omero.ldap.new_user_group=default

I don’t know what to set for group_filter, because I don’t want to filter any users from the LDAP. So leave that blank? The documentation suggests:
set config omero.ldap.group_filter "(objectClass=groupOfUniqueNames)"

set config omero.ldap.group_mapping "name=departmentNumber"

No idea how to set the default group to “departmentNumber”.
Best regards and thank you for your help,
Heiko


Interesting. This is an example that I’ve never seen before. (LDAP is always so exciting!) I believe you’re going to want one of the :attribute: settings. Assuming you don’t want to do any filtering (i.e. all groups are valid) and the field itself is just a name and not a DN, then:

omero.ldap.new_user_group=:attribute:departmentNumber

might do what you want. I very much suggest testing this on a non-production system first though.

See LDAP authentication — OMERO 5.6.3 documentation for more information. An excerpt:

  • If prefixed with :attribute: , then the rest of the string is taken to be an attribute all of whose values will be taken as group names. For example, omero.ldap.new_user_group=:attribute:memberOf would add a user to all the groups named by memberOf. You can prefix this value with filtered_ to have the group_filter applied to the attribute values, i.e. :filtered_attribute:memberOf will mean that only the values of memberOf which match group_filter will be considered. An example value of the memberOf attribute would be: CN=mygroup,OU=My Group,OU=LabUsers, DC=openmicroscopy,DC=org
  • If prefixed with :dn_attribute: , then the rest of the string is taken to be an attribute all of whose values will be taken as group distinguished names. For example, omero.ldap.new_user_group=:dn_attribute:memberOf would add a user to all the groups named by memberOf, where the name of the group is mapped via group_mapping . You can prefix this value with filtered_ to have the group_filter applied to the attribute values, i.e. :filtered_dn_attribute:memberOf will mean that only the values of memberOf which match group_filter will be considered. An example value of the memberOf attribute would be: CN=mygroup,OU=My Group,OU=LabUsers, DC=openmicroscopy,DC=org

~Josh
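To make the excerpt concrete, here is an added illustration (not OMERO's own code) that models how the documented prefixes turn a user's LDAP attributes into group names: a plain value is a literal group, :attribute: takes every value of the attribute as a group name, :dn_attribute: treats each value as a DN and picks the name via group_mapping, and the filtered_ variants keep only values accepted by group_filter. The user entry is constructed sample data, and group_filter is simplified to a caller-supplied predicate (an assumption; the real server evaluates an LDAP filter against the directory).

```python
from typing import Callable, Dict, List

# Constructed sample LDAP user entry (attribute -> values); not from the thread.
USER_ENTRY: Dict[str, List[str]] = {
    "uid": ["heiko"],
    "departmentNumber": ["microscopy", "imaging-core"],
    "memberOf": [
        "CN=mygroup,OU=My Group,OU=LabUsers,DC=openmicroscopy,DC=org",
        "CN=allstaff,OU=Everyone,DC=openmicroscopy,DC=org",
    ],
}


def rdn_value(dn: str, attr: str) -> str:
    """Value of the first RDN named `attr` in a DN (simple split, no escaping)."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.lower() == attr.lower():
            return value
    raise ValueError(f"no {attr} in {dn!r}")


def resolve_new_user_groups(
    setting: str,
    entry: Dict[str, List[str]],
    group_mapping: str = "name=cn",
    group_filter_ok: Callable[[str], bool] = lambda value: True,
) -> List[str]:
    """Model of omero.ldap.new_user_group resolution as the docs describe it.

    group_filter is modelled as a predicate over each attribute value
    (assumption made for this illustration)."""
    if not setting.startswith(":"):
        return [setting]                       # literal group name, e.g. "default"
    prefix, _, attr = setting[1:].partition(":")
    values = entry.get(attr, [])
    if prefix.startswith("filtered_"):         # apply group_filter to the values
        prefix = prefix[len("filtered_"):]
        values = [v for v in values if group_filter_ok(v)]
    if prefix == "attribute":                  # each value is already a group name
        return list(values)
    if prefix == "dn_attribute":               # each value is a DN; map via group_mapping
        name_attr = dict(p.split("=", 1) for p in group_mapping.split(","))["name"]
        return [rdn_value(v, name_attr) for v in values]
    raise ValueError(f"unknown prefix {prefix!r}")
```

With :attribute:departmentNumber every value of that attribute becomes a group the user is placed in, so whoever controls that directory field controls the user's OMERO group membership; the filtered_ variant limits this to values that pass group_filter.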

Hi Josh,
With this setup it seems to work without any problems:
omero config set omero.ldap.group_mapping "name=:attribute:department"
omero config set omero.ldap.new_user_group ":attribute:department"
omero config set omero.ldap.sync_on_login "true"

Best regards,
Heiko
