OHDSI / Broadsea

Broadsea deploys the core OHDSI technology stack (Atlas & R Hades), using cross-platform Docker container technology.
http://ohdsi.github.io/Broadsea/
Apache License 2.0

how to add openldap users to atlasdb #88

Closed cha-uth closed 1 year ago

cha-uth commented 1 year ago

Got the develop branch running with openldap. Everything is working as expected.

But when an openldap user logs in, I get 'user1' or 'user2' displayed, although the ldap user names are something else. Also nothing can be accessed. So how do I add them to the atlasdb? I just need to know the related tables and schema (I assume it's the webapi schema). I will need to add at least one user with a system level so that I can set things up.

Thanks.

alondhe commented 1 year ago

You'll need to use a tool like Apache Directory Studio to alter the display names of the users

alondhe commented 1 year ago

@cha-uth -- did that work?

cha-uth commented 1 year ago

I haven't tried it yet


RomainTching commented 1 year ago

Hi! Following along, I'm also trying to make use of the openldap solution, but I'm not very familiar with it. Could you clarify what a tool like Apache Directory Studio would be needed for and what can be done from the .env file? From what I understand, you can define several users and their passwords from the .env file, and as mentioned here when logging in they will be named "user1", "user2"... unless renamed from Apache Directory Studio. I can't login to ATLAS with the admin credentials set in the .env so I assume that may only be used from Apache Directory Studio as well? I also saw here that there should be a wizard to map LDAP users to ATLAS role, but I can't find it when logged as simple user, so my guess is that I need to be logged in as an admin user, but then how do I set any user as admin?

cha-uth commented 1 year ago

Although I can log in with the LDAP users, I cannot assign Atlas roles either.

Same issue as Romain


alondhe commented 1 year ago

This is the approach:

  1. Deploy ohdsi-webapi container with the env file's SECURITY_AUTH_LDAP_ENABLED set to true, and all other env sections related to enabling webapi and atlas security established.
  2. Use Apache Directory Studio to connect to the openldap instance to change the user names, add attributes, even add new users if you'd like.
  3. WebAPI needs to know which user is the admin. Use this script to then anoint an admin: https://github.com/OHDSI/WebAPI/wiki/Atlas-Security#defining-an-administrator
  4. Then, once you have added the admin rights to a user, log in as that user
  5. Use the config page to set up scheduled ldap import jobs
  6. You can assign users directly to Atlas roles, or assign sec groups you have in your ldap to those roles
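Steps 2 and 3 above are the ones people get stuck on: the bind DN has to be derived from the domain in the .env, and the generated "user1"/"user2" accounts need readable names before they are useful in Atlas. The script below is an added example, not Broadsea's or WebAPI's own code: it builds the admin bind DN from .env-style values and emits an LDIF that sets cn/displayName/sn for the accounts, so the rename can be scripted, reviewed and re-applied instead of being clicked through in Apache Directory Studio. The env key names (OPENLDAP_DOMAIN, OPENLDAP_ADMIN_USERNAME, OPENLDAP_USERS), the sample values, and the assumption that accounts live under ou=users are all constructed for the example; check them against your own .env.

```python
# Added example (not Broadsea's or WebAPI's code). Derives the OpenLDAP bind DN
# from Broadsea-style .env values and writes an LDIF that gives the generated
# "user1"/"user2" accounts readable names, so the rename is scriptable and
# reviewable rather than done by hand in a GUI.
import base64
from typing import Dict

# Constructed sample .env. The key names are assumptions; Broadsea's real
# .env may use different ones. The values mirror the thread's defaults.
SAMPLE_ENV = """
# OpenLDAP settings (constructed sample)
OPENLDAP_DOMAIN=example.org
OPENLDAP_ADMIN_USERNAME=ldapadmin
OPENLDAP_USERS=user1,user2
"""

USERS_OU = "users"  # assumption: accounts live under ou=users,<base DN>


def parse_env(text: str) -> Dict[str, str]:
    """Minimal KEY=VALUE parser for a .env file (comments and blanks skipped)."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def base_dn(domain: str) -> str:
    """example.org -> dc=example,dc=org (what the bind DN must end with)."""
    labels = [label for label in domain.strip().lower().split(".") if label]
    if not labels:
        raise ValueError("domain must have at least one label")
    return ",".join(f"dc={label}" for label in labels)


def admin_bind_dn(env: Dict[str, str]) -> str:
    """The 'Bind DN or User' value to enter in Apache Directory Studio."""
    return f"cn={env['OPENLDAP_ADMIN_USERNAME']},{base_dn(env['OPENLDAP_DOMAIN'])}"


def user_dn(uid: str, env: Dict[str, str]) -> str:
    """DN of one generated account (ou=users is an assumption, see above)."""
    return f"uid={uid},ou={USERS_OU},{base_dn(env['OPENLDAP_DOMAIN'])}"


def ldif_line(attr: str, value: str) -> str:
    """Encode one attribute line per RFC 2849: values that are not SAFE-STRINGs
    (non-ASCII, leading space/colon/'<', embedded NUL/CR/LF) must be base64."""
    unsafe = (
        not value.isascii()
        or value[:1] in (" ", ":", "<")
        or any(ch in value for ch in "\r\n\0")
    )
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def rename_ldif(env: Dict[str, str], display_names: Dict[str, str]) -> str:
    """Build a 'changetype: modify' LDIF setting cn/displayName/sn per uid.
    Refuses uids that are not declared in the .env, so a typo cannot
    silently modify an unexpected directory entry."""
    declared = {u.strip() for u in env["OPENLDAP_USERS"].split(",") if u.strip()}
    unknown = set(display_names) - declared
    if unknown:
        raise ValueError(f"uids not declared in .env: {sorted(unknown)}")
    records = []
    for uid, name in display_names.items():
        parts = name.split()
        surname = parts[-1] if parts else uid  # sn is mandatory on inetOrgPerson
        lines = [ldif_line("dn", user_dn(uid, env)), "changetype: modify"]
        for attr, val in (("cn", name), ("displayName", name), ("sn", surname)):
            lines += [f"replace: {attr}", ldif_line(attr, val), "-"]
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    env = parse_env(SAMPLE_ENV)
    print("bind DN:", admin_bind_dn(env))
    print(rename_ldif(env, {"user1": "Alice Example", "user2": "Bob Example"}))
```

Write the output to a file and apply it with the standard OpenLDAP client, e.g. `ldapmodify -x -H ldap://localhost:389 -D "cn=ldapadmin,dc=example,dc=org" -W -f rename.ldif` (port 389 assumed to be the published container port). `-W` prompts for the admin password so it never lands in shell history or the .env of a second machine, and the generated LDIF can be diffed and checked in before it touches the directory.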

RomainTching commented 1 year ago

Sorry, I'm new to LDAP. What should be the Authentication Parameter credentials to use for Apache Directory Studio to connect to the openLDAP in the container? The admin credentials set in the .env? I get an authentication error so I'm not sure if I need to use one of the uid, ou or dc attributes...

cha-uth commented 1 year ago

Romain use this for the bind user

cn=ldapadmin, dc=Whatever-you-set-in your-env-file, dc=whatever-you-set-in-your-env-file

alondhe commented 1 year ago

Right, so if using the default items from the env file:

Bind DN or User: cn=ldapadmin,dc=example,dc=org
Password: the default password

RomainTching commented 1 year ago

That seems to work! We were able to proceed with all these steps up to the point of assigning ATLAS roles to new users. Thanks a lot for your patience and help. Now this process raised another issue for source JDBC strings that I opened separately here since I'm not sure if it's directly related to OpenLDAP configuration or some kind of difference between the main and develop branch.

alondhe commented 1 year ago

Great! I'll look to add this info to our readme for the next release. I'll check out the other issue in the other thread.