[ome-users] LDAP issues with new 4.3.2 version - DNs don't match

Josh Moore josh at glencoesoftware.com
Tue Sep 27 12:02:35 BST 2011


Hi Leon,

the LDAP login code was indeed changed for 4.3.2 because of possible security issues[#6248]. Part of this included disallowing differing DNs between LDAP and OMERO:

  'cn=Alex Fulcher,ou=Department of Biochemistry and Molecular Biology,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'

  'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'

The first value is the current DN for afulcher in OMERO; the second is the current DN for the user in LDAP. It looks pretty clear that this is a case of a minor change in LDAP. You can update afulcher's DN by using setdn:

  bin/omero ldap setdn afulcher 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'

Cheers,
~Josh

[#6248] https://trac.openmicroscopy.org.uk/ome/ticket/6248
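To make the escaping point concrete, here is an added Python example (not OMERO code and not part of Josh's reply) that splits the two DNs from this thread on unescaped commas, as RFC 4514 requires: the DN written by a raw UPDATE that drops the backslash parses into a different RDN sequence, including one RDN with no attribute type, so it can never equal the DN LDAP returns. The function names are my own; OMERO's own comparison is not reproduced here.

```python
"""Added example: why 'Medicine\\, Nursing' and 'Medicine, Nursing' are different DNs."""
import re

# Sample values copied from the thread; the DNs are the ones quoted in the mails.
LDAP_DN = (r"cn=Alex Fulcher,ou=School of Biomedical Sciences,"
           r"ou=Faculty of Medicine\, Nursing and Health Sciences,"
           r"ou=Staff,o=Monash University,c=au")
# What an UPDATE without the backslash stores (constructed from LDAP_DN).
DB_DN_UNESCAPED = LDAP_DN.replace(r"\,", ",")
# The stale DN still held by OMERO before any update.
OLD_DB_DN = (r"cn=Alex Fulcher,ou=Department of Biochemistry and Molecular Biology,"
             r"ou=Faculty of Medicine\, Nursing and Health Sciences,"
             r"ou=Staff,o=Monash University,c=au")


def split_rdns(dn):
    """Split a DN into RDN strings on commas that are not escaped with a backslash."""
    return re.split(r"(?<!\\),", dn)


def parse_dn(dn):
    """Return [(attribute_type, value), ...]; raise ValueError for an RDN that has
    no '=' (exactly what appears once an escaped comma has lost its backslash)."""
    rdns = []
    for rdn in split_rdns(dn):
        if "=" not in rdn:
            raise ValueError("malformed RDN %r in %r" % (rdn, dn))
        attr, _, value = rdn.partition("=")
        # Attribute types are case-insensitive; unescape the comma so values
        # compare on their content rather than on their escaped spelling.
        rdns.append((attr.strip().lower(), value.replace(r"\,", ",").strip()))
    return rdns


def dns_match(stored_dn, ldap_dn):
    """True only when both strings parse to the same RDN sequence."""
    try:
        return parse_dn(stored_dn) == parse_dn(ldap_dn)
    except ValueError:
        return False
```

Running `dns_match(DB_DN_UNESCAPED, LDAP_DN)` returns False because the unescaped string splits into seven pieces, one of them the bare value ` Nursing and Health Sciences`, which is why the login kept failing after the manual UPDATE.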


On Sep 27, 2011, at 7:34 AM, Leon Kolchinsky wrote:

> Hello,
> 
> I've upgraded a previous version of OMERO to 4.3.2 and got complaints from a
> user that he can't log in to the server.
> That's what I can see through the logs:
> 
> 2011-09-27 09:42:52,813 INFO  [        ome.services.util.ServiceHandler]
> (l.Server-2)  Excp:    ome.conditions.ValidationException: DNs don't match:
> 'cn=Alex Fulcher,ou=Department of Biochemistry and Molecular
> Biology,ou=Faculty of Medicine\, Nursing and Health
> Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School
> of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health
> Sciences,ou=Staff,o=Monash University,c=au'
> ome.conditions.ValidationException: DNs don't match: 'cn=Alex
> Fulcher,ou=Department of Biochemistry and Molecular Biology,ou=Faculty of
> Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
> and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of
> Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
> 2011-09-27 09:43:58,977 WARN  [  ome.security.auth.LdapPasswordProvider]
> (l.Server-7) DNs don't match: 'cn=Alex Fulcher,ou=Department of Biochemistry
> and Molecular Biology,ou=Faculty of Medicine\, Nursing and Health
> Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School
> of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health
> Sciences,ou=Staff,o=Monash University,c=au'
> 2011-09-27 09:44:02,046 WARN  [  ome.security.auth.LdapPasswordProvider]
> (l.Server-7) DNs don't match: 'cn=Alex Fulcher,ou=Department of Biochemistry
> and Molecular Biology,ou=Faculty of Medicine\, Nursing and Health
> Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School
> of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health
> Sciences,ou=Staff,o=Monash University,c=au'
> 2011-09-27 09:44:05,060 INFO  [        ome.services.util.ServiceHandler]
> (l.Server-7)  Excp:    ome.conditions.ValidationException: DNs don't match:
> 'cn=Alex Fulcher,ou=Department of Biochemistry and Molecular
> Biology,ou=Faculty of Medicine\, Nursing and Health
> Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School
> of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health
> Sciences,ou=Staff,o=Monash University,c=au'
> ome.conditions.ValidationException: DNs don't match: 'cn=Alex
> Fulcher,ou=Department of Biochemistry and Molecular Biology,ou=Faculty of
> Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
> and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of
> Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
> 2011-09-27 14:53:20,124 INFO  [        ome.services.util.ServiceHandler]
> (l.Server-9)  Rslt:    cn=Alex Fulcher,ou=Department of Biochemistry and
> Molecular Biology,ou=Faculty of Medicine\, Nursing and Health
> Sciences,ou=Staff,o=Monash University,c=au
> 
> 
> So, I've updated his DN (in the DB) to reflect what I can see in the LDAP
> (without \):
> 
> UPDATE password set dn = 'cn=Alex Fulcher,ou=School of Biomedical
> Sciences,ou=Faculty of Medicine, Nursing and Health
> Sciences,ou=Staff,o=Monash University,c=au' where experimenter_id=504;
> 
> But he still can't connect, although in the webadmin panel I can see that DN
> changed to 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of
> Medicine, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'.
> 
> Here is what I see in the logs:
> 
> 2011-09-27 15:21:47,476 INFO  [        ome.services.util.ServiceHandler]
> (l.Server-7)  Executor.doWork --
> ome.services.sessions.SessionManagerImpl.executeCheckPasswordRO(afulcher)
> 2011-09-27 15:21:47,477 INFO  [        ome.services.util.ServiceHandler]
> (l.Server-7)  Args:    [null, InternalSF at 812610706]
> 2011-09-27 15:21:47,478 INFO  [         ome.security.basic.EventHandler]
> (l.Server-7)  Auth:
> user=0,group=0,event=null(Sessions),sess=95fa5807-9883-4ae1-9418-dbb1f7140b9d
> 2011-09-27 15:21:47,524 WARN  [  ome.security.auth.LdapPasswordProvider]
> (l.Server-7) DNs don't match: 'cn=Alex Fulcher,ou=School of Biomedical
> Sciences,ou=Faculty of Medicine, Nursing and Health
> Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School
> of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health
> Sciences,ou=Staff,o=Monash University,c=au'
> 2011-09-27 15:21:47,524 WARN  [  ome.security.auth.LoginAttemptListener]
> (l.Server-7) 21 failed logins for afulcher. Throttling for 3000
> 2011-09-27 15:21:50,530 INFO  [                 org.perf4j.TimingLogger]
> (l.Server-7) start[1317100907477] time[3053]
> tag[omero.call.success.ome.services.sessions.SessionManagerImpl$8.doWork]
> 2011-09-27 15:21:50,530 INFO  [        ome.services.util.ServiceHandler]
> (l.Server-7)  Rslt:    null
> 2011-09-27 15:21:50,531 INFO  [        ome.services.util.ServiceHandler]
> (l.Server-7)  Executor.doWork --
> ome.services.sessions.SessionManagerImpl.executeCheckPasswordRW(afulcher)
> 2011-09-27 15:21:50,531 INFO  [        ome.services.util.ServiceHandler]
> (l.Server-7)  Args:    [null, InternalSF at 812610706]
> 2011-09-27 15:21:50,558 INFO  [         ome.security.basic.EventHandler]
> (l.Server-7)  Auth:
> user=0,group=0,event=61003(Sessions),sess=95fa5807-9883-4ae1-9418-dbb1f7140b9d
> 2011-09-27 15:21:50,599 WARN  [  ome.security.auth.LdapPasswordProvider]
> (l.Server-7) DNs don't match: 'cn=Alex Fulcher,ou=School of Biomedical
> Sciences,ou=Faculty of Medicine, Nursing and Health
> Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School
> of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health
> Sciences,ou=Staff,o=Monash University,c=au'
> 2011-09-27 15:21:50,599 WARN  [  ome.security.auth.LoginAttemptListener]
> (l.Server-7) 22 failed logins for afulcher. Throttling for 3000
> 2011-09-27 15:21:53,613 INFO  [                 org.perf4j.TimingLogger]
> (l.Server-7) start[1317100910531] time[3082] tag[omero.call.exception]
> 2011-09-27 15:21:53,613 INFO  [        ome.services.util.ServiceHandler]
> (l.Server-7)  Excp:    ome.conditions.ValidationException: DNs don't match:
> 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine,
> Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex
> Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing
> and Health Sciences,ou=Staff,o=Monash University,c=au'
> 2011-09-27 15:21:53,614 ERROR [services.blitz.fire.PermissionsVerifierI]
> (l.Server-7) Exception thrown while checking password for:afulcher
> ome.conditions.ValidationException: DNs don't match: 'cn=Alex
> Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine, Nursing and
> Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex
> Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing
> and Health Sciences,ou=Staff,o=Monash University,c=au'
>        at
> ome.security.auth.LdapPasswordProvider.checkPassword(LdapPasswordProvider.java:126)
>        at
> ome.security.auth.PasswordProviders.checkPassword(PasswordProviders.java:42)
>        at ome.logic.AdminImpl.checkPassword(AdminImpl.java:1194)
>        at
> ome.services.sessions.SessionManagerImpl$9.doWork(SessionManagerImpl.java:978)
>        at sun.reflect.GeneratedMethodAccessor250.invoke(Unknown Source)
>        at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>        at java.lang.reflect.Method.invoke(Method.java:597)
>        at
> org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
>        at
> org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
>        at
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
>        at
> ome.services.util.Executor$Impl$Interceptor.invoke(Executor.java:440)
>        at
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
>        at ome.security.basic.EventHandler.invoke(EventHandler.java:150)
>        at
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
>        at
> org.springframework.orm.hibernate3.HibernateInterceptor.invoke(HibernateInterceptor.java:111)
>        at
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
>        at
> org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:108)
>        at
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
>        at
> ome.tools.hibernate.ProxyCleanupFilter$Interceptor.invoke(ProxyCleanupFilter.java:231)
>        at
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
>        at ome.services.util.ServiceHandler.invoke(ServiceHandler.java:116)
>        at
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
>        at
> org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
>        at $Proxy64.doWork(Unknown Source)
>        at ome.services.util.Executor$Impl.execute(Executor.java:371)
>        at
> ome.services.sessions.SessionManagerImpl.executeCheckPasswordRW(SessionManagerImpl.java:973)
>        at
> ome.services.sessions.SessionManagerImpl.executeCheckPassword(SessionManagerImpl.java:945)
>        at
> ome.services.sessions.SessionManagerImpl.executePasswordCheck(SessionManagerImpl.java:920)
>        at
> ome.services.blitz.fire.PermissionsVerifierI.checkPermissions(PermissionsVerifierI.java:135)
>        at
> Glacier2._PermissionsVerifierDisp.___checkPermissions(_PermissionsVerifierDisp.java:90)
>        at
> Glacier2._PermissionsVerifierDisp.__dispatch(_PermissionsVerifierDisp.java:118)
>        at IceInternal.Incoming.invoke(Incoming.java:159)
>        at Ice.ConnectionI.invokeAll(ConnectionI.java:2037)
>        at Ice.ConnectionI.message(ConnectionI.java:972)
>        at IceInternal.ThreadPool.run(ThreadPool.java:577)
>        at IceInternal.ThreadPool.access$100(ThreadPool.java:12)
>        at
> IceInternal.ThreadPool$EventHandlerThread.run(ThreadPool.java:971)
> 
> Any advice/solution?
> 
> Cheers,
> Leon Kolchinsky
> Senior Software Specialist (Collaborative Applications)
> ITS Research Support Services
> Monash e-Research Centre (MeRC)
> Monash University
> tel: +61 3 99059560
