[ome-users] LDAP issues with new 4.3.2 version - DNs don't match

Josh Moore josh at glencoesoftware.com
Wed Sep 28 07:23:01 BST 2011


On Sep 28, 2011, at 8:00 AM, Leon Kolchinsky wrote:

> Thanks Josh,

Gladly.

> I just couldn't find in the docs that I need to login as admin user first...
> ;)

Again, sorry for the confusion. I'll look into making it clearer:

  https://trac.openmicroscopy.org.uk/ome/ticket/6868

Did you look at "bin/omero ldap setdn -h" or anywhere else in particular?

~Josh.


> Cheers,
> Leon Kolchinsky
> Senior Software Specialist (Collaborative Applications)
> ITS Research Support Services
> Monash e-Research Centre (MeRC)
> Monash University
> tel: +61 3 99059560
> 
> 
> 
> On Wed, Sep 28, 2011 at 15:54, Josh Moore <josh at glencoesoftware.com> wrote:
> 
>> Hi Leon,
>> 
>> sorry for the confusion, but the command is intended for administrators.
>> I.e. you're changing the value for afelcher, so you'd need to login as root
>> or similar:
>> 
>> /srv/omeroserver/bin/omero login root@localhost
>> 
>> /srv/omeroserver/bin/omero ldap setdn afulcher 'cn=Alex
>> Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing
>> and Health Sciences,ou=Staff,o=Monash University,c=au'
>> 
>> 
>> But changing it in the DB is also just fine! Glad to hear it's working.
>> 
>> ~Josh.
>> 
>> 
>> On Sep 28, 2011, at 2:15 AM, Leon Kolchinsky wrote:
>> 
>>> Hello Josh,
>>> 
>>> Thanks.
>>> I've tried your syntax but it didn't work (using a dummy password as I
>>> don't know the user's LDAP password):
>>> 
>>> [omero@vera143 ~]$ /srv/omeroserver/bin/omero ldap setdn afulcher 'cn=Alex
>>> Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing
>>> and Health Sciences,ou=Staff,o=Monash University,c=au'
>>> Server: [localhost]
>>> Username: [omero]afulcher
>>> Password:
>>> Internal error. Please contact your administrator:
>>> DNs don't match: 'cn=Alex Fulcher,ou=School of Biomedical
>>> Sciences,ou=Faculty of Medicine, Nursing and Health
>>> Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex
>>> Fulcher,ou=School
>>> of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health
>>> Sciences,ou=Staff,o=Monash University,c=au'
>>> Password:
>>> Internal error. Please contact your administrator:
>>> DNs don't match: 'cn=Alex Fulcher,ou=School of Biomedical
>>> Sciences,ou=Faculty of Medicine, Nursing and Health
>>> Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex
>>> Fulcher,ou=School
>>> of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health
>>> Sciences,ou=Staff,o=Monash University,c=au'
>>> Password:
>>> 3 incorrect password attempts
>>> 
>>> So I just changed the dn in the DB like this:
>>> 
>>> UPDATE password set dn = E'cn=Alex Fulcher,ou=School of Biomedical
>>> Sciences,ou=Faculty of Medicine\\, Nursing and Health
>>> Sciences,ou=Staff,o=Monash University,c=au' where experimenter_id=504;
>>> 
>>> And confirmed the result:
>>> Select * from password where experimenter_id=504;
>>> 
>>> The user was able to login then!!!!
>>> 
>>> But I decided to try the syntax of the command line again:
>>> [omero@vera143 log]$ /srv/omeroserver/bin/omero ldap setdn afulcher 'cn=Alex
>>> Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing
>>> and Health Sciences,ou=Staff,o=Monash University,c=au'
>>> Server: [localhost]
>>> Username: [omero]afulcher
>>> Password:
>>> Password check failed for 'afulcher': [id=504]
>>> Password:
>>> Password check failed for 'afulcher': [id=504]
>>> Password:
>>> 3 incorrect password attempts
>>> 
>>> Am I doing something wrong on the command line here?
>>> 
>>> Cheers,
>>> Leon Kolchinsky
>>> Senior Software Specialist (Collaborative Applications)
>>> ITS Research Support Services
>>> Monash e-Research Centre (MeRC)
>>> Monash University
>>> tel: +61 3 99059560
>>> 
>>> 
>>> 
>>> On Tue, Sep 27, 2011 at 21:02, Josh Moore <josh at glencoesoftware.com> wrote:
>>> 
>>>> Hi Leon,
>>>> 
>>>> the LDAP login code was indeed changed for 4.3.2 because of possible
>>>> security issues[#6248]. Part of this included disallowing differing DNs
>>>> between LDAP and OMERO:
>>>> 
>>>> 'cn=Alex Fulcher,ou=Department of Biochemistry and Molecular
>>>> Biology,ou=Faculty of Medicine\, Nursing and Health
>>>> Sciences,ou=Staff,o=Monash University,c=au'
>>>> 
>>>> 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of
>>>> Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
>>>> 
>>>> The first value is the current DN for afulcher in OMERO; the second is the
>>>> current DN for the user in LDAP. It looks pretty clear that this is a case
>>>> of a minor change in LDAP. You can update afulcher's DN by using setdn:
>>>> 
>>>> bin/omero ldap setdn afulcher 'cn=Alex Fulcher,ou=School of Biomedical
>>>> Sciences,ou=Faculty of Medicine\, Nursing and Health
>>>> Sciences,ou=Staff,o=Monash University,c=au'
>>>> 
>>>> Cheers,
>>>> ~Josh
>>>> 
>>>> [#6248] https://trac.openmicroscopy.org.uk/ome/ticket/6248
>>>> 
>>>> 
>>>> On Sep 27, 2011, at 7:34 AM, Leon Kolchinsky wrote:
>>>> 
>>>>> Hello,
>>>>> 
>>>>> I've upgraded a previous version of OMERO to 4.3.2 and got complaints from
>>>>> a user that he can't log in to the server.
>>>>> That's what I can see through the logs:
>>>>> 
>>>>> 2011-09-27 09:42:52,813 INFO  [
>> ome.services.util.ServiceHandler]
>>>>> (l.Server-2)  Excp:    ome.conditions.ValidationException: DNs don't
>>>> match:
>>>>> 'cn=Alex Fulcher,ou=Department of Biochemistry and Molecular
>>>>> Biology,ou=Faculty of Medicine\, Nursing and Health
>>>>> Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex
>>>> Fulcher,ou=School
>>>>> of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health
>>>>> Sciences,ou=Staff,o=Monash University,c=au'
>>>>> ome.conditions.ValidationException: DNs don't match: 'cn=Alex
>>>>> Fulcher,ou=Department of Biochemistry and Molecular Biology,ou=Faculty
>> of
>>>>> Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash
>> University,c=au'
>>>>> and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of
>>>>> Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash
>> University,c=au'
>>>>> 2011-09-27 09:43:58,977 WARN  [
>> ome.security.auth.LdapPasswordProvider]
>>>>> (l.Server-7) DNs don't match: 'cn=Alex Fulcher,ou=Department of
>>>> Biochemistry
>>>>> and Molecular Biology,ou=Faculty of Medicine\, Nursing and Health
>>>>> Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex
>>>> Fulcher,ou=School
>>>>> of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health
>>>>> Sciences,ou=Staff,o=Monash University,c=au'
>>>>> 2011-09-27 09:44:02,046 WARN  [
>> ome.security.auth.LdapPasswordProvider]
>>>>> (l.Server-7) DNs don't match: 'cn=Alex Fulcher,ou=Department of
>>>> Biochemistry
>>>>> and Molecular Biology,ou=Faculty of Medicine\, Nursing and Health
>>>>> Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex
>>>> Fulcher,ou=School
>>>>> of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health
>>>>> Sciences,ou=Staff,o=Monash University,c=au'
>>>>> 2011-09-27 09:44:05,060 INFO  [
>> ome.services.util.ServiceHandler]
>>>>> (l.Server-7)  Excp:    ome.conditions.ValidationException: DNs don't
>>>> match:
>>>>> 'cn=Alex Fulcher,ou=Department of Biochemistry and Molecular
>>>>> Biology,ou=Faculty of Medicine\, Nursing and Health
>>>>> Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex
>>>> Fulcher,ou=School
>>>>> of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health
>>>>> Sciences,ou=Staff,o=Monash University,c=au'
>>>>> ome.conditions.ValidationException: DNs don't match: 'cn=Alex
>>>>> Fulcher,ou=Department of Biochemistry and Molecular Biology,ou=Faculty
>> of
>>>>> Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash
>> University,c=au'
>>>>> and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of
>>>>> Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash
>> University,c=au'
>>>>> 2011-09-27 14:53:20,124 INFO  [
>> ome.services.util.ServiceHandler]
>>>>> (l.Server-9)  Rslt:    cn=Alex Fulcher,ou=Department of Biochemistry
>> and
>>>>> Molecular Biology,ou=Faculty of Medicine\, Nursing and Health
>>>>> Sciences,ou=Staff,o=Monash University,c=au
>>>>> 
>>>>> 
>>>>> So, I've updated his DN (in the DB) to reflect what I can see in the LDAP
>>>>> (without \):
>>>>> 
>>>>> UPDATE password set dn = 'cn=Alex Fulcher,ou=School of Biomedical
>>>>> Sciences,ou=Faculty of Medicine, Nursing and Health
>>>>> Sciences,ou=Staff,o=Monash University,c=au' where experimenter_id=504;
>>>>> 
>>>>> But he still can't connect, although in the webadmin panel I can see that
>>>>> DN changed to 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty
>>>>> of Medicine, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'.
>>>>> 
>>>>> Here is what I see in the logs:
>>>>> 
>>>>> 2011-09-27 15:21:47,476 INFO  [
>> ome.services.util.ServiceHandler]
>>>>> (l.Server-7)  Executor.doWork --
>>>>> 
>> ome.services.sessions.SessionManagerImpl.executeCheckPasswordRO(afulcher)
>>>>> 2011-09-27 15:21:47,477 INFO  [
>> ome.services.util.ServiceHandler]
>>>>> (l.Server-7)  Args:    [null, InternalSF at 812610706]
>>>>> 2011-09-27 15:21:47,478 INFO  [
>> ome.security.basic.EventHandler]
>>>>> (l.Server-7)  Auth:
>>>>> 
>>>> 
>> user=0,group=0,event=null(Sessions),sess=95fa5807-9883-4ae1-9418-dbb1f7140b9d
>>>>> 2011-09-27 15:21:47,524 WARN  [
>> ome.security.auth.LdapPasswordProvider]
>>>>> (l.Server-7) DNs don't match: 'cn=Alex Fulcher,ou=School of Biomedical
>>>>> Sciences,ou=Faculty of Medicine, Nursing and Health
>>>>> Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex
>>>> Fulcher,ou=School
>>>>> of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health
>>>>> Sciences,ou=Staff,o=Monash University,c=au'
>>>>> 2011-09-27 15:21:47,524 WARN  [
>> ome.security.auth.LoginAttemptListener]
>>>>> (l.Server-7) 21 failed logins for afulcher. Throttling for 3000
>>>>> 2011-09-27 15:21:50,530 INFO  [
>> org.perf4j.TimingLogger]
>>>>> (l.Server-7) start[1317100907477] time[3053]
>>>>> 
>> tag[omero.call.success.ome.services.sessions.SessionManagerImpl$8.doWork]
>>>>> 2011-09-27 15:21:50,530 INFO  [
>> ome.services.util.ServiceHandler]
>>>>> (l.Server-7)  Rslt:    null
>>>>> 2011-09-27 15:21:50,531 INFO  [
>> ome.services.util.ServiceHandler]
>>>>> (l.Server-7)  Executor.doWork --
>>>>> 
>> ome.services.sessions.SessionManagerImpl.executeCheckPasswordRW(afulcher)
>>>>> 2011-09-27 15:21:50,531 INFO  [
>> ome.services.util.ServiceHandler]
>>>>> (l.Server-7)  Args:    [null, InternalSF at 812610706]
>>>>> 2011-09-27 15:21:50,558 INFO  [
>> ome.security.basic.EventHandler]
>>>>> (l.Server-7)  Auth:
>>>>> 
>>>> 
>> user=0,group=0,event=61003(Sessions),sess=95fa5807-9883-4ae1-9418-dbb1f7140b9d
>>>>> 2011-09-27 15:21:50,599 WARN  [
>> ome.security.auth.LdapPasswordProvider]
>>>>> (l.Server-7) DNs don't match: 'cn=Alex Fulcher,ou=School of Biomedical
>>>>> Sciences,ou=Faculty of Medicine, Nursing and Health
>>>>> Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex
>>>> Fulcher,ou=School
>>>>> of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health
>>>>> Sciences,ou=Staff,o=Monash University,c=au'
>>>>> 2011-09-27 15:21:50,599 WARN  [
>> ome.security.auth.LoginAttemptListener]
>>>>> (l.Server-7) 22 failed logins for afulcher. Throttling for 3000
>>>>> 2011-09-27 15:21:53,613 INFO  [
>> org.perf4j.TimingLogger]
>>>>> (l.Server-7) start[1317100910531] time[3082] tag[omero.call.exception]
>>>>> 2011-09-27 15:21:53,613 INFO  [
>> ome.services.util.ServiceHandler]
>>>>> (l.Server-7)  Excp:    ome.conditions.ValidationException: DNs don't
>>>> match:
>>>>> 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of
>> Medicine,
>>>>> Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' and
>>>> 'cn=Alex
>>>>> Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\,
>> Nursing
>>>>> and Health Sciences,ou=Staff,o=Monash University,c=au'
>>>>> 2011-09-27 15:21:53,614 ERROR
>> [services.blitz.fire.PermissionsVerifierI]
>>>>> (l.Server-7) Exception thrown while checking password for:afulcher
>>>>> ome.conditions.ValidationException: DNs don't match: 'cn=Alex
>>>>> Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine,
>> Nursing
>>>> and
>>>>> Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex
>>>>> Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\,
>> Nursing
>>>>> and Health Sciences,ou=Staff,o=Monash University,c=au'
>>>>> 
>>>>> Any advice/solution?
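As an added example (not code from OMERO or from anyone in this thread), the parser below shows why the two DN spellings in the log are different DNs under RFC 4514 escaping, where `\,` keeps the comma inside one RDN value while a bare comma starts a new RDN, and renders the escaped form as the PostgreSQL E'' literal with doubled backslashes that the thread ends up storing. The DN strings are copied from the thread; the function names are my own.

```python
# Added example: RFC 4514-style DN splitting, structural DN comparison, and
# rendering a DN as a PostgreSQL E'...' literal. Not OMERO project code.


def split_rdns(dn):
    """Split a DN into its RDN strings, honouring backslash escapes so an
    escaped comma ('\\,') stays inside its value instead of ending the RDN."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i + 1])  # keep the escaped char, drop the backslash
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def same_dn(a, b):
    """True if both strings parse to the same RDN sequence (attribute types
    compared case-insensitively, values compared exactly)."""
    ra, rb = split_rdns(a), split_rdns(b)
    if len(ra) != len(rb):
        return False
    for x, y in zip(ra, rb):
        tx, _, vx = x.partition("=")
        ty, _, vy = y.partition("=")
        if tx.strip().lower() != ty.strip().lower() or vx.strip() != vy.strip():
            return False
    return True


def pg_escaped_literal(dn):
    """Render a DN as a PostgreSQL E'...' literal: backslashes and single
    quotes are doubled so the stored value keeps the '\\,' escape intact."""
    return "E'" + dn.replace("\\", "\\\\").replace("'", "''") + "'"


# DN as returned by LDAP (escaped comma) and as first written to the DB
# (unescaped comma); both taken from the thread above.
LDAP_DN = r"cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au"
DB_DN_UNESCAPED = "cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au"
```

The unescaped spelling parses to seven RDNs, one of them the type-less fragment `Nursing and Health Sciences`, which is why a string or structural comparison against the LDAP value fails until the backslash is stored.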
