[ome-users] LDAP issues with new 4.3.2 version - DNs don't match

Leon Kolchinsky Leon.Kolchinsky at monash.edu
Thu Sep 29 01:08:52 BST 2011


Hi Josh,

1) Yep, I've checked "bin/omero ldap setdn --help" and
http://www.openmicroscopy.org/site/support/faq/omero/how-do-you-convert-a-non-ldap-user-to-using-ldap

and didn't see any mention of "bin/omero login root@localhost"

2) Another thing that bothers me with this LDAP change is that we use "uid"
to identify the user during login, and the DN of our users changes once in a while.
This way, after every change in LDAP (causing a DN change for the users) I'll
have to go and manually update the users' DNs in the OMERO DB.
Why can't it just compare the login name (during login)
with the omero.ldap.user_filter result?

Configuration snap:
$ /srv/omeroserver/bin/omero config get
omero.ldap.base=o=Monash University,c=au
omero.ldap.config=true
omero.ldap.user_filter=(&(objectClass=inetOrgPerson)(uid=*))
omero.ldap.user_mapping=omeName=uid,firstName=givenName,lastName=sn,email=mail


Cheers,
Leon Kolchinsky
Senior Software Specialist (Collaborative Applications)
ITS Research Support Services
Monash e-Research Centre (MeRC)
Monash University
tel: +61 3 99059560



On Wed, Sep 28, 2011 at 16:23, Josh Moore <josh at glencoesoftware.com> wrote:

>
> On Sep 28, 2011, at 8:00 AM, Leon Kolchinsky wrote:
>
> > Thanks Josh,
>
> Gladly.
>
> > I just couldn't find in the docs that I need to login as admin user
> first...
> > ;)
>
> Again, sorry for the confusion. I'll look into making it clearer:
>
>  https://trac.openmicroscopy.org.uk/ome/ticket/6868
>
> Did you look at "bin/omero ldap setdn -h" or anywhere else in particular?
>
> ~Josh.
>
>
> > Cheers,
> > Leon Kolchinsky
> > Senior Software Specialist (Collaborative Applications)
> > ITS Research Support Services
> > Monash e-Research Centre (MeRC)
> > Monash University
> > tel: +61 3 99059560
> >
> >
> >
> > On Wed, Sep 28, 2011 at 15:54, Josh Moore <josh at glencoesoftware.com>
> wrote:
> >
> >> Hi Leon,
> >>
> >> sorry for the confusion, but the command is intended for administrators.
> >> I.e. you're changing the value for afelcher, so you'd need to login as
> root
> >> or similar:
> >>
> >> /srv/omeroserver/bin/omero login root@localhost
> >>
> >> /srv/omeroserver/bin/omero ldap setdn afulcher 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
> >>
> >>
> >> But changing it in the DB is also just fine! Glad to hear it's working.
> >>
> >> ~Josh.
> >>
> >>
> >> On Sep 28, 2011, at 2:15 AM, Leon Kolchinsky wrote:
> >>
> >>> Hello Josh,
> >>>
> >>> Thanks.
> >>> I've tried your syntax but it didn't work (using a dummy password as I
> >>> don't know the user's LDAP password):
> >>>
> >>> [omero@vera143 ~]$ /srv/omeroserver/bin/omero ldap setdn afulcher 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
> >>> Server: [localhost]
> >>> Username: [omero]afulcher
> >>> Password:
> >>> Internal error. Please contact your administrator:
> >>> DNs don't match: 'cn=Alex Fulcher,ou=School of Biomedical
> >>> Sciences,ou=Faculty of Medicine, Nursing and Health
> >>> Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex
> >> Fulcher,ou=School
> >>> of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health
> >>> Sciences,ou=Staff,o=Monash University,c=au'
> >>> Password:
> >>> Internal error. Please contact your administrator:
> >>> DNs don't match: 'cn=Alex Fulcher,ou=School of Biomedical
> >>> Sciences,ou=Faculty of Medicine, Nursing and Health
> >>> Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex
> >> Fulcher,ou=School
> >>> of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health
> >>> Sciences,ou=Staff,o=Monash University,c=au'
> >>> Password:
> >>> 3 incorrect password attempts
> >>>
> >>> So I just changed the dn in the DB like this:
> >>>
> >>> UPDATE password set dn = E'cn=Alex Fulcher,ou=School of Biomedical
> >>> Sciences,ou=Faculty of Medicine\\, Nursing and Health
> >>> Sciences,ou=Staff,o=Monash University,c=au' where experimenter_id=504;
> >>>
> >>> And confirmed the result:
> >>> Select * from password where experimenter_id=504;
> >>>
> >>> The user was able to login then!!!!
> >>>
> >>> But I decided to try the syntax of the command line again:
> >>> [omero@vera143 log]$ /srv/omeroserver/bin/omero ldap setdn afulcher 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
> >>> Server: [localhost]
> >>> Username: [omero]afulcher
> >>> Password:
> >>> Password check failed for 'afulcher': [id=504]
> >>> Password:
> >>> Password check failed for 'afulcher': [id=504]
> >>> Password:
> >>> 3 incorrect password attempts
> >>>
> >>> Am I doing something wrong on the command line here?
> >>>
> >>> Cheers,
> >>> Leon Kolchinsky
> >>> Senior Software Specialist (Collaborative Applications)
> >>> ITS Research Support Services
> >>> Monash e-Research Centre (MeRC)
> >>> Monash University
> >>> tel: +61 3 99059560
> >>>
> >>>
> >>>
> >>> On Tue, Sep 27, 2011 at 21:02, Josh Moore <josh at glencoesoftware.com>
> >> wrote:
> >>>
> >>>> Hi Leon,
> >>>>
> >>>> the LDAP login code was indeed changed for 4.3.2 because of possible
> >>>> security issues[#6248]. Part of this included disallowing differing
> DNs
> >>>> between LDAP and OMERO:
> >>>>
> >>>> 'cn=Alex Fulcher,ou=Department of Biochemistry and Molecular
> >>>> Biology,ou=Faculty of Medicine\, Nursing and Health
> >>>> Sciences,ou=Staff,o=Monash University,c=au'
> >>>>
> >>>> 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of
> >>>> Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash
> >> University,c=au'
> >>>>
> >>>> The first value is the current DN for afulcher in OMERO; the second is
> >> the
> >>>> current DN for the user in LDAP. It looks pretty clear that this is a
> >> case
> >>>> of a minor change in LDAP. You can update afulcher's DN by using
> setdn:
> >>>>
> >>>> bin/omero ldap setdn afulcher 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
> >>>>
> >>>> Cheers,
> >>>> ~Josh
> >>>>
> >>>> [#6248] https://trac.openmicroscopy.org.uk/ome/ticket/6248
> >>>>
> >>>>
> >>>> On Sep 27, 2011, at 7:34 AM, Leon Kolchinsky wrote:
> >>>>
> >>>>> Hello,
> >>>>>
> >>>>> I've upgraded a previous version of OMERO to 4.3.2 and got complaints from
> >>>>> a user that he can't log in to the server.
> >>>>> That's what I can see through the logs:
> >>>>>
> >>>>> 2011-09-27 09:42:52,813 INFO  [
> >> ome.services.util.ServiceHandler]
> >>>>> (l.Server-2)  Excp:    ome.conditions.ValidationException: DNs don't
> >>>> match:
> >>>>> 'cn=Alex Fulcher,ou=Department of Biochemistry and Molecular
> >>>>> Biology,ou=Faculty of Medicine\, Nursing and Health
> >>>>> Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex
> >>>> Fulcher,ou=School
> >>>>> of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health
> >>>>> Sciences,ou=Staff,o=Monash University,c=au'
> >>>>> ome.conditions.ValidationException: DNs don't match: 'cn=Alex
> >>>>> Fulcher,ou=Department of Biochemistry and Molecular
> Biology,ou=Faculty
> >> of
> >>>>> Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash
> >> University,c=au'
> >>>>> and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of
> >>>>> Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash
> >> University,c=au'
> >>>>> 2011-09-27 09:43:58,977 WARN  [
> >> ome.security.auth.LdapPasswordProvider]
> >>>>> (l.Server-7) DNs don't match: 'cn=Alex Fulcher,ou=Department of
> >>>> Biochemistry
> >>>>> and Molecular Biology,ou=Faculty of Medicine\, Nursing and Health
> >>>>> Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex
> >>>> Fulcher,ou=School
> >>>>> of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health
> >>>>> Sciences,ou=Staff,o=Monash University,c=au'
> >>>>> 2011-09-27 09:44:02,046 WARN  [
> >> ome.security.auth.LdapPasswordProvider]
> >>>>> (l.Server-7) DNs don't match: 'cn=Alex Fulcher,ou=Department of
> >>>> Biochemistry
> >>>>> and Molecular Biology,ou=Faculty of Medicine\, Nursing and Health
> >>>>> Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex
> >>>> Fulcher,ou=School
> >>>>> of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health
> >>>>> Sciences,ou=Staff,o=Monash University,c=au'
> >>>>> 2011-09-27 09:44:05,060 INFO  [
> >> ome.services.util.ServiceHandler]
> >>>>> (l.Server-7)  Excp:    ome.conditions.ValidationException: DNs don't
> >>>> match:
> >>>>> 'cn=Alex Fulcher,ou=Department of Biochemistry and Molecular
> >>>>> Biology,ou=Faculty of Medicine\, Nursing and Health
> >>>>> Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex
> >>>> Fulcher,ou=School
> >>>>> of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health
> >>>>> Sciences,ou=Staff,o=Monash University,c=au'
> >>>>> ome.conditions.ValidationException: DNs don't match: 'cn=Alex
> >>>>> Fulcher,ou=Department of Biochemistry and Molecular
> Biology,ou=Faculty
> >> of
> >>>>> Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash
> >> University,c=au'
> >>>>> and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of
> >>>>> Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash
> >> University,c=au'
> >>>>> 2011-09-27 14:53:20,124 INFO  [
> >> ome.services.util.ServiceHandler]
> >>>>> (l.Server-9)  Rslt:    cn=Alex Fulcher,ou=Department of Biochemistry
> >> and
> >>>>> Molecular Biology,ou=Faculty of Medicine\, Nursing and Health
> >>>>> Sciences,ou=Staff,o=Monash University,c=au
> >>>>>
> >>>>>
> >>>>> So, I've updated his DN (in the DB) to reflect what I can see in the
> >> LDAP
> >>>>> (without \):
> >>>>>
> >>>>> UPDATE password set dn = 'cn=Alex Fulcher,ou=School of Biomedical
> >>>>> Sciences,ou=Faculty of Medicine, Nursing and Health
> >>>>> Sciences,ou=Staff,o=Monash University,c=au' where
> experimenter_id=504;
> >>>>>
> >>>>> But he still can't connect, although in the webadmin panel I can see
> >> that
> >>>> DN
> >>>>> changed to 'cn=Alex Fulcher,ou=School of Biomedical
> Sciences,ou=Faculty
> >>>> of
> >>>>> Medicine, Nursing and Health Sciences,ou=Staff,o=Monash
> >> University,c=au'.
> >>>>>
> >>>>> Here is what I see in the logs:
> >>>>>
> >>>>> 2011-09-27 15:21:47,476 INFO  [
> >> ome.services.util.ServiceHandler]
> >>>>> (l.Server-7)  Executor.doWork --
> >>>>>
> >>
> ome.services.sessions.SessionManagerImpl.executeCheckPasswordRO(afulcher)
> >>>>> 2011-09-27 15:21:47,477 INFO  [
> >> ome.services.util.ServiceHandler]
> >>>>> (l.Server-7)  Args:    [null, InternalSF at 812610706]
> >>>>> 2011-09-27 15:21:47,478 INFO  [
> >> ome.security.basic.EventHandler]
> >>>>> (l.Server-7)  Auth:
> >>>>>
> >>>>
> >>
> user=0,group=0,event=null(Sessions),sess=95fa5807-9883-4ae1-9418-dbb1f7140b9d
> >>>>> 2011-09-27 15:21:47,524 WARN  [
> >> ome.security.auth.LdapPasswordProvider]
> >>>>> (l.Server-7) DNs don't match: 'cn=Alex Fulcher,ou=School of
> Biomedical
> >>>>> Sciences,ou=Faculty of Medicine, Nursing and Health
> >>>>> Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex
> >>>> Fulcher,ou=School
> >>>>> of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health
> >>>>> Sciences,ou=Staff,o=Monash University,c=au'
> >>>>> 2011-09-27 15:21:47,524 WARN  [
> >> ome.security.auth.LoginAttemptListener]
> >>>>> (l.Server-7) 21 failed logins for afulcher. Throttling for 3000
> >>>>> 2011-09-27 15:21:50,530 INFO  [
> >> org.perf4j.TimingLogger]
> >>>>> (l.Server-7) start[1317100907477] time[3053]
> >>>>>
> >>
> tag[omero.call.success.ome.services.sessions.SessionManagerImpl$8.doWork]
> >>>>> 2011-09-27 15:21:50,530 INFO  [
> >> ome.services.util.ServiceHandler]
> >>>>> (l.Server-7)  Rslt:    null
> >>>>> 2011-09-27 15:21:50,531 INFO  [
> >> ome.services.util.ServiceHandler]
> >>>>> (l.Server-7)  Executor.doWork --
> >>>>>
> >>
> ome.services.sessions.SessionManagerImpl.executeCheckPasswordRW(afulcher)
> >>>>> 2011-09-27 15:21:50,531 INFO  [
> >> ome.services.util.ServiceHandler]
> >>>>> (l.Server-7)  Args:    [null, InternalSF at 812610706]
> >>>>> 2011-09-27 15:21:50,558 INFO  [
> >> ome.security.basic.EventHandler]
> >>>>> (l.Server-7)  Auth:
> >>>>>
> >>>>
> >>
> user=0,group=0,event=61003(Sessions),sess=95fa5807-9883-4ae1-9418-dbb1f7140b9d
> >>>>> 2011-09-27 15:21:50,599 WARN  [
> >> ome.security.auth.LdapPasswordProvider]
> >>>>> (l.Server-7) DNs don't match: 'cn=Alex Fulcher,ou=School of
> Biomedical
> >>>>> Sciences,ou=Faculty of Medicine, Nursing and Health
> >>>>> Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex
> >>>> Fulcher,ou=School
> >>>>> of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health
> >>>>> Sciences,ou=Staff,o=Monash University,c=au'
> >>>>> 2011-09-27 15:21:50,599 WARN  [
> >> ome.security.auth.LoginAttemptListener]
> >>>>> (l.Server-7) 22 failed logins for afulcher. Throttling for 3000
> >>>>> 2011-09-27 15:21:53,613 INFO  [
> >> org.perf4j.TimingLogger]
> >>>>> (l.Server-7) start[1317100910531] time[3082]
> tag[omero.call.exception]
> >>>>> 2011-09-27 15:21:53,613 INFO  [
> >> ome.services.util.ServiceHandler]
> >>>>> (l.Server-7)  Excp:    ome.conditions.ValidationException: DNs don't
> >>>> match:
> >>>>> 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of
> >> Medicine,
> >>>>> Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' and
> >>>> 'cn=Alex
> >>>>> Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\,
> >> Nursing
> >>>>> and Health Sciences,ou=Staff,o=Monash University,c=au'
> >>>>> 2011-09-27 15:21:53,614 ERROR
> >> [services.blitz.fire.PermissionsVerifierI]
> >>>>> (l.Server-7) Exception thrown while checking password for:afulcher
> >>>>> ome.conditions.ValidationException: DNs don't match: 'cn=Alex
> >>>>> Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine,
> >> Nursing
> >>>> and
> >>>>> Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex
> >>>>> Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\,
> >> Nursing
> >>>>> and Health Sciences,ou=Staff,o=Monash University,c=au'
> >>>>>      at
> >>>>>
> >>>>
> >>
> ome.security.auth.LdapPasswordProvider.checkPassword(LdapPasswordProvider.java:126)
> >>>>>      at
> >>>>>
> >>>>
> >>
> ome.security.auth.PasswordProviders.checkPassword(PasswordProviders.java:42)
> >>>>>      at ome.logic.AdminImpl.checkPassword(AdminImpl.java:1194)
> >>>>>      at
> >>>>>
> >>>>
> >>
> ome.services.sessions.SessionManagerImpl$9.doWork(SessionManagerImpl.java:978)
> >>>>>      at sun.reflect.GeneratedMethodAccessor250.invoke(Unknown Source)
> >>>>>      at
> >>>>>
> >>>>
> >>
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> >>>>>      at java.lang.reflect.Method.invoke(Method.java:597)
> >>>>>      at
> >>>>>
> >>>>
> >>
> org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
> >>>>>      at
> >>>>>
> >>>>
> >>
> org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
> >>>>>      at
> >>>>>
> >>>>
> >>
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
> >>>>>      at
> >>>>> ome.services.util.Executor$Impl$Interceptor.invoke(Executor.java:440)
> >>>>>      at
> >>>>>
> >>>>
> >>
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
> >>>>>      at ome.security.basic.EventHandler.invoke(EventHandler.java:150)
> >>>>>      at
> >>>>>
> >>>>
> >>
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
> >>>>>      at
> >>>>>
> >>>>
> >>
> org.springframework.orm.hibernate3.HibernateInterceptor.invoke(HibernateInterceptor.java:111)
> >>>>>      at
> >>>>>
> >>>>
> >>
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
> >>>>>      at
> >>>>>
> >>>>
> >>
> org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:108)
> >>>>>      at
> >>>>>
> >>>>
> >>
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
> >>>>>      at
> >>>>>
> >>>>
> >>
> ome.tools.hibernate.ProxyCleanupFilter$Interceptor.invoke(ProxyCleanupFilter.java:231)
> >>>>>      at
> >>>>>
> >>>>
> >>
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
> >>>>>      at
> >>>> ome.services.util.ServiceHandler.invoke(ServiceHandler.java:116)
> >>>>>      at
> >>>>>
> >>>>
> >>
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
> >>>>>      at
> >>>>>
> >>>>
> >>
> org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
> >>>>>      at $Proxy64.doWork(Unknown Source)
> >>>>>      at ome.services.util.Executor$Impl.execute(Executor.java:371)
> >>>>>      at
> >>>>>
> >>>>
> >>
> ome.services.sessions.SessionManagerImpl.executeCheckPasswordRW(SessionManagerImpl.java:973)
> >>>>>      at
> >>>>>
> >>>>
> >>
> ome.services.sessions.SessionManagerImpl.executeCheckPassword(SessionManagerImpl.java:945)
> >>>>>      at
> >>>>>
> >>>>
> >>
> ome.services.sessions.SessionManagerImpl.executePasswordCheck(SessionManagerImpl.java:920)
> >>>>>      at
> >>>>>
> >>>>
> >>
> ome.services.blitz.fire.PermissionsVerifierI.checkPermissions(PermissionsVerifierI.java:135)
> >>>>>      at
> >>>>>
> >>>>
> >>
> Glacier2._PermissionsVerifierDisp.___checkPermissions(_PermissionsVerifierDisp.java:90)
> >>>>>      at
> >>>>>
> >>>>
> >>
> Glacier2._PermissionsVerifierDisp.__dispatch(_PermissionsVerifierDisp.java:118)
> >>>>>      at IceInternal.Incoming.invoke(Incoming.java:159)
> >>>>>      at Ice.ConnectionI.invokeAll(ConnectionI.java:2037)
> >>>>>      at Ice.ConnectionI.message(ConnectionI.java:972)
> >>>>>      at IceInternal.ThreadPool.run(ThreadPool.java:577)
> >>>>>      at IceInternal.ThreadPool.access$100(ThreadPool.java:12)
> >>>>>      at
> >>>>> IceInternal.ThreadPool$EventHandlerThread.run(ThreadPool.java:971)
> >>>>>
> >>>>> Any advice/solution?
>
> _______________________________________________
> ome-users mailing list
> ome-users at lists.openmicroscopy.org.uk
> http://lists.openmicroscopy.org.uk/mailman/listinfo/ome-users
>
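Editor's added example, not code from the thread or from OMERO. The exchange above turns on two things a practitioner hits when copying a DN from LDAP into an application database. First, the `\,` in `ou=Faculty of Medicine\, Nursing and Health Sciences` is RFC 4514 escaping of a comma inside an RDN value; drop the backslash and the string is no longer the same DN (it is not a well-formed DN at all, because ` Nursing and Health Sciences` has no attribute type). That is why the first UPDATE in the thread, written without the backslash, still failed the 4.3.2 "DNs don't match" check, and the second one, written as a PostgreSQL `E''` literal with a doubled backslash, worked. Second, the `E''` form is what makes PostgreSQL store a backslash verbatim regardless of `standard_conforming_strings`. The script below parses the DNs quoted in the thread with a small RFC 4514 parser, classifies a stored DN as match / mismatch / malformed against the LDAP value, and renders the literal. The parser and its comparison policy (case-insensitive attribute types, casefolded values with collapsed spaces, roughly what caseIgnoreMatch does for cn/ou/o/c) are this example's own assumptions; the OMERO check in the log rejects the two strings as plain text, which is stricter still.

```python
"""Check an application's stored LDAP DN against the DN LDAP reports.

Added illustration for the thread above; not OMERO's own code.  The DNs are
the ones quoted in the thread; the parser, the comparison policy and the
PostgreSQL literal helper are this example's own (assumptions, not OMERO API).
"""

HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_dn(dn: str) -> list[tuple[str, str]]:
    r"""Split an RFC 4514 DN string into (attributeType, value) pairs.

    Backslash escapes are honoured: '\,' yields a literal comma inside the
    value, '\\' a backslash, and '\41' the ASCII character 0x41 (hex pairs are
    decoded as single ASCII code points only).  A component with no '='
    raises ValueError, which is exactly what an unescaped comma in the middle
    of a value produces.  Multi-valued RDNs joined with '+' are not split.
    """
    rdns: list[tuple[str, str]] = []
    attr: list[str] = []
    value: list[str] = []
    in_value = False
    i, n = 0, len(dn)
    while i < n:
        c = dn[i]
        target = value if in_value else attr
        if c == "\\":
            if i + 1 >= n:
                raise ValueError("dangling backslash at end of DN")
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and set(pair) <= HEX_DIGITS:
                target.append(chr(int(pair, 16)))   # hex-pair escape
                i += 3
            else:
                target.append(dn[i + 1])            # escaped special character
                i += 2
            continue
        if c == "=" and not in_value:
            in_value = True
        elif c == ",":
            if not in_value:
                raise ValueError(f"component without '=' before offset {i}: {dn[:i]!r}")
            rdns.append(("".join(attr).strip(), "".join(value)))
            attr, value, in_value = [], [], False
        else:
            target.append(c)
        i += 1
    if not in_value:
        raise ValueError("trailing component without '='")
    rdns.append(("".join(attr).strip(), "".join(value)))
    return rdns


def canonical(rdns: list[tuple[str, str]]) -> tuple[tuple[str, str], ...]:
    """Normalise parsed RDNs for comparison.  Attribute types are
    case-insensitive in LDAP; casefolding values and collapsing runs of
    spaces approximates caseIgnoreMatch for cn/ou/o/c.  This policy is an
    assumption of the example; a stricter check compares values verbatim."""
    return tuple((t.lower(), " ".join(v.casefold().split())) for t, v in rdns)


def compare_stored_dn(stored: str, from_ldap: str) -> str:
    """Classify the application's stored DN: 'match', 'mismatch' or 'malformed'."""
    try:
        parsed_stored = canonical(parse_dn(stored))
    except ValueError:
        return "malformed"
    return "match" if parsed_stored == canonical(parse_dn(from_ldap)) else "mismatch"


def pg_e_literal(value: str) -> str:
    """Render a PostgreSQL E'...' string literal: backslashes doubled, quotes
    doubled, so the stored text keeps every backslash whatever
    standard_conforming_strings is set to."""
    return "E'" + value.replace("\\", "\\\\").replace("'", "''") + "'"


# DNs as quoted in the thread (the Python string escaping is the only addition).
LDAP_DN = ("cn=Alex Fulcher,ou=School of Biomedical Sciences,"
           "ou=Faculty of Medicine\\, Nursing and Health Sciences,"
           "ou=Staff,o=Monash University,c=au")
OLD_OMERO_DN = ("cn=Alex Fulcher,ou=Department of Biochemistry and Molecular Biology,"
                "ou=Faculty of Medicine\\, Nursing and Health Sciences,"
                "ou=Staff,o=Monash University,c=au")
UNESCAPED_DN = LDAP_DN.replace("\\,", ",")   # what the first UPDATE stored

if __name__ == "__main__":
    for label, stored in (("old department", OLD_OMERO_DN),
                          ("unescaped copy", UNESCAPED_DN),
                          ("escaped copy", LDAP_DN)):
        print(f"{label:15s}: {compare_stored_dn(stored, LDAP_DN)}")
    print("UPDATE password SET dn = " + pg_e_literal(LDAP_DN)
          + " WHERE experimenter_id = 504;")
```

Running the script prints `malformed` for the unescaped copy, `mismatch` for the pre-upgrade department DN and `match` for the escaped copy, then the UPDATE statement with `Medicine\\, Nursing` inside the `E''` literal, which PostgreSQL stores as the single backslash LDAP returns. Using `setdn` as the root user, as Josh describes, avoids hand-writing that literal at all.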