<div dir="ltr"><div>Hello Josh,</div><div><br></div><div>Thanks.</div><div>I've tried your syntax but it didn't work (using a dummy password as I don't know the user's LDAP password):</div><div><br></div>[omero@vera143 ~]$ /srv/omeroserver/bin/omero ldap setdn afulcher 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'<br>


Server: [localhost]<br>Username: [omero]afulcher<br>Password:<br>Internal error. Please contact your administrator:<br>DNs don't match: 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'<br>


Password:<br>Internal error. Please contact your administrator:<br>DNs don't match: 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'<br>


Password:<br>3 incorrect password attempts<br><br>So I just changed the dn in the DB like this:<br><br>UPDATE password set dn = E'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' where experimenter_id=504;<br>


<br>And confirmed the result:<div>Select * from password where experimenter_id=504;</div><div><br></div><div>The user was able to login then!!!!<br><br>But I decided to try the syntax of the command line again:<br>[omero@vera143 log]$ /srv/omeroserver/bin/omero ldap setdn afulcher 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'<br>


Server: [localhost]<br>Username: [omero]afulcher<br>Password:<br>Password check failed for 'afulcher': [id=504]<br>Password:<br>Password check failed for 'afulcher': [id=504]<br>Password:<br>3 incorrect password attempts</div>

<div><br></div><div>Am I doing something wrong on the command line here?<br>
<br clear="all"><div dir="ltr"><span style="font-family:arial,sans-serif;font-size:13px;border-collapse:collapse;color:rgb(80, 0, 80)"><div>Cheers,</div><div>Leon Kolchinsky</div><div>Senior Software Specialist (Collaborative Applications)<br>


ITS Research Support Services<br>Monash e-Research Centre (MeRC)<br></div>Monash University</span><div><font color="#500050" face="arial, sans-serif"><span style="border-collapse:collapse">tel: <a href="tel:%2B61%203%2099059560" value="+61399059560" target="_blank">+61 3 99059560</a></span></font></div>


</div><br>
<br><br><div class="gmail_quote">On Tue, Sep 27, 2011 at 21:02, Josh Moore <span dir="ltr"><<a href="mailto:josh@glencoesoftware.com" target="_blank">josh@glencoesoftware.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex">


Hi Leon,<br>
<br>
the LDAP login code was indeed changed for 4.3.2 because of possible security issues[#6248]. Part of this included disallowing differing DNs between LDAP and OMERO:<br>
<div><br>
  'cn=Alex Fulcher,ou=Department of Biochemistry and Molecular Biology,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'<br>
<br>
</div><div>  'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'<br>
<br>
</div>The first value is the current DN for afulcher in OMERO; the second is the current DN for the user in LDAP. It looks pretty clear that this is a case of a minor change in LDAP. You can update afulcher's DN by using setdn:<br>



<br>
  bin/omero ldap setdn afulcher 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'<br>
<br>
Cheers,<br>
~Josh<br>
<br>
[#6248] <a href="https://trac.openmicroscopy.org.uk/ome/ticket/6248" target="_blank">https://trac.openmicroscopy.org.uk/ome/ticket/6248</a><br>
<div><div></div><div><br>
<br>
On Sep 27, 2011, at 7:34 AM, Leon Kolchinsky wrote:<br>
<br>
> Hello,<br>
><br>
> I've upgraded a previous version of OMERO to 4.3.2 and got complaints from a<br>
> user that he can't log in to the server.<br>
> That's what I can see through the logs:<br>
><br>
> 2011-09-27 09:42:52,813 INFO  [        ome.services.util.ServiceHandler]<br>
> (l.Server-2)  Excp:    ome.conditions.ValidationException: DNs don't match:<br>
> 'cn=Alex Fulcher,ou=Department of Biochemistry and Molecular<br>
> Biology,ou=Faculty of Medicine\, Nursing and Health<br>
> Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School<br>
> of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health<br>
> Sciences,ou=Staff,o=Monash University,c=au'<br>
> ome.conditions.ValidationException: DNs don't match: 'cn=Alex<br>
> Fulcher,ou=Department of Biochemistry and Molecular Biology,ou=Faculty of<br>
> Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'<br>
> and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of<br>
> Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'<br>
> 2011-09-27 09:43:58,977 WARN  [  ome.security.auth.LdapPasswordProvider]<br>
> (l.Server-7) DNs don't match: 'cn=Alex Fulcher,ou=Department of Biochemistry<br>
> and Molecular Biology,ou=Faculty of Medicine\, Nursing and Health<br>
> Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School<br>
> of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health<br>
> Sciences,ou=Staff,o=Monash University,c=au'<br>
> 2011-09-27 09:44:02,046 WARN  [  ome.security.auth.LdapPasswordProvider]<br>
> (l.Server-7) DNs don't match: 'cn=Alex Fulcher,ou=Department of Biochemistry<br>
> and Molecular Biology,ou=Faculty of Medicine\, Nursing and Health<br>
> Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School<br>
> of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health<br>
> Sciences,ou=Staff,o=Monash University,c=au'<br>
> 2011-09-27 09:44:05,060 INFO  [        ome.services.util.ServiceHandler]<br>
> (l.Server-7)  Excp:    ome.conditions.ValidationException: DNs don't match:<br>
> 'cn=Alex Fulcher,ou=Department of Biochemistry and Molecular<br>
> Biology,ou=Faculty of Medicine\, Nursing and Health<br>
> Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School<br>
> of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health<br>
> Sciences,ou=Staff,o=Monash University,c=au'<br>
> ome.conditions.ValidationException: DNs don't match: 'cn=Alex<br>
> Fulcher,ou=Department of Biochemistry and Molecular Biology,ou=Faculty of<br>
> Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'<br>
> and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of<br>
> Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'<br>
> 2011-09-27 14:53:20,124 INFO  [        ome.services.util.ServiceHandler]<br>
> (l.Server-9)  Rslt:    cn=Alex Fulcher,ou=Department of Biochemistry and<br>
> Molecular Biology,ou=Faculty of Medicine\, Nursing and Health<br>
> Sciences,ou=Staff,o=Monash University,c=au<br>
><br>
><br>
> So, I've updated his DN (in the DB) to reflect what I can see in the LDAP<br>
> (without \):<br>
><br>
> UPDATE password set dn = 'cn=Alex Fulcher,ou=School of Biomedical<br>
> Sciences,ou=Faculty of Medicine, Nursing and Health<br>
> Sciences,ou=Staff,o=Monash University,c=au' where experimenter_id=504;<br>
><br>
> But he still can't connect, although in the webadmin panel I can see that DN<br>
> changed to 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of<br>
> Medicine, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'.<br>
><br>
> Here is what I see in the logs:<br>
><br>
> 2011-09-27 15:21:47,476 INFO  [        ome.services.util.ServiceHandler]<br>
> (l.Server-7)  Executor.doWork --<br>
> ome.services.sessions.SessionManagerImpl.executeCheckPasswordRO(afulcher)<br>
> 2011-09-27 15:21:47,477 INFO  [        ome.services.util.ServiceHandler]<br>
> (l.Server-7)  Args:    [null, InternalSF@812610706]<br>
> 2011-09-27 15:21:47,478 INFO  [         ome.security.basic.EventHandler]<br>
> (l.Server-7)  Auth:<br>
> user=0,group=0,event=null(Sessions),sess=95fa5807-9883-4ae1-9418-dbb1f7140b9d<br>
> 2011-09-27 15:21:47,524 WARN  [  ome.security.auth.LdapPasswordProvider]<br>
> (l.Server-7) DNs don't match: 'cn=Alex Fulcher,ou=School of Biomedical<br>
> Sciences,ou=Faculty of Medicine, Nursing and Health<br>
> Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School<br>
> of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health<br>
> Sciences,ou=Staff,o=Monash University,c=au'<br>
> 2011-09-27 15:21:47,524 WARN  [  ome.security.auth.LoginAttemptListener]<br>
> (l.Server-7) 21 failed logins for afulcher. Throttling for 3000<br>
> 2011-09-27 15:21:50,530 INFO  [                 org.perf4j.TimingLogger]<br>
> (l.Server-7) start[1317100907477] time[3053]<br>
> tag[omero.call.success.ome.services.sessions.SessionManagerImpl$8.doWork]<br>
> 2011-09-27 15:21:50,530 INFO  [        ome.services.util.ServiceHandler]<br>
> (l.Server-7)  Rslt:    null<br>
> 2011-09-27 15:21:50,531 INFO  [        ome.services.util.ServiceHandler]<br>
> (l.Server-7)  Executor.doWork --<br>
> ome.services.sessions.SessionManagerImpl.executeCheckPasswordRW(afulcher)<br>
> 2011-09-27 15:21:50,531 INFO  [        ome.services.util.ServiceHandler]<br>
> (l.Server-7)  Args:    [null, InternalSF@812610706]<br>
> 2011-09-27 15:21:50,558 INFO  [         ome.security.basic.EventHandler]<br>
> (l.Server-7)  Auth:<br>
> user=0,group=0,event=61003(Sessions),sess=95fa5807-9883-4ae1-9418-dbb1f7140b9d<br>
> 2011-09-27 15:21:50,599 WARN  [  ome.security.auth.LdapPasswordProvider]<br>
> (l.Server-7) DNs don't match: 'cn=Alex Fulcher,ou=School of Biomedical<br>
> Sciences,ou=Faculty of Medicine, Nursing and Health<br>
> Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School<br>
> of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health<br>
> Sciences,ou=Staff,o=Monash University,c=au'<br>
> 2011-09-27 15:21:50,599 WARN  [  ome.security.auth.LoginAttemptListener]<br>
> (l.Server-7) 22 failed logins for afulcher. Throttling for 3000<br>
> 2011-09-27 15:21:53,613 INFO  [                 org.perf4j.TimingLogger]<br>
> (l.Server-7) start[1317100910531] time[3082] tag[omero.call.exception]<br>
> 2011-09-27 15:21:53,613 INFO  [        ome.services.util.ServiceHandler]<br>
> (l.Server-7)  Excp:    ome.conditions.ValidationException: DNs don't match:<br>
> 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine,<br>
> Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex<br>
> Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing<br>
> and Health Sciences,ou=Staff,o=Monash University,c=au'<br>
> 2011-09-27 15:21:53,614 ERROR [services.blitz.fire.PermissionsVerifierI]<br>
> (l.Server-7) Exception thrown while checking password for:afulcher<br>
> ome.conditions.ValidationException: DNs don't match: 'cn=Alex<br>
> Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine, Nursing and<br>
> Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex<br>
> Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing<br>
> and Health Sciences,ou=Staff,o=Monash University,c=au'<br>
>        at<br>
> ome.security.auth.LdapPasswordProvider.checkPassword(LdapPasswordProvider.java:126)<br>
>        at<br>
> ome.security.auth.PasswordProviders.checkPassword(PasswordProviders.java:42)<br>
>        at ome.logic.AdminImpl.checkPassword(AdminImpl.java:1194)<br>
>        at<br>
> ome.services.sessions.SessionManagerImpl$9.doWork(SessionManagerImpl.java:978)<br>
>        at sun.reflect.GeneratedMethodAccessor250.invoke(Unknown Source)<br>
>        at<br>
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)<br>
>        at java.lang.reflect.Method.invoke(Method.java:597)<br>
>        at<br>
> org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)<br>
>        at<br>
> org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)<br>
>        at<br>
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)<br>
>        at<br>
> ome.services.util.Executor$Impl$Interceptor.invoke(Executor.java:440)<br>
>        at<br>
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)<br>
>        at ome.security.basic.EventHandler.invoke(EventHandler.java:150)<br>
>        at<br>
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)<br>
>        at<br>
> org.springframework.orm.hibernate3.HibernateInterceptor.invoke(HibernateInterceptor.java:111)<br>
>        at<br>
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)<br>
>        at<br>
> org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:108)<br>
>        at<br>
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)<br>
>        at<br>
> ome.tools.hibernate.ProxyCleanupFilter$Interceptor.invoke(ProxyCleanupFilter.java:231)<br>
>        at<br>
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)<br>
>        at ome.services.util.ServiceHandler.invoke(ServiceHandler.java:116)<br>
>        at<br>
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)<br>
>        at<br>
> org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)<br>
>        at $Proxy64.doWork(Unknown Source)<br>
>        at ome.services.util.Executor$Impl.execute(Executor.java:371)<br>
>        at<br>
> ome.services.sessions.SessionManagerImpl.executeCheckPasswordRW(SessionManagerImpl.java:973)<br>
>        at<br>
> ome.services.sessions.SessionManagerImpl.executeCheckPassword(SessionManagerImpl.java:945)<br>
>        at<br>
> ome.services.sessions.SessionManagerImpl.executePasswordCheck(SessionManagerImpl.java:920)<br>
>        at<br>
> ome.services.blitz.fire.PermissionsVerifierI.checkPermissions(PermissionsVerifierI.java:135)<br>
>        at<br>
> Glacier2._PermissionsVerifierDisp.___checkPermissions(_PermissionsVerifierDisp.java:90)<br>
>        at<br>
> Glacier2._PermissionsVerifierDisp.__dispatch(_PermissionsVerifierDisp.java:118)<br>
>        at IceInternal.Incoming.invoke(Incoming.java:159)<br>
>        at Ice.ConnectionI.invokeAll(ConnectionI.java:2037)<br>
>        at Ice.ConnectionI.message(ConnectionI.java:972)<br>
>        at IceInternal.ThreadPool.run(ThreadPool.java:577)<br>
>        at IceInternal.ThreadPool.access$100(ThreadPool.java:12)<br>
>        at<br>
> IceInternal.ThreadPool$EventHandlerThread.run(ThreadPool.java:971)<br>
><br>
> Any advice/solution?<br>
><br>
> Cheers,<br>
> Leon Kolchinsky<br>
> Senior Software Specialist (Collaborative Applications)<br>
> ITS Research Support Services<br>
> Monash e-Research Centre (MeRC)<br>
> Monash University<br>
> tel: <a href="tel:%2B61%203%2099059560" value="+61399059560" target="_blank">+61 3 99059560</a><br>
</div></div>> _______________________________________________<br>
> ome-users mailing list<br>
> <a href="mailto:ome-users@lists.openmicroscopy.org.uk" target="_blank">ome-users@lists.openmicroscopy.org.uk</a><br>
> <a href="http://lists.openmicroscopy.org.uk/mailman/listinfo/ome-users" target="_blank">http://lists.openmicroscopy.org.uk/mailman/listinfo/ome-users</a><br>
<br>
<br></blockquote></div><br></div></div>
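<div>Why the unescaped DN written by the first UPDATE could not match the directory's value, as an added example (not OMERO's code and not posted by anyone in this thread): a minimal RFC 4514-style parser in which <code>\,</code> is a literal comma inside a value and a bare comma ends an RDN. The function names are hypothetical; multi-valued RDNs (<code>+</code>) and whitespace trimming of values are not handled.</div>

```python
import re

ESCAPE = re.compile(rb"\\([0-9A-Fa-f]{2}|.)")
# DN as the directory returns it in the thread, plus two variants built from it.
LDAP_DN = (r"cn=Alex Fulcher,ou=School of Biomedical Sciences,"
           r"ou=Faculty of Medicine\, Nursing and Health Sciences,"
           r"ou=Staff,o=Monash University,c=au")
STORED_UNESCAPED = LDAP_DN.replace("\\,", ",")  # what the first UPDATE stored
HEX_FORM = LDAP_DN.replace("\\,", "\\2C")       # constructed: same DN, hex escape

def split_rdns(dn):
    """Split on commas that are not part of a backslash escape."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])   # keep the escape; unescape() decodes it
            i += 2
        elif dn[i] == ",":
            parts.append("".join(buf))
            buf, i = [], i + 1
        else:
            buf.append(dn[i])
            i += 1
    return parts + ["".join(buf)]

def unescape(value):
    """Decode \\<hex pair> and \\<char> escapes to the literal value."""
    decode = lambda m: bytes([int(m[1], 16)]) if len(m[1]) == 2 else m[1]
    return ESCAPE.sub(decode, value.encode()).decode("utf-8")

def parse_dn(dn):
    """Return [(attribute, value), ...]; raise ValueError on a part without '='."""
    rdns = []
    for part in split_rdns(dn):
        attr, eq, value = part.partition("=")
        if not eq:
            raise ValueError(f"not an RDN (no '='): {part!r}")
        rdns.append((attr.strip().lower(), unescape(value)))
    return rdns

def same_dn(a, b):
    """Compare parsed DNs; a string that does not parse matches nothing."""
    try:
        return parse_dn(a) == parse_dn(b)
    except ValueError:
        return False

if __name__ == "__main__":
    print(same_dn(LDAP_DN, HEX_FORM), same_dn(LDAP_DN, STORED_UNESCAPED))  # True False
```

<div>The unescaped string splits into a seventh part, " Nursing and Health Sciences", that has no attribute type. The UPDATE that worked in the thread uses a PostgreSQL E'' string, where <code>\\,</code> stores a single backslash before the comma.</div>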