<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif;" dir="ltr">
Hi Kenny,<br>
<br>
Thanks for the clarification wrt LDAP/local users. <br>
<br>
I agree with you that there is something messing up the secure LDAP query. For the time being, I've dropped back to ldap instead of ldaps and at least users can access their data.<br>
<br>
Best,<br>
<br>
Dave<br>
<br>
<br>
<div style="color: rgb(0, 0, 0);"><font size="2"><span style="font-size:10pt;">
<div class="PlainText">Date: Wed, 26 Jul 2017 15:17:27 +0000<br>
From: "Kenneth Gillen (Staff)" <k.h.gillen@dundee.ac.uk><br>
To: OME User Support List <ome-users@lists.openmicroscopy.org.uk><br>
Subject: Re: [ome-users] LDAP : Path does not chain with any of the<br>
trust anchors<br>
Message-ID: <D59E5885.86006%k.h.gillen@dundee.ac.uk><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Hi Dave,<br>
<br>
I?ll start, but I?m sure others in the community will be able to add more.<br>
<br>
>1) Any thoughts on why this might happen (my IT department say nothing<br>
>has changed on their side - and in fairness my other LDAP calls work - ie<br>
>on another server)<br>
<br>
I?d have guessed at some certificate expiry in the chain, but if they?re<br>
sure nothing changed, we?ll have to work through the certs anyway.<br>
<br>
The first thing I?d do would be to verify what certificate you need<br>
to install to communicate with the LDAP server, and make sure it?s added<br>
to a java keystore which OMERO can access. [1], [2].<br>
<br>
You can use `ldapsearch` on the command line to verify access to the<br>
directory, [3], [4]<br>
<br>
<br>
>2) I tried setting [omero.ldap.config=false] hoping that the logins would<br>
>fall back to the cached database but I get the same error on login. Is<br>
>this expected behaviour?<br>
<br>
Yes, this is expected. I would set `omero.ldap.config=false` when I wanted<br>
to disable LDAP auth for testing, and use local OMERO users instead. I use<br>
local OMERO credentials when that setting is false, for accounts which<br>
would otherwise be ldap accounts, rather than any cached credentials.<br>
<br>
[1]<br>
<a href="https://docs.openmicroscopy.org/omero/5.3.3/sysadmins/server-ldap.html#ldap">https://docs.openmicroscopy.org/omero/5.3.3/sysadmins/server-ldap.html#ldap</a><br>
-over-ssl<br>
[2]<br>
<a href="https://docs.openmicroscopy.org/omero/5.3.3/sysadmins/server-security.html#">https://docs.openmicroscopy.org/omero/5.3.3/sysadmins/server-security.html#</a><br>
java-key-and-truststores<br>
[3]<br>
<a href="https://docs.oracle.com/cd/E22289_01/html/821-1273/testing-ssl-starttls-and">https://docs.oracle.com/cd/E22289_01/html/821-1273/testing-ssl-starttls-and</a><br>
-sasl.html<br>
[4] <a href="https://www.openmicroscopy.org/community/viewtopic.php?f=5&t=7348">https://www.openmicroscopy.org/community/viewtopic.php?f=5&t=7348</a><br>
<br>
All the best,<br>
<br>
Kenny<br>
<br>
--<br>
<br>
Kenneth Gillen<br>
<br>
OME System Administrator<br>
<br>
Wellcome Trust Centre for Gene Regulation & Expression<br>
School of Life Sciences<br>
CTIR 2<br>
University of Dundee<br>
Dow Street<br>
Dundee DD1 5EH<br>
United Kingdom<br>
<br>
Tel: +44 (0) 1382 388797<br>
<br>
<br>
<a href="http://www.twitter.com/openmicroscopy">http://www.twitter.com/openmicroscopy</a><br>
<br>
<br>
<br>
<br>
<br>
From: ome-users <ome-users-bounces@lists.openmicroscopy.org.uk> on behalf<br>
of "Mason, David [dnmason]" <D.N.Mason@liverpool.ac.uk><br>
Reply-To: OME User Support List <ome-users@lists.openmicroscopy.org.uk><br>
Date: Wednesday, 26 July 2017 14:17<br>
To: "ome-users@lists.openmicroscopy.org.uk"<br>
<ome-users@lists.openmicroscopy.org.uk><br>
Subject: [ome-users] LDAP : Path does not chain with any of the trust<br>
anchors<br>
<br>
<br>
Hello List,<br>
<br>
I'm running OMERO 5.3.1-ice36-b61 on a Ubuntu 14.04LTS server<br>
authenticating with LDAP. Just last week, an LDAP user noticed that they<br>
couldn't log in (Error user-side is<br>
"Error: Connection not available, please check your user name and<br>
password.". I checked the logs and I'm getting the following bind failure:<br>
<br>
2017-07-24 10:56:38,787 ERROR [ o.s.blitz.fire.PermissionsVerifierI]<br>
(erver-2819) Exception thrown while checking password for:[myUserName]<br>
ome.conditions.InternalException: Wrapped Exception:<br>
(org.springframework.ldap.CommunicationException):<br>
<br>
simple bind failed: [myServer]:636; nested exception is<br>
javax.naming.CommunicationException: simple bind failed:<br>
[myServer]:636 [Root exception is javax.net.ssl.SSLHandshakeException:<br>
sun.security.validator.ValidatorException: PKIX path validation failed:<br>
java.security.cert.CertPathValidatorException: Path does not chain with<br>
any of the trust anchors]<br>
<br>
Local users can still log in (same with Public), but LDAP is failing for a<br>
reason unbeknown to me.<br>
<br>
Two questions:<br>
1) Any thoughts on why this might happen (my IT department say nothing has<br>
changed on their side - and in fairness my other LDAP calls work - ie on<br>
another server)<br>
2) I tried setting [omero.ldap.config=false] hoping that the logins would<br>
fall back to the cached database but I get the same error on login. Is<br>
this expected behaviour?<br>
<br>
Any thoughts appreciated,<br>
<br>
Dave<br>
<br>
<br>
The University of Dundee is a registered Scottish Charity, No: SC015096<br>
<br>
<br>
</div>
</span></font></div>
</div>
</body>
</html>