<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from text --><style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
</head>
<body>
<meta content="text/html; charset=UTF-8">
<style type="text/css" style="">
<!--
p
{margin-top:0;
margin-bottom:0}
-->
</style>
<div dir="ltr">
<div id="x_divtagdefaultwrapper" dir="ltr" style="font-size:12pt; color:#000000; font-family:Calibri,Arial,Helvetica,sans-serif">
<p>Hoping to make some time for it this week, as I've now been issued a new certificate.<br>
</p>
<p><br>
</p>
<p>Thanks for checking in, will post back with results.</p>
<p><br>
</p>
<p>Dave<br>
</p>
</div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> ome-users <ome-users-bounces@lists.openmicroscopy.org.uk> on behalf of Josh Moore <josh@glencoesoftware.com><br>
<b>Sent:</b> 10 August 2017 14:08:23<br>
<b>To:</b> OME User Support List<br>
<b>Subject:</b> Re: [ome-users] LDAP : Path does not chain with any of the trust anchors</font>
<div> </div>
</div>
</div>
<font size="2"><span style="font-size:10pt;">
<div class="PlainText">Hi Dave,<br>
<br>
On Mon, Jul 31, 2017 at 3:27 PM, Mason, David [dnmason]<br>
<D.N.Mason@liverpool.ac.uk> wrote:<br>
> Hi Kenny,<br>
><br>
> Thanks for the clarification wrt LDAP/local users.<br>
><br>
> I agree with you that there is something messing up the secure LDAP query.<br>
> For the time being, I've dropped back to ldap instead of ldaps and at least<br>
> users can access their data.<br>
<br>
Did you have success getting back to LDAPS?<br>
<br>
Cheers,<br>
~Josh.<br>
<br>
<br>
> Best,<br>
> Dave<br>
><br>
><br>
> Date: Wed, 26 Jul 2017 15:17:27 +0000<br>
> From: "Kenneth Gillen (Staff)" <k.h.gillen@dundee.ac.uk><br>
> To: OME User Support List <ome-users@lists.openmicroscopy.org.uk><br>
> Subject: Re: [ome-users] LDAP : Path does not chain with any of the<br>
> trust anchors<br>
> Message-ID: <D59E5885.86006%k.h.gillen@dundee.ac.uk><br>
> Content-Type: text/plain; charset="utf-8"<br>
><br>
> Hi Dave,<br>
><br>
> I?ll start, but I?m sure others in the community will be able to add more.<br>
><br>
>>1) Any thoughts on why this might happen (my IT department say nothing<br>
>>has changed on their side - and in fairness my other LDAP calls work - ie<br>
>>on another server)<br>
><br>
> I?d have guessed at some certificate expiry in the chain, but if they?re<br>
> sure nothing changed, we?ll have to work through the certs anyway.<br>
><br>
> The first thing I?d do would be to verify what certificate you need<br>
> to install to communicate with the LDAP server, and make sure it?s added<br>
><br>
> to a java keystore which OMERO can access. [1], [2].<br>
><br>
> You can use `ldapsearch` on the command line to verify access to the<br>
> directory, [3], [4]<br>
><br>
><br>
>>2) I tried setting [omero.ldap.config=false] hoping that the logins would<br>
>>fall back to the cached database but I get the same error on login. Is<br>
>>this expected behaviour?<br>
><br>
> Yes, this is expected. I would set `omero.ldap.config=false` when I wanted<br>
> to disable LDAP auth for testing, and use local OMERO users instead. I use<br>
> local OMERO credentials when that setting is false, for accounts which<br>
> would otherwise be ldap accounts, rather than any cached credentials.<br>
><br>
> [1]<br>
> <a href="https://docs.openmicroscopy.org/omero/5.3.3/sysadmins/server-ldap.html#ldap">
https://docs.openmicroscopy.org/omero/5.3.3/sysadmins/server-ldap.html#ldap</a><br>
> -over-ssl<br>
> [2]<br>
> <a href="https://docs.openmicroscopy.org/omero/5.3.3/sysadmins/server-security.html#">
https://docs.openmicroscopy.org/omero/5.3.3/sysadmins/server-security.html#</a><br>
> java-key-and-truststores<br>
> [3]<br>
> <a href="https://docs.oracle.com/cd/E22289_01/html/821-1273/testing-ssl-starttls-and">
https://docs.oracle.com/cd/E22289_01/html/821-1273/testing-ssl-starttls-and</a><br>
> -sasl.html<br>
> [4] <a href="https://www.openmicroscopy.org/community/viewtopic.php?f=5&t=7348">
https://www.openmicroscopy.org/community/viewtopic.php?f=5&t=7348</a><br>
><br>
> All the best,<br>
><br>
> Kenny<br>
><br>
> --<br>
><br>
> Kenneth Gillen<br>
><br>
> OME System Administrator<br>
><br>
> Wellcome Trust Centre for Gene Regulation & Expression<br>
> School of Life Sciences<br>
> CTIR 2<br>
> University of Dundee<br>
> Dow Street<br>
> Dundee DD1 5EH<br>
> United Kingdom<br>
><br>
> Tel: +44 (0) 1382 388797<br>
><br>
><br>
> <a href="http://www.twitter.com/openmicroscopy">http://www.twitter.com/openmicroscopy</a><br>
><br>
><br>
><br>
><br>
><br>
> From: ome-users <ome-users-bounces@lists.openmicroscopy.org.uk> on behalf<br>
> of "Mason, David [dnmason]" <D.N.Mason@liverpool.ac.uk><br>
> Reply-To: OME User Support List <ome-users@lists.openmicroscopy.org.uk><br>
> Date: Wednesday, 26 July 2017 14:17<br>
> To: "ome-users@lists.openmicroscopy.org.uk"<br>
> <ome-users@lists.openmicroscopy.org.uk><br>
> Subject: [ome-users] LDAP : Path does not chain with any of the trust<br>
> anchors<br>
><br>
><br>
> Hello List,<br>
><br>
> I'm running OMERO 5.3.1-ice36-b61 on a Ubuntu 14.04LTS server<br>
> authenticating with LDAP. Just last week, an LDAP user noticed that they<br>
> couldn't log in (Error user-side is<br>
> "Error: Connection not available, please check your user name and<br>
> password.". I checked the logs and I'm getting the following bind failure:<br>
><br>
> 2017-07-24 10:56:38,787 ERROR [ o.s.blitz.fire.PermissionsVerifierI]<br>
> (erver-2819) Exception thrown while checking password for:[myUserName]<br>
> ome.conditions.InternalException: Wrapped Exception:<br>
> (org.springframework.ldap.CommunicationException):<br>
><br>
> simple bind failed: [myServer]:636; nested exception is<br>
> javax.naming.CommunicationException: simple bind failed:<br>
> [myServer]:636 [Root exception is javax.net.ssl.SSLHandshakeException:<br>
> sun.security.validator.ValidatorException: PKIX path validation failed:<br>
> java.security.cert.CertPathValidatorException: Path does not chain with<br>
> any of the trust anchors]<br>
><br>
> Local users can still log in (same with Public), but LDAP is failing for a<br>
> reason unbeknown to me.<br>
><br>
> Two questions:<br>
> 1) Any thoughts on why this might happen (my IT department say nothing has<br>
> changed on their side - and in fairness my other LDAP calls work - ie on<br>
> another server)<br>
> 2) I tried setting [omero.ldap.config=false] hoping that the logins would<br>
> fall back to the cached database but I get the same error on login. Is<br>
> this expected behaviour?<br>
><br>
> Any thoughts appreciated,<br>
><br>
> Dave<br>
><br>
><br>
> The University of Dundee is a registered Scottish Charity, No: SC015096<br>
><br>
><br>
><br>
> _______________________________________________<br>
> ome-users mailing list<br>
> ome-users@lists.openmicroscopy.org.uk<br>
> <a href="http://lists.openmicroscopy.org.uk/mailman/listinfo/ome-users">http://lists.openmicroscopy.org.uk/mailman/listinfo/ome-users</a><br>
><br>
_______________________________________________<br>
ome-users mailing list<br>
ome-users@lists.openmicroscopy.org.uk<br>
<a href="http://lists.openmicroscopy.org.uk/mailman/listinfo/ome-users">http://lists.openmicroscopy.org.uk/mailman/listinfo/ome-users</a><br>
</div>
</span></font>
</body>
</html>