[ome-devel] LDAP error logging
Josh Moore
josh at glencoesoftware.com
Mon Jan 17 19:30:36 GMT 2011
On Jan 17, 2011, at 7:44 PM, McCaughey, Michael J wrote:
> Hello-
Hi Mike,
> I'm trying to configure ldap support on 4.2.2 (platform is fedora 12). Our local ldap service is functional, and my test server can at least ping it. I can execute ldapsearch from a command line using the same credentials I provide in omero.properties, so I think that's correct. Using ldapsearch with known good username and the existing filter as specified in omero.properties (i.e. (&(objectClass=person)(uid=cisr1))) returns a single result.
> Java truststore has the CA of the provider (all that is required to reach our ldap box) plus local; keystore is set up as well.
>
> When I try to logon with users known to ldap from the insight client, I either get a logon failure or the client hangs forever. In the case of the logon error, I can see from the log file that it's trying to vet the password:
>
> 2011-01-14 11:57:40,917 INFO [ ome.services.util.ServiceHandler] (l.Server-8) Executor.doWork -- ome.services.sessions.SessionManagerImpl.executeCheckPasswordRO(cisr1)
> 2011-01-14 11:57:40,917 INFO [ ome.services.util.ServiceHandler] (l.Server-8) Args: [null, ome.tools.spring.InternalServiceFactory at 3486a602]
> 2011-01-14 11:57:40,924 INFO [ ome.security.basic.EventHandler] (l.Server-8) Auth: user=0,group=0,event=null(Sessions),sess=32696c27-5b72-4a39-b86c-8b6fcb71440d
> 2011-01-14 11:57:40,928 INFO [ org.perf4j.TimingLogger] (l.Server-8) start[1295027860917] time[11] tag[omero.call.success.ome.services.sessions.SessionManagerImpl$7.doWork]
> 2011-01-14 11:57:40,928 INFO [ ome.services.util.ServiceHandler] (l.Server-8) Rslt: false
>
> However, this doesn't really tell me *where* it's trying to check the credentials. The hung login logs nothing at all.
> Pre-creating the experimenter account does not help.
>
> Is there a way to turn on more extensive logging so I can determine what's gone off in the process?
There is some minimal logging that will be added by modifying the line:
<category name="org.springframework"> <priority value="WARN"/> </category>
in etc/log4j.xml to say "DEBUG" rather than "WARN". (This doesn't require a restart).
You can then grep your logs for "ldap". This will only make sure that you are using the right URL and similar, though I expected there to be much more logging from the Spring libraries. I'll keep looking for a better method. At the same time, could you possibly show us your configuration, i.e. the output of bin/omero config get? E.g.
~/code/git/dist $ bin/omero config get | grep ldap | grep -v pass
omero.ldap.base=ou=lifesci,o=dundee
omero.ldap.config=true
omero.ldap.urls=ldap://localhost:1389
Be sure, of course, to change any sensitive information.
Cheers,
~Josh
> Thanks,
> Mike
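
Added example (not part of the original message and not OMERO code): a shell filter for the `bin/omero config get` output requested above that keeps only `omero.ldap.*` keys, masks secrets and server host names, and splits on the first `=` only so DN values such as `ou=lifesci,o=dundee` survive intact. The key names `omero.ldap.password`, `omero.ldap.username` and `omero.db.pass`, and all sample values other than the base DN, are assumptions constructed for illustration.

```shell
#!/bin/sh
# Redact LDAP settings before pasting them into a public mailing list post.

# Constructed sample input in the key=value form printed by `bin/omero config get`.
sample_config() {
    cat <<'EOF'
omero.db.pass=constructed-db-secret
omero.ldap.base=ou=lifesci,o=dundee
omero.ldap.config=true
omero.ldap.password=constructed-bind-secret
omero.ldap.urls=ldap://ldap1.example.org:1389,ldaps://ldap2.example.org:636
omero.ldap.username=cn=omero-bind,ou=svc,o=example
EOF
}

redact_ldap_config() {
    awk '
    {
        eq = index($0, "=")              # first "=" only: DN values contain more
        if (eq == 0) next
        key = substr($0, 1, eq - 1)
        val = substr($0, eq + 1)
        if (key !~ /^omero\.ldap\./) next   # drop everything that is not LDAP config
        lkey = tolower(key)
        if (lkey ~ /pass|username/) {
            # bind password and bind account: mask the value but keep the key,
            # so a reader can still see that the setting is present
            val = "<redacted>"
        } else if (lkey ~ /urls$/) {
            # keep scheme and port (ldap vs ldaps matters for debugging), hide hosts
            n = split(val, urls, ",")
            val = ""; sep = ""
            for (i = 1; i <= n; i++) {
                u = urls[i]
                if (match(u, "://[^:/]+"))
                    u = substr(u, 1, RSTART + 2) "<host>" substr(u, RSTART + RLENGTH)
                val = val sep u
                sep = ","
            }
        }
        print key "=" val
    }'
}

# Stand-alone demonstration on the constructed sample.
sample_config | redact_ldap_config
```

Against a real server the equivalent call would be `bin/omero config get | redact_ldap_config`; other values that identify the site, such as the base DN, still need a manual look before posting.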