[ome-users] LDAP issues with new 4.3.2 version - DNs don't match

Josh Moore josh at glencoesoftware.com
Sun Oct 9 14:25:46 BST 2011


On Oct 3, 2011, at 1:52 AM, Leon Kolchinsky wrote:

> Hi Josh,

Hi Leon,

> Hmm, it seems that no one formed an opinion yet ;)

All the better for you! :)

> For an immediate fix in 4.3.3 I'd suggest to go back to 4.3.1 LDAP auth.
> scheme and plan ("omeName" as user ID in the DB) change for future versions.

Sounds sensible. I'm in the process of re-enabling the 4.3.1 logic for 4.3.3 now, and the primary question will be whether the 4.3.1 or the 4.3.2 logic is the default in 4.3.3. The 4.3.2 logic is 'safer' which is the only reason I don't feel completely comfortable with just rolling back to 4.3.1.

Either way you'll be able to choose the non-default logic at configuration time:

  bin/omero config set omero.security.password_provider chainedPasswordProvider431

or

  bin/omero config set omero.security.password_provider chainedPasswordProvider433

Which will be made clear in the release notes.

Thanks for all your feedback!
~Josh.

> Cheers,
> Leon Kolchinsky
> 
> On Fri, Sep 30, 2011 at 20:24, Josh Moore <josh at glencoesoftware.com> wrote:
> 
>> 
>> On Sep 30, 2011, at 2:43 AM, Leon Kolchinsky wrote:
>> 
>>> Hello Josh,
>> 
>> Hi Leon,
>> 
>>> Our LDAP managed by another team and they decide on the changes in LDAP
>>> using their own procedures.
>>> In my opinion there is no need to keep DN in the DB at all.
>>> Keeping "omeName" as user ID in the DB would suffice in most cases.
>> 
>> Agreed, but that unfortunately can't happen in 4.3.3, since it requires a
>> DB upgrade, etc. There is an older ticket for it:
>> 
>> https://trac.openmicroscopy.org.uk/ome/ticket/2587
>> 
>> and I've just updated the description to make the remaining tasks clearer.
>> For an immediate fix in 4.3.3, what would be your preference? Does anyone
>> else have an opinion?
>> 
>> Cheers,
>> ~Josh.
>> 
>> 
>> 
>>> That's what most LDAP enabled Apps do (like Confluence and JIRA etc.).
>>> Let the LDAP do what it's do best (provide directory services) and use
>> the
>>> data pulled from LDAP on the fly (during login stage).
>>> 
>>> 
>>> Cheers,
>>> Leon Kolchinsky
>>> Senior Software Specialist (Collaborative Applications)
>>> ITS Research Support Services
>>> Monash e-Research Centre (MeRC)
>>> Monash University
>>> tel: +61 3 99059560
>>> 
>>> 
>>> 
>>> On Thu, Sep 29, 2011 at 16:14, Josh Moore <josh at glencoesoftware.com>
>> wrote:
>>> 
>>>> Hi Leon,
>>>> 
>>>> On Sep 29, 2011, at 2:08 AM, Leon Kolchinsky wrote:
>>>> 
>>>>> Hi Josh,
>>>>> 
>>>>> 1) Yep, I've checked "bin/omero ldap setdn --help" and
>>>>> http://www.openmicroscopy.org/site/support/faq/omero/how-do-you-convert-a-non-ldap-user-to-using-ldap
>>>> 
>>>> Ok, thanks.
>>>> 
>>>>> and didn't see any mention of "bin/omero login root at localhost"
>>>> 
>>>> bin/omero login root at localhost
>>>> 
>>>> is the same as using the following:
>>>> 
>>>> Server: [localhost]
>>>> Username: [omero]root
>>>> Password:
>>>> 
>>>> but it definitely needs to be clearer that the bin/omero ldap setdn
>> command
>>>> is an admin tool for changing values for users.
>>>> 
>>>>> 2) Another thing that bothers me with this LDAP change is that we use
>>>> "uid"
>>>>> to identify user during login and DN of our users changes once in a
>>>> while.
>>>>> This way after every change in LDAP (causing DN change for the users)
>>>> I'll
>>>>> have to go and manually update users' DN's in OMERO DB.
>>>>> Why can't it just compare output of login name (during login)
>>>>> and omero.ldap.user_filter result?
>>>> 
>>>> It could. The issue as always with LDAP is the wide number of ways that
>>>> people can use it. In this case, we erred on the side of caution
>> assuming
>>>> that there could be a case of DN changes with unintended consequences.
>>>> 
>>>> But, in your opinion, if the DN changes but the user_filter still
>> matches,
>>>> the DN should be updated? Can you think of any exceptions? And for
>> everyone,
>>>> would there need to be a configuration option to prevent the DN
>>>> modification?
>>>> 
>>>> In the upcoming 4.3.3 bug fix release[1], there will be the opportunity
>> to
>>>> rollback to the previous LdapPasswordProvider logic[2]. This would solve
>>>> your situation. Though it would be good to know, in general, if the
>> strict
>>>> DN checking is actually not desired by LDAP-using administrators. If
>> not,
>>>> then it can be removed. If the vote is not clear, perhaps there does in
>> fact
>>>> need to be a configuration option.
>>>> 
>>>> Cheers,
>>>> ~Josh.
>>>> 
>>>> [1] https://trac.openmicroscopy.org.uk/ome/milestone/OMERO-Beta4.3.3
>>>> [2] http://lists.openmicroscopy.org.uk/pipermail/ome-users/2011-September/002808.html
>>>> 
>>>> 
>>>>> Configuration snap:
>>>>> $ /srv/omeroserver/bin/omero config get
>>>>> omero.ldap.base=o=Monash University,c=au
>>>>> omero.ldap.config=true
>>>>> omero.ldap.user_filter=(&(objectClass=inetOrgPerson)(uid=*))
>>>>> omero.ldap.user_mapping=omeName=uid,firstName=givenName,lastName=sn,email=mail
>>>>> 
>>>>> 
>>>>> Cheers,
>>>>> Leon Kolchinsky
>>>>> Senior Software Specialist (Collaborative Applications)
>>>>> ITS Research Support Services
>>>>> Monash e-Research Centre (MeRC)
>>>>> Monash University
>>>>> tel: +61 3 99059560
>>>>> 
>>>>> 
>>>>> 
>>>>> On Wed, Sep 28, 2011 at 16:23, Josh Moore <josh at glencoesoftware.com>
>>>> wrote:
>>>>> 
>>>>>> 
>>>>>> On Sep 28, 2011, at 8:00 AM, Leon Kolchinsky wrote:
>>>>>> 
>>>>>>> Thanks Josh,
>>>>>> 
>>>>>> Gladly.
>>>>>> 
>>>>>>> I just couldn't find in the docs that I need to login as admin user
>>>>>> first...
>>>>>>> ;)
>>>>>> 
>>>>>> Again, sorry for the confusion. I'll look into making it clearer:
>>>>>> 
>>>>>> https://trac.openmicroscopy.org.uk/ome/ticket/6868
>>>>>> 
>>>>>> Did you look at "bin/omero ldap setdn -h" or anywhere else in
>>>> particular?
>>>>>> 
>>>>>> ~Josh.
>>>>>> 
>>>>>> 
>>>>>>> Cheers,
>>>>>>> Leon Kolchinsky
>>>>>>> Senior Software Specialist (Collaborative Applications)
>>>>>>> ITS Research Support Services
>>>>>>> Monash e-Research Centre (MeRC)
>>>>>>> Monash University
>>>>>>> tel: +61 3 99059560
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> On Wed, Sep 28, 2011 at 15:54, Josh Moore <josh at glencoesoftware.com>
>>>>>> wrote:
>>>>>>> 
>>>>>>>> Hi Leon,
>>>>>>>> 
>>>>>>>> sorry for the confusion, but the command is intended for
>>>> administrators.
>>>>>>>> I.e. you're changing the value for afelcher, so you'd need to login
>> as
>>>>>> root
>>>>>>>> or similar:
>>>>>>>> 
>>>>>>>> /srv/omeroserver/bin/omero login root at localhost
>>>>>>>> 
>>>>>>>> /srv/omeroserver/bin/omero ldap setdn afulcher 'cn=Alex
>>>>>>>> Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\,
>>>>>> Nursing
>>>>>>>> and Health Sciences,ou=Staff,o=Monash University,c=au'
>>>>>>>> 
>>>>>>>> 
>>>>>>>> But changing it in the DB is also just fine! Glad to hear it's
>>>> working.
>>>>>>>> 
>>>>>>>> ~Josh.
>>>>>>>> 
>>>>>>>> 
>>>>>>>> On Sep 28, 2011, at 2:15 AM, Leon Kolchinsky wrote:
>>>>>>>> 
>>>>>>>>> Hello Josh,
>>>>>>>>> 
>>>>>>>>> Thanks.
>>>>>>>>> I've tried your syntax but it didn't work (using a dummy password
>> as
>>>> I
>>>>>>>>> don't know users LDAP password):
>>>>>>>>> 
>>>>>>>>> [omero at vera143 ~]$ /srv/omeroserver/bin/omero ldap setdn afulcher
>>>>>>>> 'cn=Alex
>>>>>>>>> Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\,
>>>>>> Nursing
>>>>>>>>> and Health Sciences,ou=Staff,o=Monash University,c=au'
>>>>>>>>> Server: [localhost]
>>>>>>>>> Username: [omero]afulcher
>>>>>>>>> Password:
>>>>>>>>> Internal error. Please contact your administrator:
>>>>>>>>> DNs don't match: 'cn=Alex Fulcher,ou=School of Biomedical
>>>>>>>>> Sciences,ou=Faculty of Medicine, Nursing and Health
>>>>>>>>> Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex
>>>>>>>> Fulcher,ou=School
>>>>>>>>> of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health
>>>>>>>>> Sciences,ou=Staff,o=Monash University,c=au'
>>>>>>>>> Password:
>>>>>>>>> Internal error. Please contact your administrator:
>>>>>>>>> DNs don't match: 'cn=Alex Fulcher,ou=School of Biomedical
>>>>>>>>> Sciences,ou=Faculty of Medicine, Nursing and Health
>>>>>>>>> Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex
>>>>>>>> Fulcher,ou=School
>>>>>>>>> of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health
>>>>>>>>> Sciences,ou=Staff,o=Monash University,c=au'
>>>>>>>>> Password:
>>>>>>>>> 3 incorrect password attempts
>>>>>>>>> 
>>>>>>>>> So I just changed the dn in the DB like this:
>>>>>>>>> 
>>>>>>>>> UPDATE password set dn = E'cn=Alex Fulcher,ou=School of Biomedical
>>>>>>>>> Sciences,ou=Faculty of Medicine\\, Nursing and Health
>>>>>>>>> Sciences,ou=Staff,o=Monash University,c=au' where
>>>> experimenter_id=504;
>>>>>>>>> 
>>>>>>>>> And confirmed the result:
>>>>>>>>> Select * from password where experimenter_id=504;
>>>>>>>>> 
>>>>>>>>> The user was able to login then!!!!
>>>>>>>>> 
>>>>>>>>> But I decided to try the syntax of the command line again:
>>>>>>>>> [omero at vera143 log]$ /srv/omeroserver/bin/omero ldap setdn
>> afulcher
>>>>>>>> 'cn=Alex
>>>>>>>>> Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\,
>>>>>> Nursing
>>>>>>>>> and Health Sciences,ou=Staff,o=Monash University,c=au'
>>>>>>>>> Server: [localhost]
>>>>>>>>> Username: [omero]afulcher
>>>>>>>>> Password:
>>>>>>>>> Password check failed for 'afulcher': [id=504]
>>>>>>>>> Password:
>>>>>>>>> Password check failed for 'afulcher': [id=504]
>>>>>>>>> Password:
>>>>>>>>> 3 incorrect password attempts
>>>>>>>>> 
>>>>>>>>> Am I doing something wrong on the command line here?
>>>>>>>>> 
>>>>>>>>> Cheers,
>>>>>>>>> Leon Kolchinsky
>>>>>>>>> Senior Software Specialist (Collaborative Applications)
>>>>>>>>> ITS Research Support Services
>>>>>>>>> Monash e-Research Centre (MeRC)
>>>>>>>>> Monash University
>>>>>>>>> tel: +61 3 99059560
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> On Tue, Sep 27, 2011 at 21:02, Josh Moore <
>> josh at glencoesoftware.com>
>>>>>>>> wrote:
>>>>>>>>> 
>>>>>>>>>> Hi Leon,
>>>>>>>>>> 
>>>>>>>>>> the LDAP login code was indeed changed for 4.3.2 because of
>> possible
>>>>>>>>>> security issues[#6248]. Part of this included disallowing
>> differing
>>>>>> DNs
>>>>>>>>>> between LDAP and OMERO:
>>>>>>>>>> 
>>>>>>>>>> 'cn=Alex Fulcher,ou=Department of Biochemistry and Molecular
>>>>>>>>>> Biology,ou=Faculty of Medicine\, Nursing and Health
>>>>>>>>>> Sciences,ou=Staff,o=Monash University,c=au'
>>>>>>>>>> 
>>>>>>>>>> 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of
>>>>>>>>>> Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash
>>>>>>>> University,c=au'
>>>>>>>>>> 
>>>>>>>>>> The first value is the current DN for afulcher in OMERO; the
>> second
>>>> is
>>>>>>>> the
>>>>>>>>>> current DN for the user in LDAP. It looks pretty clear that this
>> is
>>>> a
>>>>>>>> case
>>>>>>>>>> of a minor change in LDAP. You can update afulcher's DN by using
>>>>>> setdn:
>>>>>>>>>> 
>>>>>>>>>> bin/omero ldap setdn afulcher 'cn=Alex Fulcher,ou=School of
>>>> Biomedical
>>>>>>>>>> Sciences,ou=Faculty of Medicine\, Nursing and Health
>>>>>>>>>> Sciences,ou=Staff,o=Monash University,c=au'
>>>>>>>>>> 
>>>>>>>>>> Cheers,
>>>>>>>>>> ~Josh
>>>>>>>>>> 
>>>>>>>>>> [#6248] https://trac.openmicroscopy.org.uk/ome/ticket/6248
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> On Sep 27, 2011, at 7:34 AM, Leon Kolchinsky wrote:
>>>>>>>>>> 
>>>>>>>>>>> Hello,
>>>>>>>>>>> 
>>>>>>>>>>> I've upgraded previous version of OMERO to 4.3.2 and got
>> complaints
>>>>>>>> from
>>>>>>>>>> a
>>>>>>>>>>> user that he can't login to the server.
>>>>>>>>>>> That's what I can see through the logs:
>>>>>>>>>>> 
>>>>>>>>>>> 2011-09-27 09:42:52,813 INFO  [ ome.services.util.ServiceHandler] (l.Server-2)  Excp:    ome.conditions.ValidationException: DNs don't match: 'cn=Alex Fulcher,ou=Department of Biochemistry and Molecular Biology,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
>>>>>>>>>>> ome.conditions.ValidationException: DNs don't match: 'cn=Alex Fulcher,ou=Department of Biochemistry and Molecular Biology,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
>>>>>>>>>>> 2011-09-27 09:43:58,977 WARN  [ ome.security.auth.LdapPasswordProvider] (l.Server-7) DNs don't match: 'cn=Alex Fulcher,ou=Department of Biochemistry and Molecular Biology,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
>>>>>>>>>>> 2011-09-27 09:44:02,046 WARN  [ ome.security.auth.LdapPasswordProvider] (l.Server-7) DNs don't match: 'cn=Alex Fulcher,ou=Department of Biochemistry and Molecular Biology,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
>>>>>>>>>>> 2011-09-27 09:44:05,060 INFO  [ ome.services.util.ServiceHandler] (l.Server-7)  Excp:    ome.conditions.ValidationException: DNs don't match: 'cn=Alex Fulcher,ou=Department of Biochemistry and Molecular Biology,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
>>>>>>>>>>> ome.conditions.ValidationException: DNs don't match: 'cn=Alex Fulcher,ou=Department of Biochemistry and Molecular Biology,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
>>>>>>>>>>> 2011-09-27 14:53:20,124 INFO  [ ome.services.util.ServiceHandler] (l.Server-9)  Rslt:    cn=Alex Fulcher,ou=Department of Biochemistry and Molecular Biology,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> So, I've updated his DN (in the DB) to reflect what I can see in
>>>> the
>>>>>>>> LDAP
>>>>>>>>>>> (without \):
>>>>>>>>>>> 
>>>>>>>>>>> UPDATE password set dn = 'cn=Alex Fulcher,ou=School of Biomedical
>>>>>>>>>>> Sciences,ou=Faculty of Medicine, Nursing and Health
>>>>>>>>>>> Sciences,ou=Staff,o=Monash University,c=au' where
>>>>>> experimenter_id=504;
>>>>>>>>>>> 
>>>>>>>>>>> But he still can't connect, although in the webadmin panel I can
>>>> see
>>>>>>>> that
>>>>>>>>>> DN
>>>>>>>>>>> changed to 'cn=Alex Fulcher,ou=School of Biomedical
>>>>>> Sciences,ou=Faculty
>>>>>>>>>> of
>>>>>>>>>>> Medicine, Nursing and Health Sciences,ou=Staff,o=Monash
>>>>>>>> University,c=au'.
>>>>>>>>>>> 
>>>>>>>>>>> Here is what I see in the logs:
>>>>>>>>>>> 
>>>>>>>>>>> 2011-09-27 15:21:47,476 INFO  [ ome.services.util.ServiceHandler] (l.Server-7)  Executor.doWork -- ome.services.sessions.SessionManagerImpl.executeCheckPasswordRO(afulcher)
>>>>>>>>>>> 2011-09-27 15:21:47,477 INFO  [ ome.services.util.ServiceHandler] (l.Server-7)  Args:    [null, InternalSF at 812610706]
>>>>>>>>>>> 2011-09-27 15:21:47,478 INFO  [ ome.security.basic.EventHandler] (l.Server-7)  Auth: user=0,group=0,event=null(Sessions),sess=95fa5807-9883-4ae1-9418-dbb1f7140b9d
>>>>>>>>>>> 2011-09-27 15:21:47,524 WARN  [ ome.security.auth.LdapPasswordProvider] (l.Server-7) DNs don't match: 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
>>>>>>>>>>> 2011-09-27 15:21:47,524 WARN  [ ome.security.auth.LoginAttemptListener] (l.Server-7) 21 failed logins for afulcher. Throttling for 3000
>>>>>>>>>>> 2011-09-27 15:21:50,530 INFO  [ org.perf4j.TimingLogger] (l.Server-7) start[1317100907477] time[3053] tag[omero.call.success.ome.services.sessions.SessionManagerImpl$8.doWork]
>>>>>>>>>>> 2011-09-27 15:21:50,530 INFO  [ ome.services.util.ServiceHandler] (l.Server-7)  Rslt:    null
>>>>>>>>>>> 2011-09-27 15:21:50,531 INFO  [ ome.services.util.ServiceHandler] (l.Server-7)  Executor.doWork -- ome.services.sessions.SessionManagerImpl.executeCheckPasswordRW(afulcher)
>>>>>>>>>>> 2011-09-27 15:21:50,531 INFO  [ ome.services.util.ServiceHandler] (l.Server-7)  Args:    [null, InternalSF at 812610706]
>>>>>>>>>>> 2011-09-27 15:21:50,558 INFO  [ ome.security.basic.EventHandler] (l.Server-7)  Auth: user=0,group=0,event=61003(Sessions),sess=95fa5807-9883-4ae1-9418-dbb1f7140b9d
>>>>>>>>>>> 2011-09-27 15:21:50,599 WARN  [ ome.security.auth.LdapPasswordProvider] (l.Server-7) DNs don't match: 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
>>>>>>>>>>> 2011-09-27 15:21:50,599 WARN  [ ome.security.auth.LoginAttemptListener] (l.Server-7) 22 failed logins for afulcher. Throttling for 3000
>>>>>>>>>>> 2011-09-27 15:21:53,613 INFO  [ org.perf4j.TimingLogger] (l.Server-7) start[1317100910531] time[3082] tag[omero.call.exception]
>>>>>>>>>>> 2011-09-27 15:21:53,613 INFO  [ ome.services.util.ServiceHandler] (l.Server-7)  Excp:    ome.conditions.ValidationException: DNs don't match: 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
>>>>>>>>>>> 2011-09-27 15:21:53,614 ERROR [services.blitz.fire.PermissionsVerifierI] (l.Server-7) Exception thrown while checking password for:afulcher
>>>>>>>>>>> ome.conditions.ValidationException: DNs don't match: 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
>>>>>>>>>>>   at ome.security.auth.LdapPasswordProvider.checkPassword(LdapPasswordProvider.java:126)
>>>>>>>>>>>   at ome.security.auth.PasswordProviders.checkPassword(PasswordProviders.java:42)
>>>>>>>>>>>   at ome.logic.AdminImpl.checkPassword(AdminImpl.java:1194)
>>>>>>>>>>>   at ome.services.sessions.SessionManagerImpl$9.doWork(SessionManagerImpl.java:978)
>>>>>>>>>>>   at sun.reflect.GeneratedMethodAccessor250.invoke(Unknown Source)
>>>>>>>>>>>   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>>>>>>>>   at java.lang.reflect.Method.invoke(Method.java:597)
>>>>>>>>>>>   at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
>>>>>>>>>>>   at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
>>>>>>>>>>>   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
>>>>>>>>>>>   at ome.services.util.Executor$Impl$Interceptor.invoke(Executor.java:440)
>>>>>>>>>>>   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
>>>>>>>>>>>   at ome.security.basic.EventHandler.invoke(EventHandler.java:150)
>>>>>>>>>>>   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
>>>>>>>>>>>   at org.springframework.orm.hibernate3.HibernateInterceptor.invoke(HibernateInterceptor.java:111)
>>>>>>>>>>>   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
>>>>>>>>>>>   at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:108)
>>>>>>>>>>>   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
>>>>>>>>>>>   at ome.tools.hibernate.ProxyCleanupFilter$Interceptor.invoke(ProxyCleanupFilter.java:231)
>>>>>>>>>>>   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
>>>>>>>>>>>   at ome.services.util.ServiceHandler.invoke(ServiceHandler.java:116)
>>>>>>>>>>>   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
>>>>>>>>>>>   at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
>>>>>>>>>>>   at $Proxy64.doWork(Unknown Source)
>>>>>>>>>>>   at ome.services.util.Executor$Impl.execute(Executor.java:371)
>>>>>>>>>>>   at ome.services.sessions.SessionManagerImpl.executeCheckPasswordRW(SessionManagerImpl.java:973)
>>>>>>>>>>>   at ome.services.sessions.SessionManagerImpl.executeCheckPassword(SessionManagerImpl.java:945)
>>>>>>>>>>>   at ome.services.sessions.SessionManagerImpl.executePasswordCheck(SessionManagerImpl.java:920)
>>>>>>>>>>>   at ome.services.blitz.fire.PermissionsVerifierI.checkPermissions(PermissionsVerifierI.java:135)
>>>>>>>>>>>   at Glacier2._PermissionsVerifierDisp.___checkPermissions(_PermissionsVerifierDisp.java:90)
>>>>>>>>>>>   at Glacier2._PermissionsVerifierDisp.__dispatch(_PermissionsVerifierDisp.java:118)
>>>>>>>>>>>   at IceInternal.Incoming.invoke(Incoming.java:159)
>>>>>>>>>>>   at Ice.ConnectionI.invokeAll(ConnectionI.java:2037)
>>>>>>>>>>>   at Ice.ConnectionI.message(ConnectionI.java:972)
>>>>>>>>>>>   at IceInternal.ThreadPool.run(ThreadPool.java:577)
>>>>>>>>>>>   at IceInternal.ThreadPool.access$100(ThreadPool.java:12)
>>>>>>>>>>>   at IceInternal.ThreadPool$EventHandlerThread.run(ThreadPool.java:971)
>>>>>>>>>>> 
>>>>>>>>>>> Any advise/solution?
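
The DN mismatches reported in this thread, as an added example that is not part of the original messages and is not OMERO's code: a small RFC 4514-aware parser that compares the DN strings quoted above and shows why the value stored without the backslash is not equivalent to the DN that LDAP returns. The function names, the case-insensitive value matching, the ASCII-only and single-valued-RDN handling, and the `\2c` variant are assumptions made for illustration.

```python
import re

# DN strings quoted in the thread (raw strings keep the backslash literal).
OLD_DB_DN = (r"cn=Alex Fulcher,ou=Department of Biochemistry and Molecular Biology,"
             r"ou=Faculty of Medicine\, Nursing and Health Sciences,"
             r"ou=Staff,o=Monash University,c=au")
LDAP_DN = (r"cn=Alex Fulcher,ou=School of Biomedical Sciences,"
           r"ou=Faculty of Medicine\, Nursing and Health Sciences,"
           r"ou=Staff,o=Monash University,c=au")
# The value written by the first UPDATE: the same DN with the backslash dropped.
UNESCAPED_DB_DN = LDAP_DN.replace("\\", "")
# Constructed variant: hex escape and upper-case attribute type, same DN per RFC 4514.
HEX_VARIANT_DN = LDAP_DN.replace("\\,", "\\2c").replace("cn=", "CN=")


def split_unescaped(text, sep):
    """Split on sep, but never on a separator that is backslash-escaped."""
    parts, current, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])  # keep the escape pair together
            i += 2
        elif text[i] == sep:
            parts.append("".join(current))
            current = []
            i += 1
        else:
            current.append(text[i])
            i += 1
    parts.append("".join(current))
    return parts


def unescape(value):
    """Decode RFC 4514 escapes: backslash + two hex digits, or backslash + char."""
    def decode(match):
        token = match.group(1)
        # Assumption: ASCII only, so one hex pair is one character.
        return chr(int(token, 16)) if len(token) == 2 else token
    return re.sub(r"\\([0-9a-fA-F]{2}|.)", decode, value)


def parse_dn(dn):
    """Return a list of (attribute, value) pairs; multi-valued RDNs are not handled."""
    rdns = []
    for component in split_unescaped(dn, ","):
        attr, sep, value = component.partition("=")
        if not sep or not attr.strip():
            raise ValueError("not an RDN (no attribute=value): %r" % component.strip())
        # Assumption: values match case-insensitively with whitespace collapsed.
        rdns.append((attr.strip().lower(), " ".join(unescape(value).split()).casefold()))
    return rdns


def compare(stored, from_ldap):
    """Return (verdict, detail) for a stored DN against the DN the directory returns."""
    try:
        left = parse_dn(stored)
    except ValueError as exc:
        return ("stored-dn-malformed", str(exc))
    right = parse_dn(from_ldap)  # the directory's own value is assumed well-formed
    if left == right:
        return ("match", "")
    for index, (a, b) in enumerate(zip(left, right)):
        if a != b:
            return ("differs", "RDN %d: %s=%s vs %s=%s" % (index, *a, *b))
    return ("differs", "different number of RDNs")


if __name__ == "__main__":
    for label, dn in [("4.3.1-era DB value", OLD_DB_DN),
                      ("DB value without backslash", UNESCAPED_DB_DN),
                      ("hex-escaped variant", HEX_VARIANT_DN)]:
        print(label, "->", compare(dn, LDAP_DN))
```

A byte-for-byte string comparison would reject the hex-escaped variant as well, even though it names the same entry.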
