[ome-users] LDAP issues with new 4.3.2 version - DNs don't match

Josh Moore josh at glencoesoftware.com
Wed Sep 28 06:54:05 BST 2011


Hi Leon,

sorry for the confusion, but the command is intended for administrators. I.e. you're changing the value for afulcher, so you'd need to login as root or similar:

  /srv/omeroserver/bin/omero login root@localhost

  /srv/omeroserver/bin/omero ldap setdn afulcher 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'


But changing it in the DB is also just fine! Glad to hear it's working.

~Josh.


On Sep 28, 2011, at 2:15 AM, Leon Kolchinsky wrote:

> Hello Josh,
> 
> Thanks.
> I've tried your syntax but it didn't work (using a dummy password as I
> don't know the user's LDAP password):
> 
> [omero@vera143 ~]$ /srv/omeroserver/bin/omero ldap setdn afulcher 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
> Server: [localhost]
> Username: [omero]afulcher
> Password:
> Internal error. Please contact your administrator:
> DNs don't match: 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
> Password:
> Internal error. Please contact your administrator:
> DNs don't match: 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
> Password:
> 3 incorrect password attempts
> 
> So I just changed the dn in the DB like this:
> 
> UPDATE password set dn = E'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' where experimenter_id=504;
> 
> And confirmed the result:
> Select * from password where experimenter_id=504;
> 
> The user was able to login then!!!!
> 
> But I decided to try the syntax of the command line again:
> [omero@vera143 log]$ /srv/omeroserver/bin/omero ldap setdn afulcher 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
> Server: [localhost]
> Username: [omero]afulcher
> Password:
> Password check failed for 'afulcher': [id=504]
> Password:
> Password check failed for 'afulcher': [id=504]
> Password:
> 3 incorrect password attempts
> 
> Am I doing something wrong on the command line here?
> 
> Cheers,
> Leon Kolchinsky
> Senior Software Specialist (Collaborative Applications)
> ITS Research Support Services
> Monash e-Research Centre (MeRC)
> Monash University
> tel: +61 3 99059560
> 
> 
> 
> On Tue, Sep 27, 2011 at 21:02, Josh Moore <josh at glencoesoftware.com> wrote:
> 
>> Hi Leon,
>> 
>> the LDAP login code was indeed changed for 4.3.2 because of possible
>> security issues [#6248]. Part of this included disallowing differing DNs
>> between LDAP and OMERO:
>> 
>> 'cn=Alex Fulcher,ou=Department of Biochemistry and Molecular Biology,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
>> 
>> 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
>> 
>> The first value is the current DN for afulcher in OMERO; the second is the
>> current DN for the user in LDAP. It looks pretty clear that this is a case
>> of a minor change in LDAP. You can update afulcher's DN by using setdn:
>> 
>> bin/omero ldap setdn afulcher 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
>> 
>> Cheers,
>> ~Josh
>> 
>> [#6248] https://trac.openmicroscopy.org.uk/ome/ticket/6248
>> 
>> 
>> On Sep 27, 2011, at 7:34 AM, Leon Kolchinsky wrote:
>> 
>>> Hello,
>>> 
>>> I've upgraded a previous version of OMERO to 4.3.2 and got complaints from a
>>> user that he can't login to the server.
>>> That's what I can see through the logs:
>>> 
>>> 2011-09-27 09:42:52,813 INFO  [        ome.services.util.ServiceHandler] (l.Server-2)  Excp:    ome.conditions.ValidationException: DNs don't match: 'cn=Alex Fulcher,ou=Department of Biochemistry and Molecular Biology,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
>>> ome.conditions.ValidationException: DNs don't match: 'cn=Alex Fulcher,ou=Department of Biochemistry and Molecular Biology,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
>>> 2011-09-27 09:43:58,977 WARN  [  ome.security.auth.LdapPasswordProvider] (l.Server-7) DNs don't match: 'cn=Alex Fulcher,ou=Department of Biochemistry and Molecular Biology,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
>>> 2011-09-27 09:44:02,046 WARN  [  ome.security.auth.LdapPasswordProvider] (l.Server-7) DNs don't match: 'cn=Alex Fulcher,ou=Department of Biochemistry and Molecular Biology,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
>>> 2011-09-27 09:44:05,060 INFO  [        ome.services.util.ServiceHandler] (l.Server-7)  Excp:    ome.conditions.ValidationException: DNs don't match: 'cn=Alex Fulcher,ou=Department of Biochemistry and Molecular Biology,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
>>> ome.conditions.ValidationException: DNs don't match: 'cn=Alex Fulcher,ou=Department of Biochemistry and Molecular Biology,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
>>> 2011-09-27 14:53:20,124 INFO  [        ome.services.util.ServiceHandler] (l.Server-9)  Rslt:    cn=Alex Fulcher,ou=Department of Biochemistry and Molecular Biology,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au
>>> 
>>> 
>>> So, I've updated his DN (in the DB) to reflect what I can see in the LDAP
>>> (without \):
>>> 
>>> UPDATE password set dn = 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' where experimenter_id=504;
>>> 
>>> But he still can't connect, although in the webadmin panel I can see that the DN
>>> changed to 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of
>>> Medicine, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'.
>>> 
>>> Here is what I see in the logs:
>>> 
>>> 2011-09-27 15:21:47,476 INFO  [        ome.services.util.ServiceHandler] (l.Server-7)  Executor.doWork -- ome.services.sessions.SessionManagerImpl.executeCheckPasswordRO(afulcher)
>>> 2011-09-27 15:21:47,477 INFO  [        ome.services.util.ServiceHandler] (l.Server-7)  Args:    [null, InternalSF@812610706]
>>> 2011-09-27 15:21:47,478 INFO  [         ome.security.basic.EventHandler] (l.Server-7)  Auth:    user=0,group=0,event=null(Sessions),sess=95fa5807-9883-4ae1-9418-dbb1f7140b9d
>>> 2011-09-27 15:21:47,524 WARN  [  ome.security.auth.LdapPasswordProvider] (l.Server-7) DNs don't match: 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
>>> 2011-09-27 15:21:47,524 WARN  [  ome.security.auth.LoginAttemptListener] (l.Server-7) 21 failed logins for afulcher. Throttling for 3000
>>> 2011-09-27 15:21:50,530 INFO  [                 org.perf4j.TimingLogger] (l.Server-7) start[1317100907477] time[3053] tag[omero.call.success.ome.services.sessions.SessionManagerImpl$8.doWork]
>>> 2011-09-27 15:21:50,530 INFO  [        ome.services.util.ServiceHandler] (l.Server-7)  Rslt:    null
>>> 2011-09-27 15:21:50,531 INFO  [        ome.services.util.ServiceHandler] (l.Server-7)  Executor.doWork -- ome.services.sessions.SessionManagerImpl.executeCheckPasswordRW(afulcher)
>>> 2011-09-27 15:21:50,531 INFO  [        ome.services.util.ServiceHandler] (l.Server-7)  Args:    [null, InternalSF@812610706]
>>> 2011-09-27 15:21:50,558 INFO  [         ome.security.basic.EventHandler] (l.Server-7)  Auth:    user=0,group=0,event=61003(Sessions),sess=95fa5807-9883-4ae1-9418-dbb1f7140b9d
>>> 2011-09-27 15:21:50,599 WARN  [  ome.security.auth.LdapPasswordProvider] (l.Server-7) DNs don't match: 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
>>> 2011-09-27 15:21:50,599 WARN  [  ome.security.auth.LoginAttemptListener] (l.Server-7) 22 failed logins for afulcher. Throttling for 3000
>>> 2011-09-27 15:21:53,613 INFO  [                 org.perf4j.TimingLogger] (l.Server-7) start[1317100910531] time[3082] tag[omero.call.exception]
>>> 2011-09-27 15:21:53,613 INFO  [        ome.services.util.ServiceHandler] (l.Server-7)  Excp:    ome.conditions.ValidationException: DNs don't match: 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
>>> 2011-09-27 15:21:53,614 ERROR [services.blitz.fire.PermissionsVerifierI] (l.Server-7) Exception thrown while checking password for:afulcher
>>> ome.conditions.ValidationException: DNs don't match: 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
>>>       at ome.security.auth.LdapPasswordProvider.checkPassword(LdapPasswordProvider.java:126)
>>>       at ome.security.auth.PasswordProviders.checkPassword(PasswordProviders.java:42)
>>>       at ome.logic.AdminImpl.checkPassword(AdminImpl.java:1194)
>>>       at ome.services.sessions.SessionManagerImpl$9.doWork(SessionManagerImpl.java:978)
>>>       at sun.reflect.GeneratedMethodAccessor250.invoke(Unknown Source)
>>>       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>       at java.lang.reflect.Method.invoke(Method.java:597)
>>>       at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
>>>       at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
>>>       at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
>>>       at ome.services.util.Executor$Impl$Interceptor.invoke(Executor.java:440)
>>>       at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
>>>       at ome.security.basic.EventHandler.invoke(EventHandler.java:150)
>>>       at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
>>>       at org.springframework.orm.hibernate3.HibernateInterceptor.invoke(HibernateInterceptor.java:111)
>>>       at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
>>>       at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:108)
>>>       at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
>>>       at ome.tools.hibernate.ProxyCleanupFilter$Interceptor.invoke(ProxyCleanupFilter.java:231)
>>>       at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
>>>       at ome.services.util.ServiceHandler.invoke(ServiceHandler.java:116)
>>>       at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
>>>       at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
>>>       at $Proxy64.doWork(Unknown Source)
>>>       at ome.services.util.Executor$Impl.execute(Executor.java:371)
>>>       at ome.services.sessions.SessionManagerImpl.executeCheckPasswordRW(SessionManagerImpl.java:973)
>>>       at ome.services.sessions.SessionManagerImpl.executeCheckPassword(SessionManagerImpl.java:945)
>>>       at ome.services.sessions.SessionManagerImpl.executePasswordCheck(SessionManagerImpl.java:920)
>>>       at ome.services.blitz.fire.PermissionsVerifierI.checkPermissions(PermissionsVerifierI.java:135)
>>>       at Glacier2._PermissionsVerifierDisp.___checkPermissions(_PermissionsVerifierDisp.java:90)
>>>       at Glacier2._PermissionsVerifierDisp.__dispatch(_PermissionsVerifierDisp.java:118)
>>>       at IceInternal.Incoming.invoke(Incoming.java:159)
>>>       at Ice.ConnectionI.invokeAll(ConnectionI.java:2037)
>>>       at Ice.ConnectionI.message(ConnectionI.java:972)
>>>       at IceInternal.ThreadPool.run(ThreadPool.java:577)
>>>       at IceInternal.ThreadPool.access$100(ThreadPool.java:12)
>>>       at IceInternal.ThreadPool$EventHandlerThread.run(ThreadPool.java:971)
>>> 
>>> Any advice/solution?
>>> 
>>> Cheers,
>>> Leon Kolchinsky
>>> Senior Software Specialist (Collaborative Applications)
>>> ITS Research Support Services
>>> Monash e-Research Centre (MeRC)
>>> Monash University
>>> tel: +61 3 99059560
>>> _______________________________________________
>>> ome-users mailing list
>>> ome-users at lists.openmicroscopy.org.uk
>>> http://lists.openmicroscopy.org.uk/mailman/listinfo/ome-users
>> 
>> 
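An added illustration in Python (not OMERO's code, nor anything posted by the thread's participants) of why the DNs above are treated as different: it compares DNs exactly as the thread describes 4.3.2 doing, parses them with RFC 4514 comma escaping to explain a mismatch before a `setdn` or an UPDATE is attempted, and builds the doubled-backslash PostgreSQL literal that the working UPDATE used. The DN strings are copied from the messages above; the function names are assumed.

```python
import re

# DN values copied from the thread above.
OMERO_OLD_DN = ("cn=Alex Fulcher,ou=Department of Biochemistry and Molecular Biology,"
                "ou=Faculty of Medicine\\, Nursing and Health Sciences,"
                "ou=Staff,o=Monash University,c=au")
LDAP_DN = ("cn=Alex Fulcher,ou=School of Biomedical Sciences,"
           "ou=Faculty of Medicine\\, Nursing and Health Sciences,"
           "ou=Staff,o=Monash University,c=au")
# What the first UPDATE in the thread stored: the '\,' escape was dropped.
UNESCAPED_DN = LDAP_DN.replace("\\,", ",")

def exact_match(stored_dn: str, ldap_dn: str) -> bool:
    """The 4.3.2 behaviour described in the thread: the DN kept in OMERO's
    password table must equal the DN LDAP returns, character for character."""
    return stored_dn == ldap_dn

def parse_dn(dn: str) -> list:
    """Split a DN into (attribute, value) pairs on commas not escaped as '\\,'
    (RFC 4514). A component without '=' means a comma was left unescaped."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        if "=" not in part:
            raise ValueError(f"component {part!r} has no '='; unescaped comma?")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().lower(), value))
    return rdns

def diagnose(stored_dn: str, ldap_dn: str) -> str:
    """Explain a 'DNs don't match' failure in terms of RDN structure."""
    if exact_match(stored_dn, ldap_dn):
        return "match"
    try:
        stored = parse_dn(stored_dn)
    except ValueError as err:
        return f"stored DN malformed: {err}"
    ldap = parse_dn(ldap_dn)
    if len(stored) != len(ldap):
        return f"RDN count differs: {len(stored)} vs {len(ldap)}"
    for i, (s, l) in enumerate(zip(stored, ldap)):
        if s != l:
            return f"RDN {i} differs: {s[1]!r} vs {l[1]!r}"
    return "same RDNs, but the strings differ (whitespace or case)"

def pg_literal(dn: str) -> str:
    """PostgreSQL E'...' literal for the DN: every backslash is doubled, which
    is why the UPDATE that worked in the thread wrote 'Medicine\\\\, Nursing'."""
    return "E'" + dn.replace("\\", "\\\\").replace("'", "''") + "'"
```

Running `diagnose(UNESCAPED_DN, LDAP_DN)` reproduces the situation after the first UPDATE: the stored value is rejected as malformed because the unescaped comma turns one `ou` value into two components.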
