[ome-users] LDAP issues with new 4.3.2 version - DNs don't match
Leon Kolchinsky
Leon.Kolchinsky at monash.edu
Wed Sep 28 07:00:18 BST 2011
Thanks Josh,
I just couldn't find in the docs that I need to log in as an admin user first...
;)
Cheers,
Leon Kolchinsky
Senior Software Specialist (Collaborative Applications)
ITS Research Support Services
Monash e-Research Centre (MeRC)
Monash University
tel: +61 3 99059560
On Wed, Sep 28, 2011 at 15:54, Josh Moore <josh at glencoesoftware.com> wrote:
> Hi Leon,
>
> sorry for the confusion, but the command is intended for administrators.
> I.e. you're changing the value for afulcher, so you'd need to log in as root
> or similar:
>
> /srv/omeroserver/bin/omero login root@localhost
>
> /srv/omeroserver/bin/omero ldap setdn afulcher 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
>
>
> But changing it in the DB is also just fine! Glad to hear it's working.
>
> ~Josh.
>
>
> On Sep 28, 2011, at 2:15 AM, Leon Kolchinsky wrote:
>
> > Hello Josh,
> >
> > Thanks.
> > I've tried your syntax but it didn't work (using a dummy password as I
> > don't know the user's LDAP password):
> >
> > [omero@vera143 ~]$ /srv/omeroserver/bin/omero ldap setdn afulcher 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
> > Server: [localhost]
> > Username: [omero]afulcher
> > Password:
> > Internal error. Please contact your administrator:
> > DNs don't match: 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
> > Password:
> > Internal error. Please contact your administrator:
> > DNs don't match: 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
> > Password:
> > 3 incorrect password attempts
> >
> > So I just changed the dn in the DB like this:
> >
> > UPDATE password set dn = E'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' where experimenter_id=504;
> >
> > And confirmed the result:
> > Select * from password where experimenter_id=504;
> >
> > The user was able to log in then!!!!
> >
> > But I decided to try the syntax of the command line again:
> > [omero@vera143 log]$ /srv/omeroserver/bin/omero ldap setdn afulcher 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
> > Server: [localhost]
> > Username: [omero]afulcher
> > Password:
> > Password check failed for 'afulcher': [id=504]
> > Password:
> > Password check failed for 'afulcher': [id=504]
> > Password:
> > 3 incorrect password attempts
> >
> > Am I doing something wrong on the command line here?
> >
> > Cheers,
> > Leon Kolchinsky
> > Senior Software Specialist (Collaborative Applications)
> > ITS Research Support Services
> > Monash e-Research Centre (MeRC)
> > Monash University
> > tel: +61 3 99059560
> >
> >
> >
> > On Tue, Sep 27, 2011 at 21:02, Josh Moore <josh at glencoesoftware.com>
> wrote:
> >
> >> Hi Leon,
> >>
> >> the LDAP login code was indeed changed for 4.3.2 because of possible
> >> security issues[#6248]. Part of this included disallowing differing DNs
> >> between LDAP and OMERO:
> >>
> >> 'cn=Alex Fulcher,ou=Department of Biochemistry and Molecular Biology,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
> >>
> >> 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
> >>
> >> The first value is the current DN for afulcher in OMERO; the second is the
> >> current DN for the user in LDAP. It looks pretty clear that this is a case
> >> of a minor change in LDAP. You can update afulcher's DN by using setdn:
> >>
> >> bin/omero ldap setdn afulcher 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
> >>
> >> Cheers,
> >> ~Josh
> >>
> >> [#6248] https://trac.openmicroscopy.org.uk/ome/ticket/6248
> >>
> >>
> >> On Sep 27, 2011, at 7:34 AM, Leon Kolchinsky wrote:
> >>
> >>> Hello,
> >>>
> >>> I've upgraded a previous version of OMERO to 4.3.2 and got complaints from
> >>> a user that he can't log in to the server.
> >>> This is what I can see in the logs:
> >>>
> >>> 2011-09-27 09:42:52,813 INFO [ome.services.util.ServiceHandler] (l.Server-2) Excp: ome.conditions.ValidationException: DNs don't match: 'cn=Alex Fulcher,ou=Department of Biochemistry and Molecular Biology,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
> >>> ome.conditions.ValidationException: DNs don't match: 'cn=Alex Fulcher,ou=Department of Biochemistry and Molecular Biology,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
> >>> 2011-09-27 09:43:58,977 WARN [ome.security.auth.LdapPasswordProvider] (l.Server-7) DNs don't match: 'cn=Alex Fulcher,ou=Department of Biochemistry and Molecular Biology,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
> >>> 2011-09-27 09:44:02,046 WARN [ome.security.auth.LdapPasswordProvider] (l.Server-7) DNs don't match: 'cn=Alex Fulcher,ou=Department of Biochemistry and Molecular Biology,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
> >>> 2011-09-27 09:44:05,060 INFO [ome.services.util.ServiceHandler] (l.Server-7) Excp: ome.conditions.ValidationException: DNs don't match: 'cn=Alex Fulcher,ou=Department of Biochemistry and Molecular Biology,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
> >>> ome.conditions.ValidationException: DNs don't match: 'cn=Alex Fulcher,ou=Department of Biochemistry and Molecular Biology,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
> >>> 2011-09-27 14:53:20,124 INFO [ome.services.util.ServiceHandler] (l.Server-9) Rslt: cn=Alex Fulcher,ou=Department of Biochemistry and Molecular Biology,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au
> >>>
> >>>
> >>> So, I've updated his DN (in the DB) to reflect what I can see in the LDAP
> >>> (without \):
> >>>
> >>> UPDATE password set dn = 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' where experimenter_id=504;
> >>>
> >>> But he still can't connect, although in the webadmin panel I can see that
> >>> DN changed to 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'.
> >>>
> >>> Here is what I see in the logs:
> >>>
> >>> 2011-09-27 15:21:47,476 INFO [ome.services.util.ServiceHandler] (l.Server-7) Executor.doWork -- ome.services.sessions.SessionManagerImpl.executeCheckPasswordRO(afulcher)
> >>> 2011-09-27 15:21:47,477 INFO [ome.services.util.ServiceHandler] (l.Server-7) Args: [null, InternalSF@812610706]
> >>> 2011-09-27 15:21:47,478 INFO [ome.security.basic.EventHandler] (l.Server-7) Auth: user=0,group=0,event=null(Sessions),sess=95fa5807-9883-4ae1-9418-dbb1f7140b9d
> >>> 2011-09-27 15:21:47,524 WARN [ome.security.auth.LdapPasswordProvider] (l.Server-7) DNs don't match: 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
> >>> 2011-09-27 15:21:47,524 WARN [ome.security.auth.LoginAttemptListener] (l.Server-7) 21 failed logins for afulcher. Throttling for 3000
> >>> 2011-09-27 15:21:50,530 INFO [org.perf4j.TimingLogger] (l.Server-7) start[1317100907477] time[3053] tag[omero.call.success.ome.services.sessions.SessionManagerImpl$8.doWork]
> >>> 2011-09-27 15:21:50,530 INFO [ome.services.util.ServiceHandler] (l.Server-7) Rslt: null
> >>> 2011-09-27 15:21:50,531 INFO [ome.services.util.ServiceHandler] (l.Server-7) Executor.doWork -- ome.services.sessions.SessionManagerImpl.executeCheckPasswordRW(afulcher)
> >>> 2011-09-27 15:21:50,531 INFO [ome.services.util.ServiceHandler] (l.Server-7) Args: [null, InternalSF@812610706]
> >>> 2011-09-27 15:21:50,558 INFO [ome.security.basic.EventHandler] (l.Server-7) Auth: user=0,group=0,event=61003(Sessions),sess=95fa5807-9883-4ae1-9418-dbb1f7140b9d
> >>> 2011-09-27 15:21:50,599 WARN [ome.security.auth.LdapPasswordProvider] (l.Server-7) DNs don't match: 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
> >>> 2011-09-27 15:21:50,599 WARN [ome.security.auth.LoginAttemptListener] (l.Server-7) 22 failed logins for afulcher. Throttling for 3000
> >>> 2011-09-27 15:21:53,613 INFO [org.perf4j.TimingLogger] (l.Server-7) start[1317100910531] time[3082] tag[omero.call.exception]
> >>> 2011-09-27 15:21:53,613 INFO [ome.services.util.ServiceHandler] (l.Server-7) Excp: ome.conditions.ValidationException: DNs don't match: 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
> >>> 2011-09-27 15:21:53,614 ERROR [services.blitz.fire.PermissionsVerifierI] (l.Server-7) Exception thrown while checking password for:afulcher
> >>> ome.conditions.ValidationException: DNs don't match: 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au' and 'cn=Alex Fulcher,ou=School of Biomedical Sciences,ou=Faculty of Medicine\, Nursing and Health Sciences,ou=Staff,o=Monash University,c=au'
> >>>         at ome.security.auth.LdapPasswordProvider.checkPassword(LdapPasswordProvider.java:126)
> >>>         at ome.security.auth.PasswordProviders.checkPassword(PasswordProviders.java:42)
> >>>         at ome.logic.AdminImpl.checkPassword(AdminImpl.java:1194)
> >>>         at ome.services.sessions.SessionManagerImpl$9.doWork(SessionManagerImpl.java:978)
> >>>         at sun.reflect.GeneratedMethodAccessor250.invoke(Unknown Source)
> >>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> >>>         at java.lang.reflect.Method.invoke(Method.java:597)
> >>>         at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
> >>>         at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
> >>>         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
> >>>         at ome.services.util.Executor$Impl$Interceptor.invoke(Executor.java:440)
> >>>         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
> >>>         at ome.security.basic.EventHandler.invoke(EventHandler.java:150)
> >>>         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
> >>>         at org.springframework.orm.hibernate3.HibernateInterceptor.invoke(HibernateInterceptor.java:111)
> >>>         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
> >>>         at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:108)
> >>>         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
> >>>         at ome.tools.hibernate.ProxyCleanupFilter$Interceptor.invoke(ProxyCleanupFilter.java:231)
> >>>         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
> >>>         at ome.services.util.ServiceHandler.invoke(ServiceHandler.java:116)
> >>>         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
> >>>         at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
> >>>         at $Proxy64.doWork(Unknown Source)
> >>>         at ome.services.util.Executor$Impl.execute(Executor.java:371)
> >>>         at ome.services.sessions.SessionManagerImpl.executeCheckPasswordRW(SessionManagerImpl.java:973)
> >>>         at ome.services.sessions.SessionManagerImpl.executeCheckPassword(SessionManagerImpl.java:945)
> >>>         at ome.services.sessions.SessionManagerImpl.executePasswordCheck(SessionManagerImpl.java:920)
> >>>         at ome.services.blitz.fire.PermissionsVerifierI.checkPermissions(PermissionsVerifierI.java:135)
> >>>         at Glacier2._PermissionsVerifierDisp.___checkPermissions(_PermissionsVerifierDisp.java:90)
> >>>         at Glacier2._PermissionsVerifierDisp.__dispatch(_PermissionsVerifierDisp.java:118)
> >>>         at IceInternal.Incoming.invoke(Incoming.java:159)
> >>>         at Ice.ConnectionI.invokeAll(ConnectionI.java:2037)
> >>>         at Ice.ConnectionI.message(ConnectionI.java:972)
> >>>         at IceInternal.ThreadPool.run(ThreadPool.java:577)
> >>>         at IceInternal.ThreadPool.access$100(ThreadPool.java:12)
> >>>         at IceInternal.ThreadPool$EventHandlerThread.run(ThreadPool.java:971)
> >>>
> >>> Any advice/solution?
> >>>
> >>> Cheers,
> >>> Leon Kolchinsky
> >>> Senior Software Specialist (Collaborative Applications)
> >>> ITS Research Support Services
> >>> Monash e-Research Centre (MeRC)
> >>> Monash University
> >>> tel: +61 3 99059560
> >>> _______________________________________________
> >>> ome-users mailing list
> >>> ome-users at lists.openmicroscopy.org.uk
> >>> http://lists.openmicroscopy.org.uk/mailman/listinfo/ome-users
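A worked illustration of the mismatch the whole thread turns on, added here as an example; it is not OMERO code, not code from any of the posts above, and it does not reproduce whatever comparison OMERO's LdapPasswordProvider performs (the thread only shows that the two strings were rejected). It parses DNs the way RFC 4514 prescribes, with a comma splitting RDNs unless it is escaped by a backslash and with `\2C`-style hex escapes decoded, and then compares the parsed structures. That shows two things at once: why the two DNs in Josh's first reply differ (a different `ou`), and why Leon's first UPDATE, which dropped the backslash from `Medicine\, Nursing`, stored a string that is not even a well-formed DN. The last helper builds the PostgreSQL `E'...'` literal with doubled backslashes, the form Leon's second UPDATE used. The DN constants are copied from the thread; every function name is mine.

```python
"""Structural comparison of LDAP distinguished names (RFC 4514 escaping).

Added example for the ome-users thread on "DNs don't match"; not OMERO code.
"""

# DNs as quoted in the thread.  STORED_DN_UNESCAPED is what the first
# UPDATE wrote to OMERO's password table (backslash dropped).
LDAP_DN = ("cn=Alex Fulcher,ou=School of Biomedical Sciences,"
           "ou=Faculty of Medicine\\, Nursing and Health Sciences,"
           "ou=Staff,o=Monash University,c=au")
OLD_OMERO_DN = ("cn=Alex Fulcher,ou=Department of Biochemistry and Molecular Biology,"
                "ou=Faculty of Medicine\\, Nursing and Health Sciences,"
                "ou=Staff,o=Monash University,c=au")
STORED_DN_UNESCAPED = LDAP_DN.replace("\\,", ",")

HEX = "0123456789abcdefABCDEF"


def split_unescaped(text, sep):
    """Split text on sep, ignoring any sep that is escaped with a backslash.
    Escape pairs are kept intact so unescape_value() can decode them later."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def unescape_value(value):
    """Decode RFC 4514 escapes in an attribute value: '\\X' is the literal
    character X, '\\hh' is the byte 0xhh (UTF-8 multi-byte runs reassemble)."""
    raw, i = bytearray(), 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            if nxt in HEX and i + 2 < len(value) and value[i + 2] in HEX:
                raw.append(int(value[i + 1:i + 3], 16))
                i += 3
            else:
                raw.extend(nxt.encode("utf-8"))
                i += 2
            continue
        raw.extend(ch.encode("utf-8"))
        i += 1
    return raw.decode("utf-8")


def parse_dn(dn):
    """Return the DN as a list of (attribute_type, value) pairs, one per RDN.
    Multi-valued RDNs ('+') are not handled.  Raises ValueError for an RDN
    with no '=', which is exactly what an unescaped comma in a value produces."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        attr, eq, value = rdn.partition("=")
        if not eq:
            raise ValueError("RDN without '=': %r" % rdn)
        # Attribute types are case-insensitive; values are compared after
        # unescaping, so '\\,' and '\\2C' denote the same comma.
        rdns.append((attr.strip().lower(), unescape_value(value)))
    return rdns


def is_well_formed(dn):
    """True when every RDN of dn is an attribute=value pair."""
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False


def dns_match(dn_a, dn_b):
    """True when both strings denote the same DN.  A string that is not a
    well-formed DN never matches anything."""
    try:
        return parse_dn(dn_a) == parse_dn(dn_b)
    except ValueError:
        return False


def pg_escaped_literal(text):
    """Render text as a PostgreSQL E'...' string literal.  In an E-string the
    backslash is an escape character, so each backslash in the DN is doubled;
    single quotes are doubled as in any SQL literal."""
    return "E'" + text.replace("\\", "\\\\").replace("'", "''") + "'"


if __name__ == "__main__":
    print("LDAP DN has %d RDNs" % len(parse_dn(LDAP_DN)))
    print("old OMERO DN matches LDAP:", dns_match(OLD_OMERO_DN, LDAP_DN))
    print("unescaped stored DN is well formed:", is_well_formed(STORED_DN_UNESCAPED))
    print("UPDATE password SET dn = %s WHERE experimenter_id = 504;"
          % pg_escaped_literal(LDAP_DN))
```

Two practical points follow from this. In the shell, a single-quoted `'...\, ...'` argument to `omero ldap setdn` passes the backslash through unchanged, so only the SQL path needs the doubled `\\,`; and because an exact-match check rejects any difference in escaping or spelling, a directory that starts returning the same DN with `\2C` instead of `\,`, or with different capitalisation of attribute types, will lock out users just as the `ou` change did here, which is why a structural comparison is the safer way to diagnose such reports even when the stored value is ultimately corrected to the server's exact string.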