[ome-users] LDAP DNs don't match issue

Wood, Christopher CJW at stowers.org
Tue Feb 12 15:44:31 GMT 2013


Hi,

OMERO 4.4.5
CentOS 6
Ice 3.4
Java 1.6.0_35
Python 2.6.6

Our IT department is doing a major domain upgrade, so we have been doing
some tests to make sure OMERO can use LDAP with the new domain (Active
Directory). The referral option is set to follow:
omero.ldap.referral=follow

A test account called omero_test was created in the new domain, and when
doing a query on that account, the DN is returned as:

'distinguishedName': ['CN=Omero Test Account,OU=Members,OU=215-Test
Group,OU=AAA,DC=bbb,DC=loc'],
'sAMAccountName': ['omero_test'],


I created the omero_test account, and:
omero ldap setdn 'CN=Omero Test Account,OU=Members,OU=215-Test
Group,OU=AAA,DC=bbb,DC=loc'

Trying to login via the web admin gives log entries such as:

2013-02-11 16:53:33,308 WARN [ ome.security.auth.LdapPasswordProvider]
(l.Server-7) DNs don't match: 'CN=Omero Test
Account,OU=Members,OU=215-Test Group,OU=AAA,DC=bbb,DC=loc' and 'cn=Omero
Test Account,ou=Members,ou=215-Test Group,ou=AAA,dc=bbb,dc=loc'
2013-02-11 16:53:33,359 WARN [ ome.security.auth.LdapPasswordProvider]
(l.Server-7) DNs don't match: 'CN=Omero Test
Account,OU=Members,OU=215-Test Group,OU=AAA,DC=bbb,DC=loc' and 'cn=Omero
Test Account,ou=Members,ou=215-Test Group,ou=AAA,dc=bbb,dc=loc'
2013-02-11 16:53:36,362 INFO [ ome.services.util.ServiceHandler]
(l.Server-7) Excp: ome.conditions.ValidationException: DNs don't match:
'CN=Omero Test Account,OU=Members,OU=215-Test Group,OU=AAA,DC=bbb,DC=loc'
and 'cn=Omero Test Account,ou=Members,ou=215-Test
Group,ou=AAA,dc=bbb,dc=loc'
ome.conditions.ValidationException: DNs don't match: 'CN=Omero Test
Account,OU=Members,OU=215-Test Group,OU=AAA,DC=bbb,DC=loc' and 'cn=Omero
Test Account,ou=Members,ou=215-Test Group,ou=AAA,dc=bbb,dc=loc'

When the distinguished name is changed (just changing the CN/OU/DC to
lower case) using setdn to:
'cn=Omero Test Account,ou=Members,ou=215-Test Group,ou=AAA,dc=bbb,dc=loc'

the login is successful.

Any ideas why this happens?

And ideas about migrating existing OMERO users' DNs to the new domain?

Thanks
Chris
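
Added example, not part of the original message and not OMERO's code: the two DNs in the log above differ only in the case of the attribute type names (CN/OU/DC), which LDAP treats as case-insensitive, so a plain string comparison reports a mismatch where an RDN-by-RDN comparison does not. The helper names are hypothetical; values are case-folded on the assumption that they use caseIgnoreMatch (true for cn, ou and dc), and hex escapes and quoted values are not handled.

```python
import re

def split_unescaped(text, sep):
    """Split on sep, ignoring separators escaped with a backslash (RFC 4514)."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts

def normalize_dn(dn):
    """Return a canonical tuple of RDNs suitable for equality comparison."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        avas = []
        for ava in split_unescaped(rdn, "+"):   # multi-valued RDN
            attr, sep, value = ava.partition("=")
            if not sep or not attr.strip():
                raise ValueError("malformed RDN component: %r" % ava)
            # Attribute types are case-insensitive; values are folded here
            # on the assumption that they use caseIgnoreMatch (cn, ou, dc do).
            value = re.sub(r"\s+", " ", value.strip()).lower()
            avas.append((attr.strip().lower(), value))
        rdns.append(frozenset(avas))    # AVA order inside an RDN is irrelevant
    return tuple(rdns)

def same_dn(a, b):
    return normalize_dn(a) == normalize_dn(b)

# The two DNs from the log above.
STORED = "CN=Omero Test Account,OU=Members,OU=215-Test Group,OU=AAA,DC=bbb,DC=loc"
RETURNED = "cn=Omero Test Account,ou=Members,ou=215-Test Group,ou=AAA,dc=bbb,dc=loc"

if __name__ == "__main__":
    print("string equality:  ", STORED == RETURNED)
    print("RDN-wise equality:", same_dn(STORED, RETURNED))
```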







