[ome-users] LDAP DNs don't match issue

Blazej Pindelski b.pindelski at dundee.ac.uk
Wed Feb 13 12:19:20 GMT 2013


> Hi,

Hi Christopher,

> Omero 4.4.5
> CentOs 6
> Ice 3.4
> Java 1.6.0_35
> Python 2.6.6
>
> Our IT department is doing a major domain upgrade, so we have been doing
> some tests to make sure Omero can use ldap with the new domain (Active
> Directory). The referral option is set to follow:
> omero.ldap.referral=follow
>
> A test account called omero_test was created in the new domain, and when
> doing a query on that account, the DN is returned as:
>
> 'distinguishedName': ['CN=Omero Test Account,OU=Members,OU=215-Test
> Group,OU=AAA,DC=bbb,DC=loc'],
> 'sAMAccountName': ['omero_test'],
>
>
> I created the omero_test account, and:
> omero ldap setdn 'CN=Omero Test Account,OU=Members,OU=215-Test
> Group,OU=AAA,DC=bbb,DC=loc'
>
> Trying to login via the web admin gives log entries such as:
>
> 2013-02-11 16:53:33,308 WARN [ ome.security.auth.LdapPasswordProvider]
> (l.Server-7) DNs don't match: 'CN=Omero Test
> Account,OU=Members,OU=215-Test Group,OU=AAA,DC=bbb,DC=loc' and 'cn=Omero
> Test Account,ou=Members,ou=215-Test Group,ou=AAA,dc=bbb,dc=loc'
> 2013-02-11 16:53:33,359 WARN [ ome.security.auth.LdapPasswordProvider]
> (l.Server-7) DNs don't match: 'CN=Omero Test
> Account,OU=Members,OU=215-Test Group,OU=AAA,DC=bbb,DC=loc' and 'cn=Omero
> Test Account,ou=Members,ou=215-Test Group,ou=AAA,dc=bbb,dc=loc'
> 2013-02-11 16:53:36,362 INFO [ ome.services.util.ServiceHandler]
> (l.Server-7) Excp: ome.conditions.ValidationException: DNs don't match:
> 'CN=Omero Test Account,OU=Members,OU=215-Test Group,OU=AAA,DC=bbb,DC=loc'
> and 'cn=Omero Test Account,ou=Members,ou=215-Test
> Group,ou=AAA,dc=bbb,dc=loc'
> ome.conditions.ValidationException: DNs don't match: 'CN=Omero Test
> Account,OU=Members,OU=215-Test Group,OU=AAA,DC=bbb,DC=loc' and 'cn=Omero
> Test Account,ou=Members,ou=215-Test Group,ou=AAA,dc=bbb,dc=loc'
>
> When the distinguished name is changed (just changing the CN/OU/DC to
> lower case) using setdn to:
> 'cn=Omero Test Account,ou=Members,ou=215-Test Group,ou=AAA,dc=bbb,dc=loc'
>
>
> and the login is successful.
>
> Any ideas why this happens?

This is a known issue in OMERO (http://trac.openmicroscopy.org/ome/ticket/4821). The DN comparison is done on a case-sensitive basis when checking the user password. We are working on fixing it in the next major release. We don't know yet if it will be backported to the 4.4 line (there is certainly a possibility to do it).

> And ideas about migrating existing omero users DNs to the new domain?

One possibility would be a script invoking bin/omero ldap getdn and setdn for each user. Another option is using the LDAP services directly through the Python API provided by OMERO.

> Thanks
> Chris

Regards,
Blazej
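
Added example, not part of the original message and not OMERO code: a Python sketch of a DN comparison that ignores attribute-type case, plus a helper that produces the lower-case form that logged in successfully above. The function names and the CASE_IGNORE set are assumptions made for this illustration; multi-valued RDNs ('+') are not split.

```python
import re

# Assumption: these attribute types use caseIgnoreMatch, so their values are
# compared case-insensitively; values of any other type are compared exactly.
CASE_IGNORE = {"cn", "ou", "dc", "o", "l", "st", "c", "uid"}

def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped (RFC 4514)."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts

def parse_dn(dn):
    """Return [(attribute_type, value), ...]; reject an RDN without 'type='."""
    rdns = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError("malformed RDN: %r" % rdn)
        rdns.append((attr.strip(), value.strip()))
    return rdns

def dn_key(dn):
    """Comparison key: types lower-cased, whitespace runs (e.g. mail wrapping) collapsed."""
    key = []
    for attr, value in parse_dn(dn):
        attr = attr.lower()
        value = re.sub(r"\s+", " ", value)
        key.append((attr, value.lower() if attr in CASE_IGNORE else value))
    return tuple(key)

def dns_match(a, b):
    """True when both DNs name the same entry under the rules above."""
    return dn_key(a) == dn_key(b)

def lower_attribute_types(dn):
    """Lower-case only the attribute types; values are left untouched."""
    return ",".join("%s=%s" % (a.lower(), v) for a, v in parse_dn(dn))
```

The string returned by lower_attribute_types() is what a per-user migration script would pass to setdn while the server-side comparison remains case-sensitive.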
