[ome-users] LDAP problems

Josh Moore josh at glencoesoftware.com
Wed Jun 17 16:50:48 BST 2015


On Wed, Jun 17, 2015 at 3:58 PM, Wood, Christopher <CJW at stowers.org> wrote:
> Hi,

Hi Chris,

> We just upgraded OMERO from 5.0.6 to 5.1.2 at the same time moving to
> different virtual hardware, and we are having some issues with LDAP
> accounts.

First off, sorry that we've done this to you yet again. I think we
need to get a LDIF file from you for our integration tests!


> As in the past, our account names are sometimes all uppercase, or all
> lowercase – but no one uses uppercase to login to anything. The work around
> has been to use:
>
> omero.security.password_provider=chainedPasswordProvider431
>
> and create user names with lowercase and use the omero command line/python
> script to set the ldap dn. It doesn’t seem that this option is available any
> more (api docs say it is deprecated).

Correct. Storing the DN in the database was leading to trouble
elsewhere since if the value changed, users were equally locked out.


> When I do:
> bin/omero ldap list
>
> the users with "official" uppercase names give an error, others give the
> dn.
>
> The log files give errors such as:
>
> 1714:2015-06-16 14:52:27,966 INFO  [
> ome.services.util.ServiceHandler] (l.Server-3)  Excp:
> ome.conditions.ApiUsageException: Cannot find unique user DistinguishedName:
> found=1
>
> Does anyone know of a solution or workaround to this problem? I found some
> tickets for this issue, but they didn’t seem to be resolved.

I think you just (in)volunteered to be our first external tester for:
omero.security.ignore_case=true
See https://github.com/openmicroscopy/openmicroscopy/blob/v5.1.2/etc/omero.properties#L108

I would think if you drop your use of chainedPasswordProvider431 and
ignore case, i.e.:

  bin/omero config set omero.security.password_provider
  bin/omero config set omero.security.ignore_case true

Then logins should start working again. Please be sure to see the
warning at that location, and ask any questions if things are unclear.

Sorry again for the trouble.

Cheers,
~Josh.


> here are the LDAP settings
>
> omero.ldap.base=DC=sgc,DC=loc
> omero.ldap.config=true
> omero.ldap.password=*****
> omero.ldap.referral=follow
> omero.ldap.urls=ldap://directory.*.****
> omero.ldap.user_filter=(objectClass=person)
> omero.ldap.user_mapping=omeName=sAMAccountName,firstName=givenName,lastName=sn,email=mail
> omero.ldap.username=CN=*** ** ***,OU=Accounts-Infra,OU=AD
> Infrastructure,DC=sgc,DC=loc
>
> Thanks
> Chris
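As an added illustration, not OMERO's own code and not part of the thread, of what the ignore_case switch changes in a lookup like the one Chris describes: a constructed resolver over constructed directory entries, with the attribute and object class taken from the omero.ldap.user_mapping and omero.ldap.user_filter settings quoted above. The last two entries differ only in case to show why a case-folded lookup still has to insist on exactly one match.

```python
from typing import Dict, List

class UniqueUserError(Exception):
    """Login did not resolve to exactly one directory entry."""

# Constructed sample directory (not a real export): the "official" spelling of
# the first two accounts is uppercase, as in the thread; the Doe pair differs
# only in case and shows the collision that case folding can introduce.
LDAP_ENTRIES: List[Dict[str, str]] = [
    {"dn": "CN=Alice Example,OU=Users,DC=sgc,DC=loc", "sAMAccountName": "AEXAMPLE", "objectClass": "person"},
    {"dn": "CN=Bob Example,OU=Users,DC=sgc,DC=loc", "sAMAccountName": "BEXAMPLE", "objectClass": "person"},
    {"dn": "CN=Carol Doe,OU=Users,DC=sgc,DC=loc", "sAMAccountName": "CDOE", "objectClass": "person"},
    {"dn": "CN=Cyril Doe,OU=Users,DC=sgc,DC=loc", "sAMAccountName": "cdoe", "objectClass": "person"},
    {"dn": "CN=omero-svc,OU=Svc,DC=sgc,DC=loc", "sAMAccountName": "omero-svc", "objectClass": "computer"},
]

OME_NAME_ATTR = "sAMAccountName"   # omero.ldap.user_mapping=omeName=sAMAccountName
USER_OBJECT_CLASS = "person"       # omero.ldap.user_filter=(objectClass=person)

def find_dn(login: str, ignore_case: bool, entries: List[Dict[str, str]] = LDAP_ENTRIES) -> str:
    """Return the single DN whose mapped name equals the login.

    ignore_case=False compares names byte-for-byte, so a lowercase login cannot
    match an uppercase sAMAccountName; ignore_case=True folds both sides to
    lowercase first. Either way the login must match exactly one entry; the
    lookup is rejected rather than guessing between candidates.
    """
    fold = (lambda s: s.lower()) if ignore_case else (lambda s: s)
    matches = [e["dn"] for e in entries
               if e["objectClass"] == USER_OBJECT_CLASS
               and fold(e[OME_NAME_ATTR]) == fold(login)]
    if len(matches) != 1:
        raise UniqueUserError(f"Cannot find unique user {OME_NAME_ATTR}: found={len(matches)}")
    return matches[0]

def resolve(login: str, ignore_case: bool) -> str:
    """Convenience wrapper: the DN on success, otherwise the error text."""
    try:
        return find_dn(login, ignore_case)
    except UniqueUserError as err:
        return f"ERROR: {err}"

if __name__ == "__main__":
    for login in ("aexample", "AEXAMPLE", "cdoe"):
        for ignore_case in (False, True):
            print(f"ignore_case={ignore_case!s:5} login={login:9} -> {resolve(login, ignore_case)}")
```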


