[ome-users] LDAP : Path does not chain with any of the trust anchors

Josh Moore josh at glencoesoftware.com
Thu Aug 10 14:08:23 BST 2017


Hi Dave,

On Mon, Jul 31, 2017 at 3:27 PM, Mason, David [dnmason]
<D.N.Mason at liverpool.ac.uk> wrote:
> Hi Kenny,
>
> Thanks for the clarification wrt LDAP/local users.
>
> I agree with you that there is something messing up the secure LDAP query.
> For the time being, I've dropped back to ldap instead of ldaps and at least
> users can access their data.

Did you have success getting back to LDAPS?

Cheers,
~Josh.


> Best,
> Dave
>
>
> Date: Wed, 26 Jul 2017 15:17:27 +0000
> From: "Kenneth Gillen (Staff)" <k.h.gillen at dundee.ac.uk>
> To: OME User Support List <ome-users at lists.openmicroscopy.org.uk>
> Subject: Re: [ome-users] LDAP : Path does not chain with any of the
>         trust anchors
> Message-ID: <D59E5885.86006%k.h.gillen at dundee.ac.uk>
> Content-Type: text/plain; charset="utf-8"
>
> Hi Dave,
>
> I'll start, but I'm sure others in the community will be able to add more.
>
>>1) Any thoughts on why this might happen (my IT department say nothing
>>has changed on their side - and in fairness my other LDAP calls work - ie
>>on another server)
>
> I'd have guessed at some certificate expiry in the chain, but if they're
> sure nothing changed, we'll have to work through the certs anyway.
>
> The first thing I'd do would be to verify what certificate you need
> to install to communicate with the LDAP server, and make sure it's added
> to a java keystore which OMERO can access. [1], [2].
>
> You can use `ldapsearch` on the command line to verify access to the
> directory, [3], [4]
>
>
>>2) I tried setting [omero.ldap.config=false] hoping that the logins would
>>fall back to the cached database but I get the same error on login. Is
>>this expected behaviour?
>
> Yes, this is expected. I would set `omero.ldap.config=false` when I wanted
> to disable LDAP auth for testing, and use local OMERO users instead. I use
> local OMERO credentials when that setting is false, for accounts which
> would otherwise be ldap accounts, rather than any cached credentials.
>
> [1] https://docs.openmicroscopy.org/omero/5.3.3/sysadmins/server-ldap.html#ldap-over-ssl
> [2] https://docs.openmicroscopy.org/omero/5.3.3/sysadmins/server-security.html#java-key-and-truststores
> [3] https://docs.oracle.com/cd/E22289_01/html/821-1273/testing-ssl-starttls-and-sasl.html
> [4] https://www.openmicroscopy.org/community/viewtopic.php?f=5&t=7348
>
> All the best,
>
> Kenny
>
> --
>
> Kenneth Gillen
>
> OME System Administrator
>
> Wellcome Trust Centre for Gene Regulation & Expression
> School of Life Sciences
> CTIR 2
> University of Dundee
> Dow Street
> Dundee  DD1 5EH
> United Kingdom
>
> Tel: +44 (0) 1382 388797
>
>
> http://www.twitter.com/openmicroscopy
>
> From:  ome-users <ome-users-bounces at lists.openmicroscopy.org.uk> on behalf
> of "Mason, David [dnmason]" <D.N.Mason at liverpool.ac.uk>
> Reply-To:  OME User Support List <ome-users at lists.openmicroscopy.org.uk>
> Date:  Wednesday, 26 July 2017 14:17
> To:  "ome-users at lists.openmicroscopy.org.uk"
> <ome-users at lists.openmicroscopy.org.uk>
> Subject:  [ome-users] LDAP : Path does not chain with any of the trust
> anchors
>
>
> Hello List,
>
> I'm running OMERO 5.3.1-ice36-b61 on a Ubuntu 14.04LTS server
> authenticating with LDAP. Just last week, an LDAP user noticed that they
> couldn't log in (Error user-side is
> "Error: Connection not available, please check your user name and
> password.". I checked the logs and I'm getting the following bind failure:
>
> 2017-07-24 10:56:38,787 ERROR [     o.s.blitz.fire.PermissionsVerifierI]
> (erver-2819) Exception thrown while checking password for:[myUserName]
> ome.conditions.InternalException:  Wrapped Exception:
> (org.springframework.ldap.CommunicationException):
>
> simple bind failed: [myServer]:636; nested exception is
> javax.naming.CommunicationException: simple bind failed:
> [myServer]:636 [Root exception is javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path validation failed:
> java.security.cert.CertPathValidatorException: Path does not chain with
> any of the trust anchors]
>
> Local users can still log in (same with Public), but LDAP is failing for a
> reason unbeknown to me.
>
> Two questions:
> 1) Any thoughts on why this might happen (my IT department say nothing has
> changed on their side - and in fairness my other LDAP calls work - ie on
> another server)
> 2) I tried setting [omero.ldap.config=false] hoping that the logins would
> fall back to the cached database but I get the same error on login. Is
> this expected behaviour?
>
> Any thoughts appreciated,
>
> Dave
>
>
> The University of Dundee is a registered Scottish Charity, No: SC015096
>
>
>
> _______________________________________________
> ome-users mailing list
> ome-users at lists.openmicroscopy.org.uk
> http://lists.openmicroscopy.org.uk/mailman/listinfo/ome-users
>
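Kenny's suggested route (check which CA actually signed the LDAPS server's certificate, then get that CA into a Java truststore OMERO can read) as an added, runnable example that is not part of the thread or of OMERO itself. It builds a throwaway CA and server certificate offline so the "does not chain" condition can be reproduced without a directory server; it assumes `openssl` is installed and treats `keytool` as optional.

```shell
#!/bin/sh
# Added example, not code from the thread or from OMERO: reproduce the JVM's
# "Path does not chain with any of the trust anchors" condition offline with a
# throwaway CA, then apply the fix: verify the chain against the right CA and
# import that CA into a Java truststore. Assumes openssl; keytool is optional.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI: a private CA, a server cert it signs, and an unrelated
# CA that stands in for a truststore holding the wrong anchor.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test LDAP CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -out "$WORK/server.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1
}

# verify_chain SERVER_CERT CA_FILE -> prints "ok" or "fail".
# This is the same check the JVM performs against its truststore. With a live
# server, capture the presented chain first with:
#   openssl s_client -connect host:636 -showcerts </dev/null
verify_chain() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# import_ca CA_FILE KEYSTORE: add the CA to a Java truststore that OMERO's JVM
# can be pointed at (javax.net.ssl.trustStore). Skipped when keytool is absent.
import_ca() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipped"; return 0; }
  if keytool -importcert -noprompt -trustcacerts -alias ldap-ca -file "$1" \
       -keystore "$2" -storepass changeit >/dev/null 2>&1; then
    echo imported
  else
    echo "import failed"
  fi
}

make_test_pki
echo "server cert vs. its own CA:   $(verify_chain "$WORK/server.pem" "$WORK/ca.pem")"
echo "server cert vs. unrelated CA: $(verify_chain "$WORK/server.pem" "$WORK/other.pem")"
import_ca "$WORK/ca.pem" "$WORK/omero-truststore.jks"
```

The "unrelated CA" line is the state Dave's server is in: the truststore the JVM consults holds no anchor that signed the certificate the LDAP server now presents, so the handshake is rejected before the bind is attempted.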

