[ome-users] LDAP : Path does not chain with any of the trust anchors

Kenneth Gillen (Staff) k.h.gillen at dundee.ac.uk
Wed Jul 26 16:17:27 BST 2017


Hi Dave,

I’ll start, but I’m sure others in the community will be able to add more.

>1) Any thoughts on why this might happen (my IT department say nothing
>has changed on their side - and in fairness my other LDAP calls work - ie
>on another server)

I’d have guessed at some certificate expiry in the chain, but if they’re
sure nothing changed, we’ll have to work through the certs anyway.

The first thing I’d do would be to verify what certificate you need
to install to communicate with the LDAP server, and make sure it’s added
to a java keystore which OMERO can access. [1], [2].

You can use `ldapsearch` on the command line to verify access to the
directory [3], [4].


>2) I tried setting [omero.ldap.config=false] hoping that the logins would
>fall back to the cached database but I get the same error on login. Is
>this expected behaviour?

Yes, this is expected. I would set `omero.ldap.config=false` when I wanted
to disable LDAP auth for testing, and use local OMERO users instead. I use
local OMERO credentials when that setting is false, for accounts which
would otherwise be LDAP accounts, rather than any cached credentials.

[1] https://docs.openmicroscopy.org/omero/5.3.3/sysadmins/server-ldap.html#ldap-over-ssl
[2] https://docs.openmicroscopy.org/omero/5.3.3/sysadmins/server-security.html#java-key-and-truststores
[3] https://docs.oracle.com/cd/E22289_01/html/821-1273/testing-ssl-starttls-and-sasl.html
[4] https://www.openmicroscopy.org/community/viewtopic.php?f=5&t=7348

All the best,

Kenny

--

Kenneth Gillen

OME System Administrator

Wellcome Trust Centre for Gene Regulation & Expression
School of Life Sciences
CTIR 2
University of Dundee
Dow Street
Dundee  DD1 5EH
United Kingdom

Tel: +44 (0) 1382 388797


http://www.twitter.com/openmicroscopy
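As an added example (not part of this thread, and not an OMERO tool), the check Kenny describes above can be scripted: pull the chain the LDAPS server actually presents, find the CA at its top, and see whether that CA sits in the Java truststore the OMERO JVM is configured with (see [2]). It assumes `openssl` and the JDK `keytool` are on PATH; the hostname, keystore path and password are placeholders passed on the command line.

```shell
#!/usr/bin/env bash
# Added diagnostic (not from the thread or OMERO): compare the CA at the top of
# the chain an LDAPS server sends with the contents of a Java truststore.
# Assumes openssl and the JDK keytool are on PATH; host, keystore path and
# password are placeholders supplied on the command line.
set -eu

# Fetch the chain the server presents on port 636 (LDAPS), with SNI set.
fetch_chain() {
    openssl s_client -connect "$1:636" -servername "$1" -showcerts </dev/null 2>/dev/null
}

# From `openssl s_client -showcerts` output on stdin, print the issuer of the
# last certificate the server sent: that issuer must be a trust anchor in the
# keystore, otherwise Java reports "Path does not chain with any of the trust anchors".
expected_anchor() {
    awk '/^ *[0-9]+ s:/ { in_chain = 1 }
         in_chain && /^ *i:/ { sub(/^ *i:/, ""); last = $0 }
         in_chain && /^---$/ { exit }
         END { print last }'
}

# Extract the CN from a subject/issuer line in either openssl format:
# "C = GB, O = Example, CN = Example Root CA" or "/C=GB/O=Example/CN=Example Root CA".
cn_of() {
    sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//'
}

# Return 0 if some entry in the JKS/PKCS12 truststore has that CN in its Owner line.
# Output is captured first so grep -q cannot leave keytool with a broken pipe.
anchor_in_truststore() {
    local cn=$1 store=$2 pass=$3 listing
    listing=$(keytool -list -v -keystore "$store" -storepass "$pass" 2>/dev/null)
    printf '%s\n' "$listing" | grep '^Owner:' | grep -F -q "CN=$cn"
}

# Usage: ldaps-chain-check.sh <ldap host> <truststore> [storepass]
# Nothing runs without arguments, so the functions can be sourced and reused.
if [ $# -ge 2 ]; then
    anchor=$(fetch_chain "$1" | expected_anchor)
    cn=$(printf '%s\n' "$anchor" | cn_of)
    echo "Server chain ends at issuer: $anchor"
    if anchor_in_truststore "$cn" "$2" "${3:-changeit}"; then
        echo "OK: a certificate with CN=$cn is present in $2"
    else
        echo "MISSING: CN=$cn is not in $2; import that CA and restart OMERO"
    fi
fi
```

If the server sends only its leaf certificate, the printed issuer is the intermediate CA, and both the intermediate and its root need to be importable before the JVM's PKIX validator will accept the chain.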





From:  ome-users <ome-users-bounces at lists.openmicroscopy.org.uk> on behalf
of "Mason, David [dnmason]" <D.N.Mason at liverpool.ac.uk>
Reply-To:  OME User Support List <ome-users at lists.openmicroscopy.org.uk>
Date:  Wednesday, 26 July 2017 14:17
To:  "ome-users at lists.openmicroscopy.org.uk"
<ome-users at lists.openmicroscopy.org.uk>
Subject:  [ome-users] LDAP : Path does not chain with any of the trust
anchors


Hello List,

I'm running OMERO 5.3.1-ice36-b61 on a Ubuntu 14.04LTS server
authenticating with LDAP. Just last week, an LDAP user noticed that they
couldn't log in (Error user-side is
"Error: Connection not available, please check your user name and
password."). I checked the logs and I'm getting the following bind failure:

2017-07-24 10:56:38,787 ERROR [     o.s.blitz.fire.PermissionsVerifierI]
(erver-2819) Exception thrown while checking password for:[myUserName]
ome.conditions.InternalException:  Wrapped Exception:
(org.springframework.ldap.CommunicationException):

simple bind failed: [myServer]:636; nested exception is
javax.naming.CommunicationException: simple bind failed:
[myServer]:636 [Root exception is javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path validation failed:
java.security.cert.CertPathValidatorException: Path does not chain with
any of the trust anchors]

Local users can still log in (same with Public), but LDAP is failing for a
reason unbeknown to me.

Two questions:
1) Any thoughts on why this might happen (my IT department say nothing has
changed on their side - and in fairness my other LDAP calls work - ie on
another server)
2) I tried setting [omero.ldap.config=false] hoping that the logins would
fall back to the cached database but I get the same error on login. Is
this expected behaviour?

Any thoughts appreciated,

Dave

