[ome-users] LDAP : Path does not chain with any of the trust anchors
Mason, David [dnmason]
D.N.Mason at liverpool.ac.uk
Mon Jul 31 14:27:18 BST 2017
Hi Kenny,
Thanks for the clarification wrt LDAP/local users.
I agree with you that there is something messing up the secure LDAP query. For the time being, I've dropped back to ldap instead of ldaps and at least users can access their data.
Best,
Dave
Date: Wed, 26 Jul 2017 15:17:27 +0000
From: "Kenneth Gillen (Staff)" <k.h.gillen at dundee.ac.uk>
To: OME User Support List <ome-users at lists.openmicroscopy.org.uk>
Subject: Re: [ome-users] LDAP : Path does not chain with any of the trust anchors
Message-ID: <D59E5885.86006%k.h.gillen at dundee.ac.uk>
Content-Type: text/plain; charset="utf-8"
Hi Dave,
I'll start, but I'm sure others in the community will be able to add more.
>1) Any thoughts on why this might happen (my IT department say nothing
>has changed on their side - and in fairness my other LDAP calls work - ie
>on another server)
I'd have guessed at some certificate expiry in the chain, but if they're
sure nothing changed, we'll have to work through the certs anyway.
The first thing I'd do would be to verify what certificate you need
to install to communicate with the LDAP server, and make sure it's added
to a java keystore which OMERO can access. [1], [2].
You can use `ldapsearch` on the command line to verify access to the
directory, [3], [4]
>2) I tried setting [omero.ldap.config=false] hoping that the logins would
>fall back to the cached database but I get the same error on login. Is
>this expected behaviour?
Yes, this is expected. I would set `omero.ldap.config=false` when I wanted
to disable LDAP auth for testing, and use local OMERO users instead. I use
local OMERO credentials when that setting is false, for accounts which
would otherwise be ldap accounts, rather than any cached credentials.
[1] https://docs.openmicroscopy.org/omero/5.3.3/sysadmins/server-ldap.html#ldap-over-ssl
[2] https://docs.openmicroscopy.org/omero/5.3.3/sysadmins/server-security.html#java-key-and-truststores
[3] https://docs.oracle.com/cd/E22289_01/html/821-1273/testing-ssl-starttls-and-sasl.html
[4] https://www.openmicroscopy.org/community/viewtopic.php?f=5&t=7348
All the best,
Kenny
--
Kenneth Gillen
OME System Administrator
Wellcome Trust Centre for Gene Regulation & Expression
School of Life Sciences
CTIR 2
University of Dundee
Dow Street
Dundee DD1 5EH
United Kingdom
Tel: +44 (0) 1382 388797
http://www.twitter.com/openmicroscopy
From: ome-users <ome-users-bounces at lists.openmicroscopy.org.uk> on behalf
of "Mason, David [dnmason]" <D.N.Mason at liverpool.ac.uk>
Reply-To: OME User Support List <ome-users at lists.openmicroscopy.org.uk>
Date: Wednesday, 26 July 2017 14:17
To: "ome-users at lists.openmicroscopy.org.uk"
<ome-users at lists.openmicroscopy.org.uk>
Subject: [ome-users] LDAP : Path does not chain with any of the trust anchors
Hello List,
I'm running OMERO 5.3.1-ice36-b61 on a Ubuntu 14.04LTS server
authenticating with LDAP. Just last week, an LDAP user noticed that they
couldn't log in (Error user-side is
"Error: Connection not available, please check your user name and
password."). I checked the logs and I'm getting the following bind failure:
2017-07-24 10:56:38,787 ERROR [ o.s.blitz.fire.PermissionsVerifierI]
(erver-2819) Exception thrown while checking password for:[myUserName]
ome.conditions.InternalException: Wrapped Exception:
(org.springframework.ldap.CommunicationException):
simple bind failed: [myServer]:636; nested exception is
javax.naming.CommunicationException: simple bind failed:
[myServer]:636 [Root exception is javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path validation failed:
java.security.cert.CertPathValidatorException: Path does not chain with
any of the trust anchors]
Local users can still log in (same with Public), but LDAP is failing for a
reason unbeknown to me.
Two questions:
1) Any thoughts on why this might happen (my IT department say nothing has
changed on their side - and in fairness my other LDAP calls work - ie on
another server)
2) I tried setting [omero.ldap.config=false] hoping that the logins would
fall back to the cached database but I get the same error on login. Is
this expected behaviour?
Any thoughts appreciated,
Dave