[ome-users] LDAP Config for PosixGroups
Andreas Mueller
Andreas.Mueller at Biologie.Uni-Osnabrueck.DE
Thu Jan 31 15:10:15 GMT 2019
> Also could you first try minimum config please
> https://docs.openmicroscopy.org/omero/5.4.10/sysadmins/server-ldap.html#minimum-configuration
> It should help to narrow down where the problem is
>
>
Hi Ola,
[omero at omero3 OMERO.server]$ bin/omero config get | grep ldap
omero.ldap.base=ou=people,dc=uni-osnabrueck,dc=de
omero.ldap.config=true
omero.ldap.urls=ldaps://ldap.uni-osnabrueck.de
after:
$ bin/omero ldap create andrmuel
I got a lot of errors ... see error_ldap.txt (attached)
_____________
[omero at omero3 OMERO.server]$ bin/omero config get | grep ldap
omero.ldap.base=ou=people,dc=uni-osnabrueck,dc=de
omero.ldap.config=true
omero.ldap.urls=ldaps://ldap.uni-osnabrueck.de
omero.ldap.user_mapping=omeName=uid
after:
$ bin/omero ldap create andrmuel
I got only a few lines; you see them all here:
> not-null property references a null or transient value:
> ome.model.meta.Experimenter.firstName; nested exception is
> org.hibernate.PropertyValueException: not-null property references a
> null or transient value: ome.model.meta.Experimenter.firstName
It seems that the login process cannot read the hidden attributes
givenName and sn.
I've tried this:
bin/omero config set omero.ldap.user_mapping omeName=uid,firstName=gecos,lastName=gidNumber
OK, that makes no sense, but it's only for a test (gecos and gidNumber
are not hidden).
And - HURRAH - I can log in!!!
But: with the wrong firstName, the wrong lastName, and everyone can
log in to the system. I have no restrictions.
____
I think OMERO has to log in to the LDAP system with the DN of the user
and *then* read the private (hidden) attributes, because only the user
can read their own attributes.
> Can you fix that ????
___
Next step: how can I restrict the access?
--- Thanks A Lot For Your Help !!! ---
Andreas
-------------- next part --------------
tmero3 OMERO.server]$ bin/omero ldap create andrmuel
Using session for root at localhost:4064. Idle timeout: 10 min. Current group: system
Traceback (most recent call last):
File "bin/omero", line 130, in <module>
rv = omero.cli.argv()
File "/home/omero/OMERO.server-5.4.9-ice36-b101/lib/python/omero/cli.py", line 1620, in argv
cli.invoke(args[1:])
File "/home/omero/OMERO.server-5.4.9-ice36-b101/lib/python/omero/cli.py", line 1095, in invoke
stop = self.onecmd(line, previous_args)
File "/home/omero/OMERO.server-5.4.9-ice36-b101/lib/python/omero/cli.py", line 1172, in onecmd
self.execute(line, previous_args)
File "/home/omero/OMERO.server-5.4.9-ice36-b101/lib/python/omero/cli.py", line 1254, in execute
args.func(args)
File "/home/omero/OMERO.server-5.4.9-ice36-b101/lib/python/omero/cli.py", line 644, in _check_admin
return func(*args, **kwargs)
File "/home/omero/OMERO.server-5.4.9-ice36-b101/lib/python/omero/plugins/ldap.py", line 249, in create
exp = ildap.createUser(args.username)
File "/home/omero/OMERO.server-5.4.9-ice36-b101/lib/python/omero_api_ILdap_ice.py", line 741, in createUser
return _M_omero.api.ILdap._op_createUser.invoke(self, ((username, ), _ctx))
omero.ApiUsageException: exception ::omero::ApiUsageException
{
serverStackTrace = ome.conditions.ApiUsageException: Cannot find unique user DistinguishedName: found=0
at ome.logic.LdapImpl.mapUserName(LdapImpl.java:213)
at ome.logic.LdapImpl.findExperimenter(LdapImpl.java:174)
at ome.logic.LdapImpl.createUser(LdapImpl.java:477)
at ome.logic.LdapImpl.createUser(LdapImpl.java:439)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
at ome.security.basic.EventHandler.invoke(EventHandler.java:154)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.orm.hibernate3.HibernateInterceptor.invoke(HibernateInterceptor.java:111)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:108)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at ome.tools.hibernate.ProxyCleanupFilter$Interceptor.invoke(ProxyCleanupFilter.java:249)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at ome.services.util.ServiceHandler.invoke(ServiceHandler.java:121)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
at com.sun.proxy.$Proxy93.createUser(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
at ome.security.basic.BasicSecurityWiring.invoke(BasicSecurityWiring.java:93)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at ome.services.blitz.fire.AopContextInitializer.invoke(AopContextInitializer.java:43)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
at com.sun.proxy.$Proxy93.createUser(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at ome.services.blitz.util.IceMethodInvoker.invoke(IceMethodInvoker.java:172)
at ome.services.throttling.Callback.run(Callback.java:56)
at ome.services.throttling.InThreadThrottlingStrategy.callInvokerOnRawArgs(InThreadThrottlingStrategy.java:56)
at ome.services.blitz.impl.AbstractAmdServant.callInvokerOnRawArgs(AbstractAmdServant.java:140)
at ome.services.blitz.impl.LdapI.createUser_async(LdapI.java:116)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
at omero.cmd.CallContext.invoke(CallContext.java:85)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
at com.sun.proxy.$Proxy94.createUser_async(Unknown Source)
at omero.api._ILdapTie.createUser_async(_ILdapTie.java:66)
at omero.api._ILdapDisp.___createUser(_ILdapDisp.java:587)
at omero.api._ILdapDisp.__dispatch(_ILdapDisp.java:635)
at IceInternal.Incoming.invoke(Incoming.java:221)
at Ice.ConnectionI.invokeAll(ConnectionI.java:2536)
at Ice.ConnectionI.dispatch(ConnectionI.java:1145)
at Ice.ConnectionI.message(ConnectionI.java:1056)
at IceInternal.ThreadPool.run(ThreadPool.java:395)
at IceInternal.ThreadPool.access$300(ThreadPool.java:12)
at IceInternal.ThreadPool$EventHandlerThread.run(ThreadPool.java:832)
at java.lang.Thread.run(Thread.java:748)
serverExceptionClass = ome.conditions.ApiUsageException
message = Cannot find unique user DistinguishedName: found=0
}
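As an added diagnostic (not OMERO code and not part of the post), the following Python models the two problems reported above: an attribute that the search bind cannot read maps to a null Experimenter field, which is the PropertyValueException shown, and a missing omero.ldap.user_filter lets every entry under the base log in. The config dump, the set of attributes visible to the search bind and the gidNumber filter are constructed here; that OMERO fills the Experimenter fields from the search it performs with the configured bind (omero.ldap.username, or anonymous) rather than with the user's own DN is an assumption stated here, not confirmed by the post.

```python
# Constructed sample: the post's config plus the OMERO default attribute mapping, in the
# form printed by `bin/omero config get` (omero.ldap.user_filter is not set).
POST_CONFIG = """
omero.ldap.base=ou=people,dc=uni-osnabrueck,dc=de
omero.ldap.config=true
omero.ldap.urls=ldaps://ldap.uni-osnabrueck.de
omero.ldap.user_mapping=omeName=uid,firstName=givenName,lastName=sn,email=mail
"""
# Constructed: attributes of a posixAccount entry that the search bind (the account in
# omero.ldap.username, or anonymous) can read; givenName and sn are hidden from it.
SERVICE_VISIBLE_ATTRS = {"objectClass", "uid", "cn", "uidNumber", "gidNumber", "gecos"}
# Constructed OMERO-side fix: a user_filter (the gidNumber value is a placeholder). The
# directory-side fix is an ACL that lets the search bind read givenName and sn.
FIXED_CONFIG = POST_CONFIG + "omero.ldap.user_filter=(gidNumber=1234)\n"
DEFAULT_MAPPING = "omeName=cn,firstName=givenName,lastName=sn,email=mail"
# Experimenter columns that are NOT NULL; a null here is the PropertyValueException in the post.
REQUIRED_FIELDS = ("omeName", "firstName", "lastName")

def parse_config(dump):
    """Parse `bin/omero config get` lines into a dict; a repeated key keeps the last value."""
    cfg = {}
    for line in dump.strip().splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.startswith("omero.ldap."):
            cfg[key] = value
    return cfg

def parse_mapping(mapping):
    """'omeName=uid,firstName=givenName' -> {'omeName': 'uid', 'firstName': 'givenName'}."""
    return dict(pair.split("=", 1) for pair in mapping.split(",") if "=" in pair)

def check_config(dump, visible_attrs):
    """Return findings; an empty list means the mapping resolves and access is filtered."""
    cfg = parse_config(dump)
    findings = []
    if not cfg.get("omero.ldap.urls", "").startswith("ldaps://"):
        findings.append("urls are not ldaps://: bind passwords cross the network in clear")
    mapping = parse_mapping(cfg.get("omero.ldap.user_mapping", DEFAULT_MAPPING))
    for field in REQUIRED_FIELDS:
        attr = mapping.get(field)
        if attr is None:
            findings.append(f"{field}: no LDAP attribute mapped")
        elif attr not in visible_attrs:
            findings.append(f"{field}: '{attr}' is not readable by the search bind, "
                            "so it arrives null and user creation fails")
    if not cfg.get("omero.ldap.user_filter"):
        findings.append("no omero.ldap.user_filter: every entry under the base can log in")
    return findings
```

Running `check_config(POST_CONFIG, SERVICE_VISIBLE_ATTRS)` reports firstName and lastName as unreadable plus the missing filter; once the directory grants the search bind read access to givenName and sn and the filter is set, the findings list is empty.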