
help with LDAP setup

PostPosted: Mon Jul 04, 2016 10:26 pm
by SteveO
Hi OMERO team-

Successfully deployed omero 5.2.4 and am trying to configure LDAP authentication to our institutional AD.
I'm partially successful - at least I think OMERO is querying the AD, because the error I get in the Blitz log when I try to authenticate using my ldap credentials from the web interface is:
Default choice on create user: stephenogg (ome.conditions.ApiUsageException: Cannot find unique user DistinguishedName: found=1)

I'm not sure how to diagnose this further-
Here are my config settings:
omero@med-omero:~/OMERO.server$ bin/omero config get --hide-password
omero.data.dir=/OMERO
omero.db.name=omero_database
omero.db.pass=********
omero.db.user=omero_pg_user
omero.ldap.base=ou=Core Research Facilities,ou=Research,dc=med,dc=ualberta,dc=ca
omero.ldap.config=true
omero.ldap.password=********
omero.ldap.urls=ldap://med-dc1.med.ualberta.ca:3268
omero.ldap.user_mapping=omeName=sAMAccountName,firstName=givenName,lastName=sn,email=mail,institution=department,middleName=middleName
omero.ldap.username=MED\omero_ldap
omero.web.appliation_server=wsgi
omero.web.application_server=wsgi


and here is what I think the query would be using ldapsearch:
omero@med-omero:~/OMERO.server$ ldapsearch -x -H ldap://med-dc1.med.ualberta.ca:3268 -b 'ou=Core Research Facilities,ou=Research,dc=med,dc=ualberta,dc=ca' -D 'MED\omero_ldap' -W '(&(objectClass=person)(SAMAccountName=stephenogg))' dn
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=Core Research Facilities,ou=Research,dc=med,dc=ualberta,dc=ca> with scope subtree
# filter: (&(objectClass=person)(SAMAccountName=stephenogg))
# requesting: dn
#

# Stephen Ogg, Cell Imaging, Core Research Facilities, Research, med.ualberta.ca
dn: CN=Stephen Ogg,OU=Cell Imaging,OU=Core Research Facilities,OU=Research,DC=med,DC=ualberta,DC=ca

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


Any help appreciated.

Thanks

In addition, once authentication is sorted, I would like to put users into groups based on an entry in their Active Directory attributes. I have retrieved the "memberOf" from a typical user below and you can see that one of the groups she is a member of is the "Evans Lab". I'm wondering how to correctly configure the group mapping, group filter and new user group properties to set groups for people who will all be in different "Labs" as in "Evans lab", "Touret Lab", etc.? I'm not an LDAP user and the "Group Lookup" section of the LDAP Authentication page suggests I need the new user group prefixed with :filtered_attribute:memberOf and then construct a group filter that matches the memberOf I want to use - but how?

Again, any help would be greatly appreciated.

omero@med-omero:~/OMERO.server$ ldapsearch -x -H ldap://med-dc1.med.ualberta.ca:3268 -b 'ou=Core Research Facilities,ou=Research,dc=med,dc=ualberta,dc=ca' -D 'MED\omero_ldap' -W 'sAMAccountName=MeganDesaulniers' memberOf
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=Core Research Facilities,ou=Research,dc=med,dc=ualberta,dc=ca> with scope subtree
# filter: sAMAccountName=MeganDesaulniers
# requesting: memberOf
#

# Megan Desaulniers, Cell Imaging, Core Research Facilities, Research, med.ualberta.ca
dn: CN=Megan Desaulniers,OU=Cell Imaging,OU=Core Research Facilities,OU=Research,DC=med,DC=ualberta,DC=ca
memberOf: CN=Evans Lab,OU=Cell Imaging,OU=Core Research Facilities,OU=Research,DC=med,DC=ualberta,DC=ca
memberOf: CN=Cell Imaging Centre - Security,OU=Cell Imaging,OU=Core Research Facilities,OU=Research,DC=med,DC=ualberta,DC=ca

# search result
search: 2
result: 0 Success


# numResponses: 2
# numEntries: 1

Re: help with LDAP setup

PostPosted: Tue Jul 05, 2016 8:35 am
by atarkowska
Hi Steve,

Did you have a chance to read https://www.openmicroscopy.org/site/sup ... -ldap.html?

Ola

Re: help with LDAP setup

PostPosted: Tue Jul 05, 2016 11:28 pm
by SteveO
Hi Ola-
Thanks for pointing me to the LDAP Authentication page. I re-read it and finally something in my brain clicked about case sensitivity. ldapsearch must not be case sensitive, because it returns my details when the filter is 'sAMAccountname=stephenogg' even though the sAMAccountName is actually StephenOgg. The omero web client, of course, is case sensitive, so wasn't able to find me until I entered 'StephenOgg' in the username field. Then it was able to authenticate me perfectly, and it put me into the "default" group. :D
Because I was successful with authentication, I tried to set the group properties to allow group mapping from my AD. I am not successful yet. :cry:

Here are my ldap properties:

omero.ldap.base=ou=Core Research Facilities,ou=Research,dc=med,dc=ualberta,dc=ca
omero.ldap.config=true
omero.ldap.group_filter=(&(objectClass=group)(CN=*Lab))
omero.ldap.group_mapping=name=CN
omero.ldap.new_user_group=:filtered_dn_attribute:memberOf
omero.ldap.password=*****
omero.ldap.sync_on_login=true
omero.ldap.urls=ldap://med-dc1.med.ualberta.ca:3268
omero.ldap.user_mapping=omeName=sAMAccountName,firstName=givenName,lastName=sn,email=mail,institution=department,middleName=middleName
omero.ldap.username=MED\omero_ldap


and so you can see what I'm trying to do - here is what my group membership section looks like when retrieved using ldapsearch:
memberOf: CN=CIC Lab,OU=Cell Imaging,OU=Core Research Facilities,OU=Research,DC=med,DC=ualberta,DC=ca
memberOf: CN=VirtualComputerServices,OU=Citrix,OU=Service Accounts,DC=med,DC=ualberta,DC=ca
memberOf: CN=XD-Win7_GRID,OU=Citrix,OU=Service Accounts,DC=med,DC=ualberta,DC=ca
memberOf: CN=TAGC - Full Access,OU=TAGC,OU=Core Research Facilities,OU=Research,DC=med,DC=ualberta,DC=ca
memberOf: CN=Flow - Full Access,OU=Flow Cytometry,OU=Core Research Facilities,OU=Research,DC=med,DC=ualberta,DC=ca
memberOf: CN=Cell Imaging Centre - Full Access,OU=Cell Imaging,OU=Core Research Facilities,OU=Research,DC=med,DC=ualberta,DC=ca
memberOf: CN=Farm-FSO,OU=FARM,OU=Distribution Groups,OU=Service Accounts,DC=med,DC=ualberta,DC=ca


I'm trying to match only the group where the cn has the word "Lab" in it. For me this should match where cn=CIC Lab.

But when I try to authenticate, I get this in the Blitz log:
2016-07-05 16:55:24,904 INFO  [        ome.services.util.ServiceHandler] (l.Server-2)  Excp:   ome.conditions.InternalException: Full DN (cn=Farm-FSO,ou=FARM,ou=Distribution Groups,ou=Service Accounts,dc=med,dc=ualberta,dc=ca) does not start with base DN (ou=Core Research Facilities,ou=Research,dc=med,dc=ualberta,dc=ca)
2016-07-05 16:55:24,908 ERROR [     o.s.blitz.fire.PermissionsVerifierI] (l.Server-2) Exception thrown while checking password for:StephenOgg
ome.conditions.InternalException: Full DN (cn=Farm-FSO,ou=FARM,ou=Distribution Groups,ou=Service Accounts,dc=med,dc=ualberta,dc=ca) does not start with base DN (ou=Core Research Facilities,ou=Research,dc=med,dc=ualberta,dc=ca)
   at ome.security.auth.LdapConfig.relativeDN(LdapConfig.java:140) ~[server.jar:na]
   at ome.security.auth.AttributeNewUserGroupBean.groups(AttributeNewUserGroupBean.java:90) ~[server.jar:na]
   at ome.logic.LdapImpl$GroupLoader.<init>(LdapImpl.java:614) ~[server.jar:na]
   at ome.logic.LdapImpl.synchronizeLdapUser(LdapImpl.java:299) ~[server.jar:na]
   at ome.security.auth.LdapPasswordProvider.checkPassword(LdapPasswordProvider.java:152) ~[server.jar:na]
   at ome.security.auth.PasswordProviders.checkPassword(PasswordProviders.java:52) ~[server.jar:na]
   at ome.logic.AdminImpl.checkPassword(AdminImpl.java:1197) ~[server.jar:na]
   at ome.services.sessions.SessionManagerImpl$9.doWork(SessionManagerImpl.java:1102) ~[server.jar:na]
   at sun.reflect.GeneratedMethodAccessor302.invoke(Unknown Source) ~[na:na]
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.7.0_101]
   at java.lang.reflect.Method.invoke(Method.java:606) ~[na:1.7.0_101]
   at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307) ~[spring-aop.jar:3.0.1.RELEASE]
   at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183) ~[spring-aop.jar:3.0.1.RELEASE]
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150) ~[spring-aop.jar:3.0.1.RELEASE]
   at ome.services.util.Executor$Impl$Interceptor.invoke(Executor.java:562) ~[server.jar:na]
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) ~[spring-aop.jar:3.0.1.RELEASE]
   at ome.security.basic.EventHandler.invoke(EventHandler.java:154) ~[server.jar:na]
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) ~[spring-aop.jar:3.0.1.RELEASE]
   at org.springframework.orm.hibernate3.HibernateInterceptor.invoke(HibernateInterceptor.java:111) ~[spring-orm.jar:3.0.1.RELEASE]
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) ~[spring-aop.jar:3.0.1.RELEASE]
   at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:108) ~[spring-tx.jar:3.0.1.RELEASE]
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) ~[spring-aop.jar:3.0.1.RELEASE]
   at ome.tools.hibernate.ProxyCleanupFilter$Interceptor.invoke(ProxyCleanupFilter.java:249) ~[server.jar:na]
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) ~[spring-aop.jar:3.0.1.RELEASE]
   at ome.services.util.ServiceHandler.invoke(ServiceHandler.java:121) ~[server.jar:na]
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) ~[spring-aop.jar:3.0.1.RELEASE]
   at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202) ~[spring-aop.jar:3.0.1.RELEASE]
   at com.sun.proxy.$Proxy70.doWork(Unknown Source) ~[na:na]
   at ome.services.util.Executor$Impl.execute(Executor.java:443) ~[server.jar:na]
   at ome.services.util.Executor$Impl.execute(Executor.java:387) ~[server.jar:na]
   at ome.services.sessions.SessionManagerImpl.executeCheckPasswordRW(SessionManagerImpl.java:1097) ~[server.jar:na]
   at ome.services.sessions.SessionManagerImpl.executeCheckPassword(SessionManagerImpl.java:1069) ~[server.jar:na]
   at ome.services.sessions.SessionManagerImpl.executePasswordCheck(SessionManagerImpl.java:1045) ~[server.jar:na]
   at ome.services.blitz.fire.PermissionsVerifierI.checkPermissions(PermissionsVerifierI.java:132) ~[blitz.jar:na]
   at Glacier2._PermissionsVerifierDisp.___checkPermissions(_PermissionsVerifierDisp.java:114) [ice-glacier2.jar:na]
   at Glacier2._PermissionsVerifierDisp.__dispatch(_PermissionsVerifierDisp.java:149) [ice-glacier2.jar:na]
   at IceInternal.Incoming.invoke(Incoming.java:221) [ice.jar:na]
   at Ice.ConnectionI.invokeAll(ConnectionI.java:2536) [ice.jar:na]
   at Ice.ConnectionI.dispatch(ConnectionI.java:1145) [ice.jar:na]
   at Ice.ConnectionI.message(ConnectionI.java:1056) [ice.jar:na]
   at IceInternal.ThreadPool.run(ThreadPool.java:395) [ice.jar:na]
   at IceInternal.ThreadPool.access$300(ThreadPool.java:12) [ice.jar:na]
   at IceInternal.ThreadPool$EventHandlerThread.run(ThreadPool.java:832) [ice.jar:na]
   at java.lang.Thread.run(Thread.java:745) [na:1.7.0_101]


omero - or some underlying component - seems to take exception that one of the groups named in the memberOf section of my details doesn't start with the base DN set in my omero.ldap.base property. I'm not entirely sure what this means?

I have also tried to set the new_user_group property to :filtered_attribute:memberOf instead of :filtered_dn_attribute:memberOf and I still cannot authenticate, but I get a different error in the Blitz log.
2016-07-05 17:14:29,966 INFO  [         ome.security.basic.EventHandler] (l.Server-6)  Auth:   user=0,group=0,event=8713(Sessions),sess=0386f2ba-5140-4fbe-94b1-447707169abe
2016-07-05 17:14:29,973 WARN  [ome.services.sessions.SessionManagerImpl] (l.Server-6) Exception while running executeDefaultGroup
ome.conditions.ValidationException: The user 102 has no default group set.
   at ome.logic.AdminImpl.getDefaultGroup(AdminImpl.java:875) ~[server.jar:na]
   at ome.services.sessions.SessionManagerImpl._getDefaultGroup(SessionManagerImpl.java:1363) [server.jar:na]
   at ome.services.sessions.SessionManagerImpl.validateSessionInputs(SessionManagerImpl.java:876) [server.jar:na]
   at ome.services.sessions.SessionManagerImpl.access$000(SessionManagerImpl.java:90) [server.jar:na]
   at ome.services.sessions.SessionManagerImpl$2.doWork(SessionManagerImpl.java:358) [server.jar:na]
   at sun.reflect.GeneratedMethodAccessor300.invoke(Unknown Source) ~[na:na]
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.7.0_101]
   at java.lang.reflect.Method.invoke(Method.java:606) ~[na:1.7.0_101]
   at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307) [spring-aop.jar:3.0.1.RELEASE]
   at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183) [spring-aop.jar:3.0.1.RELEASE]
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150) [spring-aop.jar:3.0.1.RELEASE]
   at ome.services.util.Executor$Impl$Interceptor.invoke(Executor.java:562) [server.jar:na]
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) [spring-aop.jar:3.0.1.RELEASE]
   at ome.security.basic.EventHandler.invoke(EventHandler.java:154) [server.jar:na]
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) [spring-aop.jar:3.0.1.RELEASE]
   at org.springframework.orm.hibernate3.HibernateInterceptor.invoke(HibernateInterceptor.java:111) [spring-orm.jar:3.0.1.RELEASE]
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) [spring-aop.jar:3.0.1.RELEASE]
   at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:108) [spring-tx.jar:3.0.1.RELEASE]
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) [spring-aop.jar:3.0.1.RELEASE]
   at ome.tools.hibernate.ProxyCleanupFilter$Interceptor.invoke(ProxyCleanupFilter.java:249) [server.jar:na]
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) [spring-aop.jar:3.0.1.RELEASE]
   at ome.services.util.ServiceHandler.invoke(ServiceHandler.java:121) [server.jar:na]
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) [spring-aop.jar:3.0.1.RELEASE]
   at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202) [spring-aop.jar:3.0.1.RELEASE]
   at com.sun.proxy.$Proxy70.doWork(Unknown Source) [na:na]
   at ome.services.util.Executor$Impl.execute(Executor.java:443) [server.jar:na]
   at ome.services.sessions.SessionManagerImpl.createSession(SessionManagerImpl.java:352) [server.jar:na]
   at ome.services.sessions.SessionManagerImpl.createFromRequest(SessionManagerImpl.java:276) [server.jar:na]
   at ome.services.sessions.SessionManagerImpl.createWithAgent(SessionManagerImpl.java:296) [server.jar:na]
   at ome.services.blitz.fire.SessionManagerI.create(SessionManagerI.java:183) [blitz.jar:na]
   at Glacier2._SessionManagerDisp.___create(_SessionManagerDisp.java:114) [ice-glacier2.jar:na]
   at Glacier2._SessionManagerDisp.__dispatch(_SessionManagerDisp.java:148) [ice-glacier2.jar:na]
   at IceInternal.Incoming.invoke(Incoming.java:221) [ice.jar:na]
   at Ice.ConnectionI.invokeAll(ConnectionI.java:2536) [ice.jar:na]
   at Ice.ConnectionI.dispatch(ConnectionI.java:1145) [ice.jar:na]
   at Ice.ConnectionI.message(ConnectionI.java:1056) [ice.jar:na]
   at IceInternal.ThreadPool.run(ThreadPool.java:395) [ice.jar:na]
   at IceInternal.ThreadPool.access$300(ThreadPool.java:12) [ice.jar:na]
   at IceInternal.ThreadPool$EventHandlerThread.run(ThreadPool.java:832) [ice.jar:na]
   at java.lang.Thread.run(Thread.java:745) [na:1.7.0_101]

Now it seems there is a problem with somehow setting my default group??

Do you have any suggestions about my ldap group properties that could help me resolve this challenge?
Thanks
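
To see why the login above aborts on Farm-FSO, here is a small added example (not OMERO code) that models the two steps visible in the Blitz log: every memberOf DN is first scoped to omero.ldap.base, and only then is the CN=*Lab part of the group filter applied. The base DN and memberOf values are copied from this thread; relative_dn, cn_matches and the skip_outside_base switch are constructed for illustration and are not OMERO settings.

```python
import re

# Values copied from the thread: the configured base and a shortened set of
# the user's memberOf DNs (one of them, Farm-FSO, lies outside the base).
BASE_DN = "ou=Core Research Facilities,ou=Research,dc=med,dc=ualberta,dc=ca"
MEMBER_OF = [
    "CN=CIC Lab,OU=Cell Imaging,OU=Core Research Facilities,OU=Research,DC=med,DC=ualberta,DC=ca",
    "CN=Farm-FSO,OU=FARM,OU=Distribution Groups,OU=Service Accounts,DC=med,DC=ualberta,DC=ca",
    "CN=Cell Imaging Centre - Full Access,OU=Cell Imaging,OU=Core Research Facilities,"
    "OU=Research,DC=med,DC=ualberta,DC=ca",
]


def split_dn(dn):
    """Split a DN into (attribute, value) pairs, honouring backslash-escaped commas."""
    return [tuple(s.strip() for s in rdn.split("=", 1))
            for rdn in re.split(r"(?<!\\),", dn)]


def normalize(dn):
    """Case-fold a DN so AD's 'CN=...' and OMERO's 'cn=...' compare equal."""
    return [(attr.lower(), value.lower()) for attr, value in split_dn(dn)]


def relative_dn(full_dn, base_dn):
    """Return the RDNs of full_dn below base_dn; raise if full_dn is outside it.

    Constructed model of the 'Full DN (...) does not start with base DN (...)'
    check quoted in the Blitz log, not OMERO's implementation."""
    full, base = normalize(full_dn), normalize(base_dn)
    if len(full) <= len(base) or full[-len(base):] != base:
        raise ValueError(f"Full DN ({full_dn}) does not start with base DN ({base_dn})")
    return full[:-len(base)]


def cn_matches(dn, cn_glob):
    """Evaluate a '(CN=<glob>)' term such as CN=*Lab against the leading RDN, case-insensitively."""
    attr, value = split_dn(dn)[0]
    pattern = "^" + ".*".join(re.escape(p) for p in cn_glob.split("*")) + "$"
    return attr.lower() == "cn" and re.match(pattern, value, re.IGNORECASE) is not None


def groups_for_user(member_of, base_dn, cn_glob, skip_outside_base=False):
    """Walk every memberOf DN: scope it to the base, then apply the CN glob.

    skip_outside_base=False reproduces the log: the first out-of-base group
    aborts the login. skip_outside_base=True (hypothetical) shows what a lookup
    that only considers groups under the base would yield."""
    matched = []
    for dn in member_of:
        try:
            relative_dn(dn, base_dn)
        except ValueError:
            if not skip_outside_base:
                raise
            continue
        if cn_matches(dn, cn_glob):
            matched.append(split_dn(dn)[0][1])  # the group's CN, e.g. "CIC Lab"
    return matched
```

Run with skip_outside_base=False to reproduce the failure on Farm-FSO; the practical lesson is that a memberOf-based lookup sees every group the account belongs to, including ones under OUs the base DN never intended to cover.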

Re: help with LDAP setup

PostPosted: Wed Jul 06, 2016 8:36 am
by atarkowska
Hi Steve,

Did you follow https://www.openmicroscopy.org/site/sup ... ensitivity for case insensitivity? If you already have users created in your system, you have to lowercase omename in the experimenter table:

BEGIN;
update experimenter set omename = lower(omename);
COMMIT;


Ola

Re: help with LDAP setup

PostPosted: Wed Jul 06, 2016 2:24 pm
by SteveO
Thanks Ola -
I'm the only experimenter in the table besides the root account and the guest account. I will leave omero's case sensitivity on and remember to use the correct credentials when I login.

Best,
Steve

Re: help with LDAP setup

PostPosted: Wed Jul 20, 2016 10:18 pm
by SteveO
I've finally managed to set the group filters correctly to put my AD users into proper groups and use the AD as the authority for group membership. During the group ldap setup, a couple of incorrectly named groups were added to the system (see listing below)

id | name | perms | ldap | # of owners | # of members
-----+--------------------------------------------------------------------------------------------------------------------+--------+-------+-------------+--------------
0 | system | rw---- | False | 1 | 0
1 | user | rwr-r- | False | 0 | 3
2 | guest | rw---- | False | 0 | 1
103 | default | rw---- | True | 0 | 1
153 | CN=Cell Imaging Centre - Security,OU=Cell Imaging,OU=Core Research Facilities,OU=Research,DC=med,DC=ualberta,DC=ca | rw---- | True | 0 | 0
154 | CN=CIC Lab,OU=Cell Imaging,OU=Core Research Facilities,OU=Research,DC=med,DC=ualberta,DC=ca | rw---- | True | 0 | 0
203 | CIC Lab | rw---- | True | 0 | 1



The system is not yet in production, and I'm wondering what the best way is to remove groups with id 153 and 154? They have no users in them nor have images been imported by a user in any of the groups I wish to remove.
I can't find any info on the user/group management page on how to delete a group using "bin/omero group"
I guess by design there is no easy way to do this?
Thanks for any help,
Steve

Re: help with LDAP setup

PostPosted: Thu Jul 21, 2016 12:08 pm
by jmoore
Hi Steve,

SteveO wrote: During the group ldap setup, a couple of incorrectly named groups were added to the system (see listing below)
...
The system is not yet in production, and I'm wondering what the best way is to remove groups with id 153 and 154? They have no users in them nor have images been imported by a user in any of the groups I wish to remove.
I can't find any info on the user/group management page on how to delete a group using "bin/omero group"
I guess by design there is no easy way to do this?


Correct. Both group & user deletion are not currently supported in general. In your case, where the group has been newly created, you can attempt:

$ psql ome9 -c "delete from experimentergroup where id in (153, 154)"


which I would expect to work unless a user was added to the group in which case:

$ psql ome9 -c "delete from groupexperimentermap where parent in (153, 154)"


will be needed before you can delete the group. Similarly, this should work for users:

$ psql ome9 -c "delete from groupexperimentermap where child in (X, Y)"
$ psql ome9 -c "delete from experimenter where id in (X, Y)"



Cheers,
~Josh.

Re: help with LDAP setup

PostPosted: Fri Jul 22, 2016 5:49 pm
by SteveO
Success!
Thanks Jmoore