Having a problem deploying OMERO? Please ask new questions at https://forum.image.sc/tags/omero

Problem signing in with LDAP accounts

Postby rdecoster » Wed Feb 20, 2019 9:32 am

I have a problem with existing accounts that were added to additional groups in ldap, which need to sync at login to the OMERO system.
This is only for existing accounts and not for fresh logins.
I upgraded to the latest version of OMERO 5.4.10 and should have performed all DB steps

This is the error message in the log:
2019-02-20 09:53:39,211 INFO [ ome.services.util.ServiceHandler] (l.Server-6) Executor.doWork -- ome.services.sessions.SessionManagerImpl.executeCheckPasswordRO[u0114991]
2019-02-20 09:53:39,211 INFO [ ome.services.util.ServiceHandler] (l.Server-6) Args: [null, InternalSF@95788093]
2019-02-20 09:53:39,212 INFO [ ome.security.basic.EventHandler] (l.Server-6) Auth: user=0,group=0,event=null(Sessions),sess=651ec5cf-4a9e-408d-ba8e-c9f9075a124b
2019-02-20 09:53:40,152 INFO [ ome.logic.LdapImpl] (l.Server-6) Adding groups for u0114991: [355]
2019-02-20 09:53:40,173 INFO [ org.perf4j.TimingLogger] (l.Server-6) start[1550652819211] time[962] tag[omero.call.exception]
2019-02-20 09:53:40,175 WARN [ ome.services.util.ServiceHandler] (l.Server-6) Unknown exception thrown.

org.springframework.jdbc.UncategorizedSQLException: PreparedStatementCallback; uncategorized SQLException for SQL [select ome_nextval(?,?)]; SQL state [25P02]; error code [0]; ERROR: current transaction is aborted, commands ignored until end of transaction block; nested exception is org.postgresql.util.PSQLException: ERROR: current transaction is aborted, commands ignored until end of transaction block


Any thoughts on what is going on?
Could there be hanging locks on certain rows in the DB?

Best,
Raf
rdecoster

Re: Problem signing in with LDAP accounts

Postby mtbc » Wed Feb 20, 2019 9:55 am

Raf,

It could well be some issue with LDAP config. From which OMERO version did you upgrade -- when were things working okay? Could you share your omero.ldap.* config settings? I guess there wasn't also some message in some other log like master.err?

If you experiment with the OMERO.cli LDAP commands like "ldap getdn", "ldap list", also "user list", etc., do things look okay for the user who can't log in? From that output do feel free to share anything you're not sure about.

Cheers,
Mark
mtbc
Team Member

Re: Problem signing in with LDAP accounts

Postby rdecoster » Wed Feb 20, 2019 12:18 pm

Hi Mark,

So this is my ldap config:
omero.ldap.base=DC=luna,DC=kuleuven,DC=be
omero.ldap.config=true
omero.ldap.group_filter=(&(objectClass=group)(cn=GBW.GS.ISPAMM.*)(!(cn=GBW.GS.ISPAMM.Users)))
omero.ldap.group_mapping=name=cn
omero.ldap.new_user_group=:filtered_dn_attribute:memberOf
omero.ldap.password=********
omero.ldap.sync_on_login=true
omero.ldap.urls=ldaps://ICTS-S-DC1.luna.kuleuven.be:3269
omero.ldap.user_filter=(memberOf=CN=GBW.GS.ISPAMM.Users,OU=ISPAMM,OU=groups_sec,OU=GBW,OU=kuleuven,DC=luna,DC=kuleuven,DC=be)
omero.ldap.user_mapping=omeName=sAMAccountName,firstName=givenName,lastName=sn,email=mail
omero.ldap.username=CN=GBW.A.CMEVIB.ISPAMM,OU=services,OU=GBW,OU=kuleuven,DC=luna,DC=kuleuven,DC=be


As I am going back in the logs, the first time I see this error is in September last year, when I updated group membership in our Active Directory. It might very well be a slumbering problem from long before that.
Also if I remove the user in AD from the group, the user can login with no problems.
As for versions:
- jan - 2016: 5.1.4 => 5.2.1
- jun - 2016: => 5.2.4
- yesterday => 5.4.10

The LDAP commands work just fine. I see no difference between existing users and fresh users.

master.err is not showing anything ...

thx,
Raf
rdecoster
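The config above can be dry-run before trusting sync_on_login with it. This is an added example, not code from the thread or from OMERO: a small pure-Python evaluator for the quoted omero.ldap.user_filter and omero.ldap.group_filter, applied to constructed AD entries, that previews which of a user's memberOf groups the :filtered_dn_attribute:memberOf / name=cn mapping would create in OMERO. The directory entries (the LabA, Other and Printer-Users groups), the sample user and the filter evaluator are assumptions; OMERO itself hands these filters to the LDAP server.

```python
import re

# omero.ldap.* values quoted from the thread; evaluated here in pure Python
# against constructed directory entries, not by a real LDAP server.
USER_FILTER = ("(memberOf=CN=GBW.GS.ISPAMM.Users,OU=ISPAMM,OU=groups_sec,"
               "OU=GBW,OU=kuleuven,DC=luna,DC=kuleuven,DC=be)")
GROUP_FILTER = "(&(objectClass=group)(cn=GBW.GS.ISPAMM.*)(!(cn=GBW.GS.ISPAMM.Users)))"
BASE = "OU=ISPAMM,OU=groups_sec,OU=GBW,OU=kuleuven,DC=luna,DC=kuleuven,DC=be"

# Constructed AD group entries keyed by DN; only LabA should reach OMERO.
GROUPS = {f"CN={cn},{BASE}": {"objectClass": "group", "cn": cn}
          for cn in ("GBW.GS.ISPAMM.Users", "GBW.GS.ISPAMM.LabA",
                     "GBW.GS.Other", "Printer-Users")}

def parse(f, i=0):
    """Parse the RFC 4515 subset used above: (&..), (|..), (!..), (attr=val*)."""
    if f[i + 1] in "&|!":
        op, i, kids = f[i + 1], i + 2, []
        while f[i] != ")":
            node, i = parse(f, i)
            kids.append(node)
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, val = f[i + 1:end].split("=", 1)
    return ("=", attr, val), end + 1

def matches(node, entry):
    """Evaluate a parsed filter; values may be multi-valued and matching is
    case-insensitive, as AD treats cn and memberOf (assumption for this demo)."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    regex = "^" + ".*".join(map(re.escape, pattern.split("*"))) + "$"
    values = entry.get(attr, [])
    values = values if isinstance(values, list) else [values]
    return any(re.match(regex, v, re.IGNORECASE) for v in values)

def may_log_in(user):
    """user_filter gate: only members of GBW.GS.ISPAMM.Users are accepted."""
    return matches(parse(USER_FILTER)[0], user)

def synced_groups(user, directory=GROUPS):
    """new_user_group=:filtered_dn_attribute:memberOf with group_mapping=name=cn:
    keep each memberOf DN whose group entry passes group_filter, named by its cn."""
    tree = parse(GROUP_FILTER)[0]
    return sorted(directory[dn]["cn"] for dn in user.get("memberOf", [])
                  if dn in directory and matches(tree, directory[dn]))

# Constructed user resembling u0114991 after the AD group change.
USER = {"sAMAccountName": "u0114991", "memberOf": list(GROUPS)}
```

A mismatch between this preview and what "omero ldap discover --groups" reports for a real user points at the filter or the directory data rather than at the database, which is worth knowing before chasing locks.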

Re: Problem signing in with LDAP accounts

Postby rdecoster » Wed Feb 20, 2019 12:23 pm

and now all of a sudden the issues are gone...

log shows:
2019-02-20 13:16:58,192 INFO  [        ome.services.util.ServiceHandler] (l.Server-6)  Executor.doWork -- ome.services.sessions.SessionManagerImpl.executeCheckPasswordRW[u0114991]
2019-02-20 13:16:58,193 INFO  [        ome.services.util.ServiceHandler] (l.Server-6)  Args:    [null, InternalSF@95788093]
2019-02-20 13:16:58,200 INFO  [         ome.security.basic.EventHandler] (l.Server-6)  Auth:    user=0,group=0,event=2539364(Sessions),sess=651ec5cf-4a9e-408d-ba8e-c9f9075a124b
2019-02-20 13:16:59,053 INFO  [                      ome.logic.LdapImpl] (l.Server-6) Adding groups for u0114991: [355]
2019-02-20 13:16:59,056 INFO  [       ome.security.basic.CurrentDetails] (l.Server-6) Adding log:INSERT,class ome.model.meta.GroupExperimenterMap,923
2019-02-20 13:16:59,057 INFO  [    ome.security.auth.SimpleRoleProvider] (l.Server-6) Seeting ownership flag on user 602 to false for 203
2019-02-20 13:16:59,058 INFO  [    ome.security.auth.SimpleRoleProvider] (l.Server-6) Seeting ownership flag on user 602 to false for 353
2019-02-20 13:16:59,059 INFO  [    ome.security.auth.SimpleRoleProvider] (l.Server-6) Seeting ownership flag on user 602 to false for 53
2019-02-20 13:16:59,060 INFO  [    ome.security.auth.SimpleRoleProvider] (l.Server-6) Seeting ownership flag on user 602 to false for 355
2019-02-20 13:16:59,060 INFO  [    ome.security.auth.SimpleRoleProvider] (l.Server-6) Seeting ownership flag on user 602 to false for 154
2019-02-20 13:16:59,060 INFO  [    ome.security.auth.SimpleRoleProvider] (l.Server-6) Seeting ownership flag on user 602 to false for 153
2019-02-20 13:16:59,061 INFO  [    ome.security.auth.SimpleRoleProvider] (l.Server-6) Seeting ownership flag on user 602 to false for 305
2019-02-20 13:16:59,062 INFO  [    ome.security.auth.SimpleRoleProvider] (l.Server-6) Seeting ownership flag on user 602 to false for 103
2019-02-20 13:16:59,062 INFO  [    ome.security.auth.SimpleRoleProvider] (l.Server-6) Seeting ownership flag on user 602 to false for 304
2019-02-20 13:16:59,063 INFO  [    ome.security.auth.SimpleRoleProvider] (l.Server-6) Seeting ownership flag on user 602 to false for 155
2019-02-20 13:16:59,063 INFO  [    ome.security.auth.SimpleRoleProvider] (l.Server-6) Seeting ownership flag on user 602 to false for 4
2019-02-20 13:16:59,064 INFO  [    ome.security.auth.SimpleRoleProvider] (l.Server-6) Seeting ownership flag on user 602 to false for 3
2019-02-20 13:16:59,064 INFO  [    ome.security.auth.SimpleRoleProvider] (l.Server-6) Seeting ownership flag on user 602 to false for 253
2019-02-20 13:16:59,065 INFO  [    ome.security.auth.SimpleRoleProvider] (l.Server-6) Seeting ownership flag on user 602 to false for 303
2019-02-20 13:16:59,205 INFO  [                 org.perf4j.TimingLogger] (l.Server-6) start[1550665018193] time[1012] tag[omero.call.success.ome.services.sessions.SessionManagerImpl$9.doWork]
2019-02-20 13:16:59,205 INFO  [        ome.services.util.ServiceHandler] (l.Server-6)  Rslt:    true
2019-02-20 13:16:59,206 INFO  [        ome.services.util.ServiceHandler] (.Server-10)  Executor.doWork -- ome.services.sessions.SessionManagerImpl.createSession[]
20


I did _not_ change a thing ...
Could I have triggered something with the commands you suggested?

Best,
Raf
rdecoster

Re: Problem signing in with LDAP accounts

Postby rdecoster » Wed Feb 20, 2019 12:29 pm

could these commands have a positive effect?

OMERO.server/bin/omero ldap discover --groups
OMERO.server/bin/omero ldap discover

apart from "user list", "ldap list" and "ldap getdn" that's what I did extra compared to yesterday.

best,
Raf
rdecoster

Re: Problem signing in with LDAP accounts

Postby jmoore » Fri Feb 22, 2019 11:28 am

Hi Raf,

The commands that Mark suggested shouldn't have had any effect. I assume that there was something locked in the database server which resolved itself. I'm happy to take a look at the logs if you'd like to send them, but considering things have now cleared up, it may be difficult to track it down. In any case, if you see any further issues, please let us know.

All the best,
~Josh
jmoore
Site Admin