LDAP authentication not successful

Please note:
Historical discussions about OMERO. Please look for and ask new questions at https://forum.image.sc/tags/omero



Postby SteveO » Fri Nov 11, 2011 2:05 am

Hi -
I have a brand new installation of Omero 4.3.3 on Ubuntu 10.04 LTS. Installation was a snap following the "Linux Debian/Ubuntu Install Walkthrough" guide. Thanks

The only thing I cannot figure out is how to use LDAP for authentication. This will have to do with the fact that I know almost nothing about LDAP, rather than anything else. I was hoping someone with more experience could take a look at my settings and let me know where I've gone wrong.

I had some initial trouble until I specified the fully qualified distinguished name of the directory administrator, and I think I'm successfully binding to the LDAP server, but somehow the credentials of the user are not returned to the OMERO login? It's beyond my very limited skill to troubleshoot this any further. The LDAP is really the Apple offering of OpenLDAP running as "Open Directory".

Here's the error I get from the Blitz log:
2011-11-10 17:56:53,924 INFO  [  ome.security.auth.LdapPasswordProvider] (l.Server-0) Default choice on create user: steveo (ome.conditions.ApiUsageException: Cannot find unique DistinguishedName: found=0)




Here's my bin/omero config get:
steve@omero:~/apps/OMERO/OMERO.server$ bin/omero config get
omero.data.dir=/OMERO.data
omero.db.name=omerodb
omero.db.pass=omeropassword
omero.db.user=omero
omero.ldap.base=dc=ellesmere,dc=med,dc=ualberta,dc=ca
omero.ldap.config=true
omero.ldap.password=******
omero.ldap.urls=ldap://ellesmere.med.ualberta.ca:389
omero.ldap.user_filter=(objectClass=inetOrgPerson)
omero.ldap.username=uid=cicadmin,cn=users,dc=ellesmere,dc=med,dc=ualberta,dc=ca
omero.web.application_server=fastcgi-tcp
omero.web.applicaton_host=http://129.128.191.25:80/
omero.web.server_email=stephen.ogg@gmail.com


Here's the output from bin/omero admin diagnostics:
================================================================================
OMERO Diagnostics 4.3.3-00d1137e-b2894
================================================================================
       
Commands:   java -version                  1.6.0     (/usr/bin/java -- 2 others)
Commands:   python -V                      2.6.5     (/usr/bin/python)
Commands:   icegridnode --version          3.3.1     (/usr/bin/icegridnode)
Commands:   icegridadmin --version         3.3.1     (/usr/bin/icegridadmin)
Commands:   psql --version                 8.4.9     (/usr/bin/psql -- 2 others)

Server:     icegridnode                    running
Server:     Blitz-0                        active (pid = 23466, enabled)
Server:     DropBox                        active (pid = 23468, enabled)
Server:     FileServer                     active (pid = 23477, enabled)
Server:     Indexer-0                      active (pid = 23479, enabled)
Server:     MonitorServer                  active (pid = 23480, enabled)
Server:     OMERO.Glacier2                 active (pid = 23481, enabled)
Server:     OMERO.IceStorm                 active (pid = 23484, enabled)
Server:     PixelData-0                    active (pid = 23485, enabled)
Server:     Processor-0                    active (pid = 23487, enabled)
Server:     Tables-0                       active (pid = 23496, enabled)
Server:     TestDropBox                    inactive (enabled)

Log dir:    /home/steve/apps/OMERO/OMERO.server/var/log exists

Log files:  Blitz-0.log                    33.0 KB       errors=1    warnings=1   
Log files:  Blitz-0.log.old                5.0 MB        errors=12   warnings=12 
Log files:  DropBox.log                    11.0 KB       errors=0    warnings=4   
Log files:  FileServer.log                 1.0 KB       
Log files:  Indexer-0.log                  57.0 KB       errors=0    warnings=1   
Log files:  MonitorServer.log              6.0 KB        errors=0    warnings=1   
Log files:  OMEROweb.log                   23.0 KB       errors=32   warnings=0   
Log files:  PixelData-0.log                10.0 KB     
Log files:  Processor-0.log                7.0 KB        errors=0    warnings=4   
Log files:  Tables-0.log                   7.0 KB        errors=0    warnings=4   
Log files:  TestDropBox.log                n/a
Log files:  master.err                     0.0 KB       
Log files:  master.out                     0.0 KB       
Log files:  Total size                     5.71 MB

Parsing Blitz-0.log:[line:30] => Server restarted <=

Environment:OMERO_HOME=/home/steve/apps/OMERO/OMERO.server
Environment:OMERO_NODE=(unset)             
Environment:OMERO_MASTER=(unset)           
Environment:PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/lib/jvm/java-6-sun/bin:/usr/share/Ice:/usr/lib/postgresql/8.4/bin:/home/steve/apps/OMERO/OMERO.server/bin
Environment:ICE_HOME=/usr/share/Ice       
Environment:LD_LIBRARY_PATH=:/usr/share/java:/usr/lib
Environment:DYLD_LIBRARY_PATH=(unset)     

OMERO data dir: '/OMERO.data'   Exists? True   Is writable? True
OMERO.web status... [RUNNING] (PID 15085)


And here's what I get if I query my LDAP server with ldapsearch for the same user that is rejected from the OMERO login:
steve@omero:~/apps/OMERO/OMERO.server/var/log$ ldapsearch -x -LLL uid=steveo
dn: uid=steveo,cn=users,dc=ellesmere,dc=med,dc=ualberta,dc=ca
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: apple-user
objectClass: extensibleObject
objectClass: organizationalPerson
objectClass: top
objectClass: person
uidNumber: 1043
apple-generateduid: A2374512-6BDC-4C01-BB4B-5A300FA195E0
loginShell: /bin/bash
gidNumber: 20
uid: steveo
altSecurityIdentities: Kerberos:steveo@ELLESMERE.MED.UALBERTA.CA
authAuthority: ;ApplePasswordServer;0x4cb3243e008ff9000000004e0000004e,1024 35
  1386141094137962807715329480415826814514356556737431299757030838030738416847
59391691149547069015517273036093231629871346380909787054563490976486270156150
80913102203942505122612482339391560338894147269011663936415081785144060255421
02548819823044736188812538441123014123111672724443231385847170135257084256081
13 root@ellesmere.med.ualberta.ca:129.128.24.251
authAuthority: ;Kerberosv5;0x4cb3243e008ff9000000004e0000004e;steveo@ELLESMERE
.MED.UALBERTA.CA;ELLESMERE.MED.UALBERTA.CA;1024 35 13861410941379628077153294
80415826814514356556737431299757030838030738416847593916911495470690155172730
36093231629871346380909787054563490976486270156150809131022039425051226124823
39391560338894147269011663936415081785144060255421025488198230447361888125384
4112301412311167272444323138584717013525708425608113 root@ellesmere.med.ualbe
rta.ca:129.128.24.251
userPassword:: KioqKioqKio=
cn: Stephen Ogg
apple-mcxflags:: PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPCFET0NUW
VBFIHBsaXN0IFBVQkxJQyAiLS8vQXBwbGUvL0RURCBQTElTVCAxLjAvL0VOIiAiaHR0cDovL3d3dy
5hcHBsZS5jb20vRFREcy9Qcm9wZXJ0eUxpc3QtMS4wLmR0ZCI+CjxwbGlzdCB2ZXJzaW9uPSIxLjA
iPgo8ZGljdD4KCTxrZXk+c2ltdWx0YW5lb3VzX2xvZ2luX2VuYWJsZWQ8L2tleT4KCTxmYWxzZS8+
CjwvZGljdD4KPC9wbGlzdD4K
apple-keyword: CIC
apple-keyword: Medical Microbiology & Immunology
apple-user-homeurl:: PGhvbWVfZGlyPjx1cmw+YWZwOi8vZWxsZXNtZXJlLm1lZC51YWxiZXJ0Y
S5jYS9Vc2VyczwvdXJsPjxwYXRoPnN0ZXZlbzwvcGF0aD48L2hvbWVfZGlyPg==
homeDirectory: /Network/Servers/ellesmere.med.ualberta.ca/Volumes/CIC/Users/st
eveo
givenName: Stephen
sn: Ogg
departmentNumber: CIC
telephoneNumber: 780.492.1613
mail: stephen.ogg@ualberta.ca
profilePath: \\Ellesmere\Profiles\steveo
homeDrive: H:
smbHome: \\Ellesmere\Users\steveo


Entire Blitz log attached.
Any advice appreciated.
Thanks in advance

Attachment: Blitz.gz (18.98 KiB)

Re: LDAP authentication not successful

Postby SteveO » Sat Nov 12, 2011 9:19 pm

OK
After playing around with omero.ldap.user_mapping and omero.ldap.user_filter I managed to get users mapped to experimenters in OMERO! Now the group mapping is slightly more complicated. The omero.ldap.new_user_group below doesn't work because some users have more than one uid, i.e. here's the error I get:
2011-11-12 13:57:29,627 INFO  [  ome.security.auth.LdapPasswordProvider] (l.Server-4) Default choice on create user: anetar (ome.conditions.ValidationException: Multivalued property used in @{} format:memberUid=@{uid}=[abalicka, anetar])


and when I try a user that has only one uid, then I get this error:
2011-11-12 14:13:20,578 INFO  [        ome.services.util.ServiceHandler] (l.Server-3)  Excp:   org.springframework.ldap.InvalidSearchFilterException: Unbalanced parenthesis; nested exception is javax.naming.directory.InvalidSearchFilterException: Unbalanced parenthesis; remaining name ''
2011-11-12 14:13:20,578 ERROR [services.blitz.fire.PermissionsVerifierI] (l.Server-3) Exception thrown while checking password for:testert
ome.conditions.InternalException:  Wrapped Exception: (org.springframework.ldap.InvalidSearchFilterException):
Unbalanced parenthesis; nested exception is javax.naming.directory.InvalidSearchFilterException: Unbalanced parenthesis; remaining name ''
   at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:133)
   at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:319)
   at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:259)
   at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:571)
   at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:556)
   at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:411)


and here's the config that's causing the exception:

steve@omero:~/apps/OMERO/OMERO.server$ bin/omero config get
omero.data.dir=/OMERO.data
omero.db.name=omerodb
omero.db.pass=omeropassword
omero.db.user=omero
omero.ldap.base=dc=ellesmere,dc=med,dc=ualberta,dc=ca
omero.ldap.config=true
omero.ldap.group_filter=(objectClass=posixGroup)
omero.ldap.group_mapping=name=apple-group-realname
omero.ldap.new_user_group=:query:memberUid=@{uid}
omero.ldap.pasword=**********
omero.ldap.urls=ldap://ellesmere.med.ualberta.ca:389
omero.ldap.user_filter=(objectClass=inetOrgPerson)
omero.ldap.user_mapping=omeName=uid, firstName=givenName, lastName=sn, email=mail
omero.ldap.username=uid=cicadmin,cn=users,dc=ellesmere,dc=med,dc=ualberta,dc=ca
omero.web.application_server=fastcgi-tcp
omero.web.applicaton_host=http://129.128.191.25:80/

Re: LDAP authentication not successful

Postby jmoore » Mon Nov 14, 2011 7:41 am

Hi Steve,

The issue with the user who only has one uid is that you need parens around the query. For example,
omero.ldap.new_user_group=:query:(member=@{dn})

because this section gets AND-ed with the group filter: (&(Q1)(Q2))

What would you want to happen in the case of multiple uids? Is there another (unique) value say on your group entries that you could use?

Cheers,
~Josh
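The two failure modes in this thread, the user lookup that returned found=0 in Steve's first post and the "Unbalanced parenthesis" and "Multivalued property" errors in the group query, both come down to how the provider builds an LDAP search filter from the omero.ldap.* settings. The following is an added example, not OMERO's own code: a small model of that composition that (a) ANDs the user_filter with an (attr=username) term taken from user_mapping, (b) substitutes @{attr} tokens from the authenticated user's entry into the :query: part of new_user_group and ANDs it with group_filter, exactly as Josh describes ((&(Q1)(Q2))), and (c) runs the result against an in-memory directory. The directory is constructed from the ldapsearch output posted above; the group entries, the second user's attribute values and the memberguid group attribute are invented for illustration, and the assumption that the default user_mapping was omeName=cn (so that the search matched cn "Stephen Ogg" rather than uid "steveo") is mine, not stated on the page. The escape() step is the part OMERO has to get right for security: a username containing ( ) * or \ must not be able to rewrite the filter.

```python
"""Added example (not OMERO's code): how an OMERO-style LDAP provider composes
its search filters from omero.ldap.* settings, and why the errors in this thread
occur.  Constructed directory; group entries and 'memberguid' are invented."""
import re

# --- constructed directory, attribute names lower-cased, values as lists ---
STEVEO = {  # modelled on the ldapsearch output in the thread
    "dn": ["uid=steveo,cn=users,dc=ellesmere,dc=med,dc=ualberta,dc=ca"],
    "objectclass": ["inetOrgPerson", "posixAccount", "apple-user"],
    "uid": ["steveo"], "cn": ["Stephen Ogg"],
    "givenname": ["Stephen"], "sn": ["Ogg"], "mail": ["stephen.ogg@ualberta.ca"],
    "apple-generateduid": ["A2374512-6BDC-4C01-BB4B-5A300FA195E0"],
}
ANETAR = {  # a user with two uid values, as in the second error in the thread
    "dn": ["uid=anetar,cn=users,dc=ellesmere,dc=med,dc=ualberta,dc=ca"],
    "objectclass": ["inetOrgPerson", "posixAccount"],
    "uid": ["abalicka", "anetar"], "cn": ["A. Netar"],
    "apple-generateduid": ["0F1E2D3C-0000-4000-8000-000000000002"],  # invented
}
GROUPS = [  # invented posixGroup entries; 'memberguid' is a made-up attribute
    {"dn": ["cn=cic,cn=groups,dc=ellesmere,dc=med,dc=ualberta,dc=ca"],
     "objectclass": ["posixGroup"], "cn": ["cic"], "apple-group-realname": ["CIC"],
     "memberuid": ["steveo", "anetar"], "memberguid": [STEVEO["apple-generateduid"][0]]},
    {"dn": ["cn=staff,cn=groups,dc=ellesmere,dc=med,dc=ualberta,dc=ca"],
     "objectclass": ["posixGroup"], "cn": ["staff"], "apple-group-realname": ["Staff"],
     "memberuid": ["abalicka"], "memberguid": [ANETAR["apple-generateduid"][0]]},
]
DIRECTORY = [STEVEO, ANETAR] + GROUPS

def escape(value):
    """RFC 4515 escaping: keeps a hostile username from rewriting the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

TOKEN = re.compile(r"@\{([^}]+)\}")

def expand(template, entry):
    """Replace @{attr} with the entry's single value, as the :query: form does."""
    def sub(m):
        attr = m.group(1)
        values = entry.get(attr.lower(), [])
        if len(values) != 1:  # mirrors OMERO's ValidationException wording
            raise ValueError("Multivalued property used in @{} format: %s=%s" % (attr, values))
        return escape(values[0])
    return TOKEN.sub(sub, template)

def _parse(s, i):
    """Tiny recursive-descent parser for (&...)/(|...)/(attr=value) filters."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("Unbalanced parenthesis at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|":
        op, subs, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            subs.append(node)
        if i >= len(s) or s[i] != ")":  # e.g. "(&(objectClass=posixGroup)memberUid=x)"
            raise ValueError("Unbalanced parenthesis at offset %d" % i)
        return (op, subs), i + 1
    j = s.find(")", i)
    if j < 0:
        raise ValueError("Unbalanced parenthesis at offset %d" % i)
    attr, eq, val = s[i:j].partition("=")
    if not eq or "(" in attr:
        raise ValueError("bad filter item %r" % s[i:j])
    return ("=", attr.lower(), unescape(val)), j + 1

def parse_filter(s):
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("Unbalanced parenthesis at offset %d" % end)
    return node

def matches(node, entry):
    if node[0] == "=":
        return any(v.lower() == node[2].lower() for v in entry.get(node[1], []))
    subs = (matches(n, entry) for n in node[1])
    return all(subs) if node[0] == "&" else any(subs)

def search(filter_str, directory):
    """Return the DNs of entries matching filter_str (exact equality only)."""
    node = parse_filter(filter_str)
    return [e["dn"][0] for e in directory if matches(node, e)]

def user_filter(base_filter, user_mapping, username):
    """AND user_filter with (omeName-attribute=username) from user_mapping."""
    mapping = dict(p.strip().split("=", 1) for p in user_mapping.split(","))
    return "(&%s(%s=%s))" % (base_filter, mapping["omeName"], escape(username))

def group_filter(base_filter, new_user_group, user_entry):
    """AND group_filter with the expanded :query: part, as (&(Q1)(Q2))."""
    if not new_user_group.startswith(":query:"):
        raise ValueError("only the :query: form is modelled here")
    combined = "(&%s%s)" % (base_filter, expand(new_user_group[len(":query:"):], user_entry))
    parse_filter(combined)  # fails fast on the missing-parentheses case
    return combined

def demo():
    """Walk through the thread's failures and fixes; returns a label -> result dict."""
    base_u, base_g, out = "(objectClass=inetOrgPerson)", "(objectClass=posixGroup)", {}
    out["cn_lookup"] = search(user_filter(base_u, "omeName=cn", "steveo"), DIRECTORY)
    out["uid_lookup"] = search(user_filter(base_u, "omeName=uid", "steveo"), DIRECTORY)
    for label, tmpl, user in [("no_parens", ":query:memberUid=@{uid}", STEVEO),
                              ("parens", ":query:(memberUid=@{uid})", STEVEO),
                              ("multivalued", ":query:(memberUid=@{uid})", ANETAR),
                              ("guid", ":query:(memberguid=@{apple-generateduid})", ANETAR)]:
        try:
            out[label] = search(group_filter(base_g, tmpl, user), DIRECTORY)
        except ValueError as e:
            out[label] = "error: %s" % e
    return out

if __name__ == "__main__":
    for label, result in demo().items():
        print("%-12s %s" % (label, result))
```

Running demo() shows cn_lookup returning no DN (the found=0 symptom), uid_lookup returning Steve's DN, no_parens failing with the unbalanced-parenthesis error, parens matching the cic group, multivalued failing for the two-uid user, and guid succeeding because the generated UID is single-valued. The evaluator deliberately implements only equality, so it cannot show wildcard behaviour; the escape() test in the usage below is what matters operationally, since an unescaped "*" or ")(" in a login name would otherwise reach the directory as filter syntax.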

Re: LDAP authentication not successful

Postby SteveO » Mon Nov 14, 2011 7:12 pm

Hi Josh-
Thanks - the parentheses have solved the problem. I used the guid instead of the uid as it is unique for each user.

Thanks for your help
SteveO
 
Posts: 15
Joined: Fri Oct 02, 2009 1:51 am
Location: 54° North

Re: LDAP authentication not successful

Postby jmoore » Tue Nov 15, 2011 6:50 am

Glad to hear it!

~Josh


Return to Installation and Deployment

Who is online

Users browsing this forum: No registered users and 1 guest

cron