ldap users into existing groups

Postby robert.stanislawiak » Mon Dec 30, 2013 2:28 pm

I want to map users from LDAP into existing groups, and in my config.xml I use the omero.ldap.new_user_group value, for example "some_group". After some time I can't log in again and Apache shows me an internal server error 500. There is no problem with users created internally with OMERO. My system version is OMERO.web 4.4.9-ice34-b98.

That's my config:

<properties id="__ACTIVE__">
<property name="omero.config.profile" value="default"/>
<property name="omero.config.version" value="4.2.1"/>
<property name="omero.web.application_server" value="fastcgi-tcp"/>
<property name="omero.db.name" value="omero_database"/>
<property name="omero.db.user" value="omero_user"/>
<property name="omero.db.pass" value="***"/>
<property name="omero.data.dir" value="/MSCOPE"/>
<property name="omero.web.viewer.initial_zoom_level" value="3"/>
<property name="omero.ldap.config" value="true"/>
<property name="omero.ldap.base" value="DC=puls,DC=edu,DC=pl"/>
<property name="omero.ldap.referral" value="follow"/>
<property name="omero.ldap.urls" value="ldap://a.b.c.d:389"/>
<property name="omero.ldap.password" value="***"/>
<property name="omero.ldap.username" value="cn=Manager,dc=puls,dc=edu,dc=pl"/>
<property name="omero.ldap.user_filter" value="(cn=*)"/>
<property name="omero.ldap.user_mapping" value="omeName=cn,firstName=cn,lastName=sn,email=mail"/>
<property name="omero.ldap.new_user_group" value="PULS"/>
<property name="omero.ldap.sync_on_login" value="false"/>
<property name="omero.db.poolsize" value="50"/>
<property name="omero.sessions.timeout" value="600000"/>
</properties>
<properties id="default">
<property name="omero.config.version" value="4.2.1"/>
<property name="omero.web.application_server" value="fastcgi-tcp"/>
<property name="omero.db.name" value="omero_database"/>
<property name="omero.db.user" value="omero_user"/>
<property name="omero.db.pass" value="***"/>
<property name="omero.data.dir" value="/MSCOPE"/>
<property name="omero.web.viewer.initial_zoom_level" value="3"/>
<property name="omero.ldap.config" value="true"/>
<property name="omero.ldap.base" value="DC=puls,DC=edu,DC=pl"/>
<property name="omero.ldap.referral" value="follow"/>
<property name="omero.ldap.urls" value="ldap://a.b.c.d:389"/>
<property name="omero.ldap.password" value="***"/>
<property name="omero.ldap.username" value="cn=Manager,dc=puls,dc=edu,dc=pl"/>
<property name="omero.ldap.user_filter" value="(cn=*)"/>
<property name="omero.ldap.user_mapping" value="omeName=cn,firstName=cn,lastName=sn,email=mail"/>
<property name="omero.ldap.new_user_group" value="PULS"/>
<property name="omero.ldap.sync_on_login" value="false"/>
<property name="omero.db.poolsize" value="50"/>
<property name="omero.sessions.timeout" value="600000"/>
</properties>


What is the problem?

Apache gives me this

[Mon Dec 30 16:05:06 2013] [error] [client 150.254.175.41] FastCGI: comm with server "/home/cc36812/apps/OMERO.server-4.4.9-ice34-b98/var/omero.fcgi" aborted: idle timeout (30 sec), referer: http://microscopy.oi.up.poznan.pl/omero ... bclient%2F
[Mon Dec 30 16:05:06 2013] [error] [client 150.254.175.41] FastCGI: incomplete headers (0 bytes) received from server "/home/cc36812/apps/OMERO.server-4.4.9-ice34-b98/var/omero.fcgi", referer: http://microscopy.oi.up.poznan.pl/omero ... bclient%2F
robert.stanislawiak
 
Posts: 18
Joined: Mon Dec 16, 2013 2:21 pm
Location: Poland

Re: ldap users into existing groups

Postby jmoore » Wed Jan 01, 2014 4:32 pm

Could you possibly upload the server log files? Specifically: var/log/Blitz-0.log, var/log/master.out and var/log/master.err.

Thanks,
~Josh
jmoore
Site Admin
 
Posts: 1591
Joined: Fri May 22, 2009 1:29 pm
Location: Germany

Re: ldap users into existing groups

Postby robert.stanislawiak » Sun Jan 05, 2014 1:39 pm

It looks like sometimes - randomly - omero is not passing credentials to LDAP server, my blitz log file is over 400MB large and master.out is empty. What file extension is allowed for upload?

Re: ldap users into existing groups

Postby jmoore » Sun Jan 05, 2014 5:52 pm

.zip should be allowed. If you have any trouble, let us know.

Cheers,
~Josh

Re: ldap users into existing groups

Postby robert.stanislawiak » Sun Jan 05, 2014 6:59 pm

The zip file is about 900KB and I can't attach it.

Re: ldap users into existing groups

Postby jmoore » Mon Jan 06, 2014 8:01 am

Sorry about that. Would you mind uploading via http://qa.openmicroscopy.org.uk/qa/upload/ then? Cheers, ~Josh

Re: ldap users into existing groups

Postby robert.stanislawiak » Tue Jan 07, 2014 8:39 am

jmoore wrote: Sorry about that. Would you mind uploading via http://qa.openmicroscopy.org.uk/qa/upload/ then? Cheers, ~Josh


I've uploaded:
7802 unknown QA Bug 2014 01 07 150.254.175.41

Re: ldap users into existing groups

Postby jmoore » Tue Jan 07, 2014 9:17 am

Thanks for the logs. The first error I see is:
Code:
2014-01-03 15:14:46,890 INFO  [        ome.services.util.ServiceHandler] (erver-2002)  Excp:    org.springframework.ldap.ServiceUnavailableException: 150.254.159.58:389; socket closed; nested exception is javax.naming.ServiceUnavailableException: 150.254.159.58:389; socket closed; remaining name ''
2014-01-03 15:14:46,890 ERROR [        ome.services.util.ServiceHandler] (erver-2002) Method interface ome.services.util.Executor$Work.doWork invocation took 960435
2014-01-03 15:14:46,890 ERROR [services.blitz.fire.PermissionsVerifierI] (erver-2002) Exception thrown while checking password for:36812
ome.conditions.InternalException:  Wrapped Exception: (org.springframework.ldap.ServiceUnavailableException):
150.254.159.58:389; socket closed; nested exception is javax.naming.ServiceUnavailableException: 150.254.159.58:389; socket closed; remaining name ''
        at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:210)


There are then a total of 18 of these at the following times:
Code:
grep -E "^2014.*org.springframework.ldap.ServiceUnavailableException" Blitz-0.log  | cut -f 1 -d,
2014-01-03 15:14:46
2014-01-03 20:50:24
2014-01-03 20:51:20
2014-01-03 22:24:26
2014-01-05 09:30:04
2014-01-05 09:30:46
2014-01-05 16:25:28
2014-01-05 16:26:05
2014-01-05 16:47:33
2014-01-05 16:48:05
2014-01-05 16:56:58
2014-01-05 16:57:51
2014-01-05 17:13:16
2014-01-05 20:23:05
2014-01-05 23:14:08
2014-01-05 23:15:01
2014-01-05 23:46:09
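A small parser for the Blitz-0.log records quoted above, added here as an illustration and not code from the thread or from the OMERO project: it pulls out the LDAP ServiceUnavailableException entries the way the grep pipeline does, and additionally pairs each one with the "invocation took" record of the same thread, so the 960435 figure (assumed to be milliseconds, so roughly 16 minutes) can be set against the 30-second FastCGI idle timeout in the Apache error from the first post. The sample log is constructed from the excerpt, with extra lines made up to exercise the non-matching paths.

```python
import re

# Constructed sample in the Blitz-0.log layout quoted in the thread: the first four lines
# follow the excerpt, the rest are made up (an unrelated exception and a shorter second outage).
SAMPLE_LOG = """\
2014-01-03 15:14:46,890 INFO  [        ome.services.util.ServiceHandler] (erver-2002)  Excp:    org.springframework.ldap.ServiceUnavailableException: 150.254.159.58:389; socket closed; nested exception is javax.naming.ServiceUnavailableException: 150.254.159.58:389; socket closed; remaining name ''
2014-01-03 15:14:46,890 ERROR [        ome.services.util.ServiceHandler] (erver-2002) Method interface ome.services.util.Executor$Work.doWork invocation took 960435
2014-01-03 15:14:46,890 ERROR [services.blitz.fire.PermissionsVerifierI] (erver-2002) Exception thrown while checking password for:36812
        at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:210)
2014-01-03 15:20:01,120 INFO  [        ome.services.util.ServiceHandler] (erver-2003)  Excp:    java.lang.IllegalArgumentException: constructed unrelated failure
2014-01-03 20:50:24,005 INFO  [        ome.services.util.ServiceHandler] (erver-2010)  Excp:    org.springframework.ldap.ServiceUnavailableException: 150.254.159.58:389; socket closed
2014-01-03 20:50:24,006 ERROR [        ome.services.util.ServiceHandler] (erver-2010) Method interface ome.services.util.Executor$Work.doWork invocation took 12500
"""

# One Blitz-0.log record: "<date> <time>,<ms> <LEVEL> [<logger>] (<thread>) <message>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} (?P<level>[A-Z]+)\s+"
    r"\[\s*(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\)\s+(?P<msg>.*)$"
)
TOOK_RE = re.compile(r"invocation took (\d+)$")
LDAP_DOWN = "org.springframework.ldap.ServiceUnavailableException"

def parse_blitz_log(text):
    """Yield a dict per log record; stack-trace continuation lines do not match and are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def ldap_outages(text, fastcgi_idle_timeout_ms=30_000):
    """Pair each LDAP ServiceUnavailableException with the 'invocation took' record of the
    same thread (duration assumed to be in milliseconds) and flag those long enough to
    trip Apache's 30 s FastCGI idle timeout, which is what surfaces as the HTTP 500."""
    pending, results = {}, []
    for rec in parse_blitz_log(text):
        if LDAP_DOWN in rec["msg"]:
            pending[rec["thread"]] = len(results)
            results.append({"ts": rec["ts"], "took_ms": None, "exceeds_fcgi": False})
            continue
        took = TOOK_RE.search(rec["msg"])
        if took and rec["thread"] in pending:
            hit = results[pending.pop(rec["thread"])]
            hit["took_ms"] = int(took.group(1))
            hit["exceeds_fcgi"] = hit["took_ms"] > fastcgi_idle_timeout_ms
    return results

def outage_timestamps(text):
    """Same result as the grep | cut pipeline in the thread, without the shell."""
    return [hit["ts"] for hit in ldap_outages(text)]
```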

Re: ldap users into existing groups

Postby jmoore » Tue Jan 07, 2014 9:32 am

The most related information I can find seems to be:

At the moment, I assume what's happening is that queries are taking too long and therefore eventually there are no more connections. From the related Atlassian ticket CWD-1942, "...we concluded that the timeout may happen if:
1. The DC [the server] is connecting to is too big (huge number of users/groups), causing the LDAP query to be very expensive for AD.
2. [The server] is connecting to distributed DCs located in different physical locations, causing a search to depend on the communication latency between DCs.
3. The AD server query timeout is set to be very small."

Do any of those seem to hold? If so, you might try their suggested workaround:
Code:
-Dcom.sun.jndi.ldap.connect.pool.timeout=3

(though 3 milliseconds was thought to be a bit short). The option can be added to your etc/grid/templates.xml file around line 205.

Another possibility would be to try setting omero.ldap.referral to ignore (the default) if you don't explicitly know that you need it.

Sorry for not having a more concrete fix, but hopefully with some back and forth we can figure out what's going on.

Cheers,
~Josh

Re: ldap users into existing groups

Postby robert.stanislawiak » Fri Jan 10, 2014 9:38 pm

-Dcom.sun.jndi.ldap.connect.pool.timeout=3

I've applied this and it works. Thank you very much!

regards
RS
