Changing to secure ldap authentication

Posted: Fri Jul 27, 2012 9:05 pm
by jlbryants
We have been using Omero for the past couple of months with LDAP authentication on port 389. The university is going to port 636 and I need to change it to support the secure port. I have made the changes to the configuration and I am not able to log in. Looking at the logs I get FileNotFoundException: /home/user/.mystore (No such file or directory). Any ideas?

Joe

Re: Changing to secure ldap authentication

Posted: Tue Jul 31, 2012 8:17 am
by cxallan
Hi Joe,

Which parts of the LDAP and Security pages have you already followed?

-Chris

Re: Changing to secure ldap authentication

Posted: Wed Aug 01, 2012 8:05 pm
by jlbryants
Hi Chris,

I changed the URLs to ldaps://ad.ufl.edu:636

I added:
omero.security.keyStore=/home/user/.mystore
omero.security.keyStorePassword=secret
omero.security.trustStore=/home/user/.keystore
omero.security.trustStorePassword=secret

We have not enabled any firewalls at this point. We will tighten that down after it is working. We are still running Omero Server 4.3.4. We have purchased another server to test 4.4.1.

Thanks for your help.

Joe

Re: Changing to secure ldap authentication

Posted: Thu Aug 02, 2012 7:42 am
by cxallan
Sorry, you've added those lines to the configuration and it's working or you're still having issues?

Re: Changing to secure ldap authentication

Posted: Fri Aug 03, 2012 12:18 pm
by jlbryants
No, it is not working with those entries. Please see the error log entries below.

Caused by: javax.naming.CommunicationException: ad.ufl.edu:636 [Root exception is java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)]
at com.sun.jndi.ldap.Connection.<init>(Connection.java:199)
at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:116)
at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1580)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2678)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:296)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
at org.springframework.ldap.core.support.LdapContextSource.getDirContextInstance(LdapContextSource.java:43)
at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:254)
... 49 more
Caused by: java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
at javax.net.ssl.DefaultSSLSocketFactory.throwException(SSLSocketFactory.java:179)
at javax.net.ssl.DefaultSSLSocketFactory.createSocket(SSLSocketFactory.java:192)
at sun.reflect.GeneratedMethodAccessor319.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.sun.jndi.ldap.Connection.createSocket(Connection.java:316)
at com.sun.jndi.ldap.Connection.<init>(Connection.java:186)
... 63 more
Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
at java.security.Provider$Service.newInstance(Provider.java:1245)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:220)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:147)
at javax.net.ssl.SSLContext.getInstance(SSLContext.java:125)
at javax.net.ssl.SSLContext.getDefault(SSLContext.java:68)
at javax.net.ssl.SSLSocketFactory.getDefault(SSLSocketFactory.java:102)
at sun.reflect.GeneratedMethodAccessor318.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.sun.jndi.ldap.Connection.createSocket(Connection.java:272)
... 64 more
Caused by: java.security.PrivilegedActionException: java.io.FileNotFoundException: /home/user/.mystore (No such file or directory)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl.getDefaultKeyManager(DefaultSSLContextImpl.java:120)
at com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl.<init>(DefaultSSLContextImpl.java:40)
at sun.reflect.GeneratedConstructorAccessor116.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
at java.lang.Class.newInstance0(Class.java:355)
at java.lang.Class.newInstance(Class.java:308)
at java.security.Provider$Service.newInstance(Provider.java:1221)
... 73 more
Caused by: java.io.FileNotFoundException: /home/user/.mystore (No such file or directory)
at java.io.FileInputStream.open(Native Method)
at java.io.FileInputStream.<init>(FileInputStream.java:120)
at java.io.FileInputStream.<init>(FileInputStream.java:79)
at com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl$2.run(DefaultSSLContextImpl.java:123)
at com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl$2.run(DefaultSSLContextImpl.java:121)
... 82 more
2012-08-02 08:49:36,910 INFO [ ome.services.util.ServiceHandler] (l.Server-5) Excp: org.springframework.ldap.CommunicationException: ad.ufl.edu:636; nested exception is javax.naming.CommunicationException: ad.ufl.edu:636 [Root exception is java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)]
2012-08-02 08:49:36,910 ERROR [services.blitz.fire.PermissionsVerifierI] (l.Server-5) Exception thrown while checking password for:jlbryants
ome.conditions.InternalException: Wrapped Exception: (org.springframework.ldap.CommunicationException):
ad.ufl.edu:636; nested exception is javax.naming.CommunicationException: ad.ufl.edu:636 [Root exception is java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)]
at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:98)
at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:266)
at org.springframework.ldap.core.support.AbstractContextSource.getContext(AbstractContextSource.java:106)
at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:125)
at sun.reflect.GeneratedMethodAccessor317.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:196)
at $Proxy59.getReadOnlyContext(Unknown Source)
at ome.logic.LdapImpl.getBase(LdapImpl.java:571)
at ome.logic.LdapImpl.getContextMapper(LdapImpl.java:528)
at ome.logic.LdapImpl.findDN(LdapImpl.java:168)
at ome.security.auth.LdapPasswordProvider.getLdapDN(LdapPasswordProvider.java:180)
at ome.security.auth.LdapPasswordProvider.checkPassword(LdapPasswordProvider.java:134)
at ome.security.auth.PasswordProviders.checkPassword(PasswordProviders.java:42)
at ome.logic.AdminImpl.checkPassword(AdminImpl.java:1194)
at ome.services.sessions.SessionManagerImpl$9.doWork(SessionManagerImpl.java:978)
at sun.reflect.GeneratedMethodAccessor272.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
at ome.services.util.Executor$Impl$Interceptor.invoke(Executor.java:440)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at ome.security.basic.EventHandler.invoke(EventHandler.java:150)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.orm.hibernate3.HibernateInterceptor.invoke(HibernateInterceptor.java:111)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:108)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at ome.tools.hibernate.ProxyCleanupFilter$Interceptor.invoke(ProxyCleanupFilter.java:231)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at ome.services.util.ServiceHandler.invoke(ServiceHandler.java:116)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
at $Proxy64.doWork(Unknown Source)
at ome.services.util.Executor$Impl.execute(Executor.java:371)
at ome.services.sessions.SessionManagerImpl.executeCheckPasswordRW(SessionManagerImpl.java:973)
at ome.services.sessions.SessionManagerImpl.executeCheckPassword(SessionManagerImpl.java:945)
at ome.services.sessions.SessionManagerImpl.executePasswordCheck(SessionManagerImpl.java:920)
at ome.services.blitz.fire.PermissionsVerifierI.checkPermissions(PermissionsVerifierI.java:135)
at Glacier2._PermissionsVerifierDisp.___checkPermissions(_PermissionsVerifierDisp.java:90)
at Glacier2._PermissionsVerifierDisp.__dispatch(_PermissionsVerifierDisp.java:118)
at IceInternal.Incoming.invoke(Incoming.java:159)
at Ice.ConnectionI.invokeAll(ConnectionI.java:2037)
at Ice.ConnectionI.message(ConnectionI.java:972)
at IceInternal.ThreadPool.run(ThreadPool.java:577)
at IceInternal.ThreadPool.access$100(ThreadPool.java:12)
at IceInternal.ThreadPool$EventHandlerThread.run(ThreadPool.java:971)

Re: Changing to secure ldap authentication

Posted: Fri Aug 03, 2012 12:42 pm
by cxallan
Unless you really have installed OMERO as "user", just copying those variables verbatim is not going to work. You have to specify the correct path based on the user you're running OMERO.server as.
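
A pre-restart check that covers both the configuration Joe posted and Chris's point about the service account, added here as an example (it is not code from the OMERO project or from either poster): it reads the omero.security.keyStore and omero.security.trustStore values out of a properties blob, verifies that each path is a regular file readable by the account OMERO.server runs as, and warns if a keystore is world-readable. The stack trace above ends in FileNotFoundException because the JVM's default SSL context opens the keystore file directly, so a missing or unreadable path fails every LDAPS bind. The sample property text (the four lines from the thread), the temporary paths and the optional service-user argument are constructed for this example.

```shell
#!/bin/sh
# Added example, not OMERO project code: verify that the keystore and truststore
# paths in omero.security.* properties exist and are readable by the service account.
# The JVM's default SSL context opens the keystore file itself, so a wrong path
# surfaces as FileNotFoundException on every LDAPS bind, as in the thread.

# Constructed sample: the four properties the poster copied verbatim.
SAMPLE_CONFIG='omero.security.keyStore=/home/user/.mystore
omero.security.keyStorePassword=secret
omero.security.trustStore=/home/user/.keystore
omero.security.trustStorePassword=secret'

# prop_value PROPERTIES KEY: print the value of the first KEY=VALUE line.
prop_value() {
    printf '%s\n' "$1" | awk -F= -v key="$2" '$1 == key { sub(/^[^=]*=/, ""); print; exit }'
}

# check_store PATH [USER]: return 0 if PATH is a regular file readable by USER
# (default: the current user); otherwise report the reason on stderr and return 1.
check_store() {
    store_path="$1"
    store_user="${2:-$(id -un)}"
    if [ ! -e "$store_path" ]; then
        echo "MISSING: $store_path (the FileNotFoundException case)" >&2
        return 1
    fi
    if [ ! -f "$store_path" ]; then
        echo "NOT A REGULAR FILE: $store_path" >&2
        return 1
    fi
    if [ "$store_user" = "$(id -un)" ]; then
        [ -r "$store_path" ] || { echo "UNREADABLE by $store_user: $store_path" >&2; return 1; }
    else
        # Readability must be tested as the service account, not as the admin running this.
        sudo -u "$store_user" test -r "$store_path" || { echo "UNREADABLE by $store_user: $store_path" >&2; return 1; }
    fi
    # A keystore holds private key material: warn if other users can read it.
    case "$(ls -ld "$store_path" | cut -c8)" in
        r) echo "WARNING: $store_path is world-readable" >&2 ;;
    esac
    return 0
}

# check_config PROPERTIES [USER]: check both store paths; return the number of failures.
check_config() {
    failures=0
    for key in omero.security.keyStore omero.security.trustStore; do
        store="$(prop_value "$1" "$key")"
        if [ -z "$store" ]; then
            echo "$key is not set" >&2
            failures=$((failures + 1))
        elif ! check_store "$store" "$2"; then
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Usage: run against the constructed sample as the current user. On a real host,
# pass the service account as the second argument, e.g. check_config "$CFG" omero.
if check_config "$SAMPLE_CONFIG"; then
    echo "both stores OK"
else
    echo "store check failed (see messages above)"
fi
```

Run it as the administrator with the service account as the second argument; the `sudo -u` branch tests readability as that account rather than as the caller, which is exactly the distinction the missing-file error in the thread hides. A keystore that exists but is not readable by the service user fails the same way as one that does not exist.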

Re: Changing to secure ldap authentication

Posted: Mon Aug 06, 2012 6:00 pm
by jlbryants
Thanks for your help Chris. We have it up. The path was not correct as you surmised.

Re: Changing to secure ldap authentication

Posted: Mon Aug 06, 2012 6:52 pm
by cxallan
jlbryants wrote:
> Thanks for your help Chris. We have it up. The path was not correct as you surmised.

Perfect. Happy to help.