LDAP bind to active directory
Posted: Fri Apr 09, 2010 9:34 am
Hi all,
I am trying to use active directory (2003 R2 in native mode) as a LDAP backend for omero 4.1.1 under Ubuntu 9.10. I included the output of omero admin diagnostics at the end of this post.
I have omero running without any errors or warnings, but logging on with an ADS account fails in the bind phase.
The output of bin/omero config get is as follows:
omero.db.name=omero
omero.db.pass=XXXXXXXX
omero.db.user=omero
omero.ldap.base=dc=fwnc,dc=net
omero.ldap.config=true
omero.ldap.groups=OmeroUsers
omero.ldap.keyStore=/home/omero/.mystore
omero.ldap.keyStorePassword=yyyyyyyy
omero.ldap.trustStore=/home/omero/.keystore
omero.ldap.trustStorePassword=yyyyyyyy
omero.ldap.urls=ldaps://fwncads.fwnc.net:636
omero.ldap.username=cn=omeroserver,ou=xxx,ou=yyy,dc=fwnc,dc=net
Initially, I got the following error:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Which indicates omero cannot verify the ADS cert using the root certificates used to sign the ADS certificate (we use an internal CA/subCA to sign everything).
The ldap.truststore does however contain the CA certificates. (I find the manual a bit confusing though; calling the truststore .keystore and calling the keystore .mystore )
Using SSLPoke I can verify the keystore is valid:
java -Djavax.net.ssl.trustStore=/home/omero/.keystore SSLPoke fwncads.fwnc.net 636
Successfully connected
I even tried adding the CA certs to the ldap.keystore. In the end I simply added the CA certs to the java cacerts keystore. This resulted in a new error:
Uncategorized exception occured during LDAP processing; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece^@]; remaining name ''
At this point I am stuck. I suspect omero is not really using the keystores I have set up, but I have no idea how to remedy that. Also, I have no idea if the settings above are actually the correct ones for binding to an ADS.
Roelof
================================================================================
OMERO Diagnostics Beta-4.1.1-r5927-b91
================================================================================
Commands: java -version 1.6.0 (/usr/bin/java)
Commands: python -V 2.6.4 (/usr/bin/python)
Commands: icegridnode --version 3.3.1 (/usr/bin/icegridnode)
Commands: icegridadmin --version 3.3.1 (/usr/bin/icegridadmin)
Commands: psql --version 8.4.2 (/usr/bin/psql)
Server: icegridnode running
Server: Blitz-0 active (pid = 4972, enabled)
Server: DropBox active (pid = 4997, enabled)
Server: FSServer active (pid = 4999, enabled)
Server: Indexer-0 active (pid = 5010, enabled)
Server: OMERO.Glacier2 active (pid = 5011, enabled)
Server: OMERO.IceStorm active (pid = 5032, enabled)
Server: Processor-0 active (pid = 5039, enabled)
Server: Tables-0 active (pid = 5070, enabled)
Server: TestDropBox inactive (enabled)
Server: Web inactive (enabled)
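The post mixes two distinct failures: a TLS chain problem (SunCertPathBuilderException) and a later bind problem (LDAP error code 1). The following standalone JNDI check, an added example and not code from the post or from OMERO, reproduces both steps outside the server with the same trust store and bind DN, so it tells you whether the trust store and credentials are correct before suspecting OMERO's own configuration. The class name and command-line arguments are my own; it compiles on Java 6 as used in the post.

```java
import java.security.cert.CertPathBuilderException;
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// Usage (hypothetical class name, arguments are assumptions):
//   java LdapsBindCheck ldaps://fwncads.fwnc.net:636 \
//        "cn=omeroserver,ou=xxx,ou=yyy,dc=fwnc,dc=net" <password> \
//        /home/omero/.keystore <truststore-password>
public class LdapsBindCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: LdapsBindCheck <ldaps-url> <bind-dn> <password> <truststore> <truststore-password>");
            System.exit(2);
        }
        // These are the JVM-wide SSL properties; OMERO's ldap.trustStore setting is
        // expected to map to the same thing, so a failure here isolates the trust store.
        System.setProperty("javax.net.ssl.trustStore", args[3]);
        System.setProperty("javax.net.ssl.trustStorePassword", args[4]);

        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, args[0]);          // ldaps:// forces TLS from the start
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "simple"); // explicit simple bind, never anonymous
        env.put(Context.SECURITY_PRINCIPAL, args[1]);
        env.put(Context.SECURITY_CREDENTIALS, args[2]);

        try {
            DirContext ctx = new InitialDirContext(env); // performs TLS handshake + bind
            System.out.println("TLS handshake and simple bind succeeded as " + args[1]);
            ctx.close();
        } catch (AuthenticationException e) {
            // AD answers a wrong DN or password with error code 49, not code 1.
            System.out.println("Bind rejected (bad DN or password): " + e.getMessage());
        } catch (NamingException e) {
            Throwable root = e;
            while (root.getCause() != null) root = root.getCause();
            if (root instanceof CertPathBuilderException) {
                // Same condition as the first error in the post: the server chain
                // does not lead to a CA present in the trust store actually in use.
                System.out.println("Trust store does not validate the server certificate: " + root);
            } else {
                System.out.println("Other LDAP failure: " + e.getMessage());
            }
        }
    }
}
```

If this tool binds but OMERO still reports error code 1 ("a successful bind must be completed"), AD is answering an operation on a connection that never bound, which points at the server's own ldap settings rather than at the trust store.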