LDAP bind to active directory

PostPosted: Fri Apr 09, 2010 9:34 am
by roelof
Hi all,

I am trying to use Active Directory (2003 R2 in native mode) as an LDAP backend for omero 4.1.1 under Ubuntu 9.10. I included the output of omero admin diagnostics at the end of this post.

I have omero running without any errors or warnings, but logging on with an ADS account fails in the bind phase.

The output of bin/omero config get is as follows:

omero.db.name=omero
omero.db.pass=XXXXXXXX
omero.db.user=omero
omero.ldap.base=dc=fwnc,dc=net
omero.ldap.config=true
omero.ldap.groups=OmeroUsers
omero.ldap.keyStore=/home/omero/.mystore
omero.ldap.keyStorePassword=yyyyyyyy
omero.ldap.trustStore=/home/omero/.keystore
omero.ldap.trustStorePassword=yyyyyyyy
omero.ldap.urls=ldaps://fwncads.fwnc.net:636
omero.ldap.username=cn=omeroserver,ou=xxx,ou=yyy,dc=fwnc,dc=net
Initially, I got the following error:

sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Which indicates omero cannot verify the ADS cert using the root certificates used to sign the ADS certificate (we use an internal CA/subCA to sign everything).

The ldap.truststore does however contain the CA certificates. (I find the manual a bit confusing though; calling the truststore .keystore and calling the keystore .mystore.)
Using SSLPoke I can verify the keystore is valid:

java -Djavax.net.ssl.trustStore=/home/omero/.keystore SSLPoke fwncads.fwnc.net 636
Successfully connected
I even tried adding the CA certs to the ldap.keystore. In the end I simply added the CA certs to the java cacerts keystore. This resulted in a new error:

Uncategorized exception occured during LDAP processing; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece^@]; remaining name ''
At this point I am stuck. I suspect omero is not really using the keystores I have set up, but I have no idea how to remedy that. Also, I have no idea if the settings above are actually the correct ones for binding to an ADS.

Roelof

================================================================================
OMERO Diagnostics Beta-4.1.1-r5927-b91
================================================================================

Commands:   java -version                  1.6.0     (/usr/bin/java)
Commands:   python -V                      2.6.4     (/usr/bin/python)
Commands:   icegridnode --version          3.3.1     (/usr/bin/icegridnode)
Commands:   icegridadmin --version         3.3.1     (/usr/bin/icegridadmin)
Commands:   psql --version                 8.4.2     (/usr/bin/psql)

Server:     icegridnode                    running
Server:     Blitz-0                        active (pid = 4972, enabled)
Server:     DropBox                        active (pid = 4997, enabled)
Server:     FSServer                       active (pid = 4999, enabled)
Server:     Indexer-0                      active (pid = 5010, enabled)
Server:     OMERO.Glacier2                 active (pid = 5011, enabled)
Server:     OMERO.IceStorm                 active (pid = 5032, enabled)
Server:     Processor-0                    active (pid = 5039, enabled)
Server:     Tables-0                       active (pid = 5070, enabled)
Server:     TestDropBox                    inactive (enabled)
Server:     Web                            inactive (enabled)

Re: LDAP bind to active directory (solved, kinda)

PostPosted: Mon Apr 12, 2010 2:12 pm
by roelof
I have got this working (kinda).

It turned out I was using the wrong DN for the bind account.

I can now do a secure bind against our ADS; the omeroserver account shows as a successful logon in the ADS event log.

Logging on with a user account results in:
2010-04-12 11:19:33,397 ERROR [services.blitz.fire.PermissionsVerifierI] (l.Server-7) Exception thrown while checking password for:testuser
ome.conditions.InternalException: Wrapped Exception: (org.springframework.ldap.PartialResultException):
Unprocessed Continuation Reference(s); nested exception is javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name ''

This turns out to be related to the search base. If I change the ldap.base to the DN of an OU holding accounts, I can log in, but only with accounts inside that specific OU (and using whatever value is in the CN field as the username instead of the sAMAccountName). Sub-OUs are ignored.

So,
omero.ldap.base=OU=xxx,OU=yyy,DC=fwnc,DC=net works for accounts in the xxx OU but
omero.ldap.base=DC=fwnc,DC=net fails


In the end I suppose I will have to wait for version 4.2 :)
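An added example, not code from the thread or from OMERO, showing the two things these two posts turn on: trusting the internal CA for the LDAPS connection, and following the referrals Active Directory returns when a subtree search starts at the domain root (the cause of "Unprocessed Continuation Reference(s)"), with the user resolved by sAMAccountName under the service-account bind so that accounts in sub-OUs are found. The hostname, DNs and truststore path are the ones from the posts; the class name is hypothetical and both passwords are assumed to be in the environment variables SERVICE_PW and USER_PW.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.*;

public class AdLdapsCheck {
    // Hostname, DNs and truststore path are those in the thread; passwords come from the environment.
    static final String URL = "ldaps://fwncads.fwnc.net:636";
    static final String BASE = "DC=fwnc,DC=net";
    static final String SERVICE_DN = "CN=omeroserver,OU=xxx,OU=yyy,DC=fwnc,DC=net";
    static {  // trust the internal CA chain from the truststore the SSLPoke test already validated
        System.setProperty("javax.net.ssl.trustStore", "/home/omero/.keystore");
    }
    static Hashtable<String, String> env(String principal, String password) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        // A subtree search from the domain root makes AD return referrals for its other naming
        // contexts; left unhandled, JNDI raises "Unprocessed Continuation Reference(s)".
        env.put(Context.REFERRAL, "follow");
        return env;
    }
    /** Resolve a user's DN by sAMAccountName, searching the whole domain including sub-OUs. */
    static String findUserDn(String sam) throws NamingException {
        DirContext ctx = new InitialDirContext(env(SERVICE_DN, System.getenv("SERVICE_PW")));
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"distinguishedName"});
            // The username goes in as a filter argument so JNDI escapes it; never concatenate it.
            NamingEnumeration<SearchResult> r = ctx.search(BASE,
                    "(&(objectClass=user)(sAMAccountName={0}))", new Object[] {sam}, sc);
            return r.hasMore() ? (String) r.next().getAttributes().get("distinguishedName").get() : null;
        } finally {
            ctx.close();
        }
    }
    /** Verify the password by binding as that DN. An empty password is rejected up front because
     *  AD treats it as an unauthenticated bind and reports success. */
    static boolean authenticate(String userDn, String password) {
        if (userDn == null || password == null || password.isEmpty()) return false;
        try { new InitialDirContext(env(userDn, password)).close(); return true; }
        catch (NamingException e) { return false; }
    }
    public static void main(String[] args) throws NamingException {
        String dn = findUserDn("testuser");
        System.out.println(dn == null ? "no such user" : authenticate(dn, System.getenv("USER_PW")) ? "ok" : "bad password");
    }
}
```

Following referrals re-sends the service-account bind to whatever host the referral names, so an alternative with the same effect is to query the Global Catalog on port 3269 (LDAPS), which answers domain-wide searches without referrals.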

Re: LDAP bind to active directory

PostPosted: Thu Apr 15, 2010 2:47 pm
by jmoore
Hi Roelof,

that does sound very much like you need the improved LDAP support in the upcoming 4.2 version. The over-arching ticket is #1382. You might take a look at the example listed there, but I do think that it'll support your use case. Over the next 2 weeks, I'll try to add an example using your DNs. If you could provide me an LDIF example, that'd be great.

Cheers,
~Josh