LDAP Authentication Failure
Posted: Wed Jun 12, 2013 3:09 pm
by jlbryants
We have been using Omero with LDAP authentication for about a year. We have one user who can no longer log in. She was a student at the university and had been logging in successfully until she graduated and was hired full time as a research assistant. As a student, she was located in the student OU within the directory structure. After her hire, her user object was moved to the OU where she is now employed. Looking at the blitz log I see the following warning:
2013-06-12 10:52:40,069 WARN  [  ome.security.auth.LdapPasswordProvider] (l.Server-5) DNs don't match: 'cn=heather.brown,ou=STUDENTS,ou=People,ou=UF,dc=ad,dc=ufl,dc=edu' and 'cn=heather.brown,ou=DN-ORALBIO,ou=DN,ou=HSC,ou=People,ou=UF,dc=ad,dc=ufl,dc=edu'
2013-06-12 10:52:40,070 WARN  [  ome.security.auth.LoginAttemptListener] (l.Server-5) 3 failed logins for heather.brown. Throttling for 3000
All other users are still able to log in successfully. Any assistance would be appreciated.

Re: LDAP Authentication Failure
Posted: Wed Jun 12, 2013 3:16 pm
by kennethgillen
Hi,
Can you please paste the (non sensitive!) omero.ldap.* settings from the results of bin/omero config get?
The following page may also help: 
http://www.openmicroscopy.org/site/supp ... -ldap.html
Thanks,
Kenny

Re: LDAP Authentication Failure
Posted: Wed Jun 12, 2013 3:49 pm
by jlbryants
Kenny,
Thanks for the reply:
    <property name="omero.config.profile" value="default"/>
    <property name="omero.config.version" value="4.2.1"/>
    <property name="omero.data.dir" value="/Omero-data"/>
    <property name="omero.db.name" value="omero"/>
    <property name="omero.db.pass" value="***************"/>
    <property name="omero.db.poolsize" value="75"/>
    <property name="omero.db.user" value="omero"/>
    <property name="omero.ldap.base" value="OU=UF,DC=ad,DC=ufl,DC=edu"/>
    <property name="omero.ldap.config" value="true"/>
    <property name="omero.ldap.password" value="*****************************"/>
    <property name="omero.ldap.urls" value="ldaps://ufdc-hsc09.ad.ufl.edu:636"/>
    <property name="omero.ldap.user_filter" value="(objectClass=user)"/>
    <property name="omero.ldap.user_mapping" value="omeName=cn,firstName=givenName,lastName=sn,email=mail"/>
    <property name="omero.ldap.username" value="CN=DN-OmeroServerLDAP,OU=ServiceAccounts,OU=DN-IT,OU=DENTISTRY,OU=HSC,OU=Departments,OU=UF,DC=ad,DC=ufl,DC=edu"/>
    <property name="omero.security.keyStore" value="/Users/dn-srvc-omero/.keystore"/>
    <property name="omero.security.keyStorePassword" value="*************************"/>
    <property name="omero.security.password_provider" value="chainedPasswordProvider"/>
    <property name="omero.security.trustStore" value="/Users/dn-srvc-omero/.truststore"/>
    <property name="omero.security.trustStorePassword" value="************************"/>
    <property name="omero.sessions.timeout" value="1200000"/>
    <property name="omero.ldap.sync_on_login" value="false"/>
  </properties>

Re: LDAP Authentication Failure
Posted: Wed Jun 12, 2013 4:18 pm
by kennethgillen
Hi,
I suspect OMERO has kept hold of the user's original DN; now that they have moved in LDAP, this mismatch is being disallowed due to possible security issues.
You can update heather.brown's DN by using setdn:
bin/omero ldap setdn heather.brown 'cn=heather.brown,ou=DN-ORALBIO,ou=DN,ou=HSC,ou=People,ou=UF,dc=ad,dc=ufl,dc=edu'
Best,
Kenny
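
A small Python model of the check Kenny describes, added here for illustration (it is not OMERO's own code; the directory, the stored-DN table and the helper names are constructed, and the password bind the real provider also performs is left out): the DN found at the user's first LDAP login is pinned, a later login whose lookup returns a different DN is refused with the "DNs don't match" warning, and `setdn` is the administrative way to re-pin it after an object move.

```python
import logging
from typing import Dict, Optional

log = logging.getLogger("ome.security.auth.LdapPasswordProvider")

# Constructed sample values taken from the thread above.
OLD_DN = "cn=heather.brown,ou=STUDENTS,ou=People,ou=UF,dc=ad,dc=ufl,dc=edu"
NEW_DN = "cn=heather.brown,ou=DN-ORALBIO,ou=DN,ou=HSC,ou=People,ou=UF,dc=ad,dc=ufl,dc=edu"
BASE = "OU=UF,DC=ad,DC=ufl,DC=edu"

def normalize_dn(dn: str) -> str:
    """DNs are compared case-insensitively, ignoring whitespace around RDN separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def lookup_dn(directory: Dict[str, dict], base: str, username: str) -> Optional[str]:
    """Model of the (objectClass=user) search under omero.ldap.base, matching omeName=cn."""
    base_n = normalize_dn(base)
    hits = [dn for dn, attrs in directory.items()
            if attrs.get("objectClass") == "user"
            and attrs.get("cn", "").lower() == username.lower()
            and normalize_dn(dn).endswith("," + base_n)]
    return hits[0] if len(hits) == 1 else None  # ambiguous or absent -> no match

def check_login(stored: Dict[str, str], directory: Dict[str, dict], base: str, username: str) -> bool:
    """True only if the DN found now equals the DN pinned for this OMERO user."""
    found = lookup_dn(directory, base, username)
    if found is None:
        return False
    if username not in stored:
        stored[username] = found  # first login: pin the DN to this account
        return True
    if normalize_dn(stored[username]) != normalize_dn(found):
        # This is the warning seen in the blitz log: a different object under the
        # same cn is not silently accepted as the existing account's owner.
        log.warning("DNs don't match: '%s' and '%s'", stored[username], found)
        return False
    return True

def setdn(stored: Dict[str, str], username: str, new_dn: str) -> None:
    """Model of `bin/omero ldap setdn <user> <dn>`: an admin explicitly re-pins the DN."""
    stored[username] = new_dn

def demo():
    """Replays the thread: login fails after the move, succeeds after setdn."""
    stored = {"heather.brown": OLD_DN}           # pinned at her first login as a student
    directory = {NEW_DN: {"cn": "heather.brown", "objectClass": "user"}}  # object moved
    before = check_login(stored, directory, BASE, "heather.brown")
    setdn(stored, "heather.brown", NEW_DN)
    after = check_login(stored, directory, BASE, "heather.brown")
    return before, after
```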

Re: LDAP Authentication Failure
Posted: Wed Jun 12, 2013 6:30 pm
by jlbryants
Kenny,
Thank you! That worked perfectly. I appreciate it.
Joe