
LDAP Authentication Failure

PostPosted: Wed Jun 12, 2013 3:09 pm
by jlbryants
We have been using Omero with LDAP authentication for about a year. We have one user who can no longer log in. She was a student at the university and had been successfully logging in until she graduated and was hired full time as a research assistant. As a student, she was located in the student OU within the directory structure. After her hire, her user object was moved to the OU where she is now employed. Looking at the blitz log I see the following warning:

2013-06-12 10:52:40,069 WARN [ ome.security.auth.LdapPasswordProvider] (l.Server-5) DNs don't match: 'cn=heather.brown,ou=STUDENTS,ou=People,ou=UF,dc=ad,dc=ufl,dc=edu' and 'cn=heather.brown,ou=DN-ORALBIO,ou=DN,ou=HSC,ou=People,ou=UF,dc=ad,dc=ufl,dc=edu'
2013-06-12 10:52:40,070 WARN [ ome.security.auth.LoginAttemptListener] (l.Server-5) 3 failed logins for heather.brown. Throttling for 3000

All other users are still able to successfully login. Any assistance would be appreciated.

Re: LDAP Authentication Failure

PostPosted: Wed Jun 12, 2013 3:16 pm
by kennethgillen
Hi,

Can you please paste the (non sensitive!) omero.ldap.* settings from the results of bin/omero config get?

The following page may also help: http://www.openmicroscopy.org/site/supp ... -ldap.html

Thanks,

Kenny

Re: LDAP Authentication Failure

PostPosted: Wed Jun 12, 2013 3:49 pm
by jlbryants
Kenny,

Thanks for the reply:


<property name="omero.config.profile" value="default"/>
<property name="omero.config.version" value="4.2.1"/>
<property name="omero.data.dir" value="/Omero-data"/>
<property name="omero.db.name" value="omero"/>
<property name="omero.db.pass" value="***************"/>
<property name="omero.db.poolsize" value="75"/>
<property name="omero.db.user" value="omero"/>
<property name="omero.ldap.base" value="OU=UF,DC=ad,DC=ufl,DC=edu"/>
<property name="omero.ldap.config" value="true"/>
<property name="omero.ldap.password" value="*****************************"/>
<property name="omero.ldap.urls" value="ldaps://ufdc-hsc09.ad.ufl.edu:636"/>
<property name="omero.ldap.user_filter" value="(objectClass=user)"/>
<property name="omero.ldap.user_mapping" value="omeName=cn,firstName=givenName,lastName=sn,email=mail"/>
<property name="omero.ldap.username" value="CN=DN-OmeroServerLDAP,OU=ServiceAccounts,OU=DN-IT,OU=DENTISTRY,OU=HSC,OU=Departments,OU=UF,DC=ad,DC=ufl,DC=edu"/>
<property name="omero.security.keyStore" value="/Users/dn-srvc-omero/.keystore"/>
<property name="omero.security.keyStorePassword" value="*************************"/>
<property name="omero.security.password_provider" value="chainedPasswordProvider"/>
<property name="omero.security.trustStore" value="/Users/dn-srvc-omero/.truststore"/>
<property name="omero.security.trustStorePassword" value="************************"/>
<property name="omero.sessions.timeout" value="1200000"/>
<property name="omero.ldap.sync_on_login" value="false"/>
</properties>

Re: LDAP Authentication Failure

PostPosted: Wed Jun 12, 2013 4:18 pm
by kennethgillen
Hi,

I suspect OMERO has kept hold of the original DN of the user; now that they have moved in LDAP, this mismatch is being disallowed due to possible security issues.

You can update heather.brown's DN by using setdn:

bin/omero ldap setdn heather.brown 'cn=heather.brown,ou=DN-ORALBIO,ou=DN,ou=HSC,ou=People,ou=UF,dc=ad,dc=ufl,dc=edu'

Best,

Kenny
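The mismatch check above is what makes a moved user object fail to log in: OMERO stores the DN it first resolved for the user and refuses the login if the DN it resolves today differs, because the same cn under a different OU could be a different object. An admin who wants to find such cases before users complain can scan the blitz log for the "DNs don't match" warning and generate the corresponding setdn commands for review. The script below is an added example written for this page, not part of OMERO; the log lines in it are constructed (the first pair is modelled on the lines quoted in the thread, the third is invented to show a mismatch that should not be fixed blindly). It assumes, as in the posted config, that omeName is mapped to cn, and that cn values compare case-insensitively as they do in Active Directory.

```python
import re
from dataclasses import dataclass

# Constructed sample blitz.log lines for this example. The first two are modelled
# on the WARN lines quoted in the thread; the third is invented: the leaf RDN
# differs (jdoe vs john.doe), so it is NOT obviously the same person moved.
SAMPLE_LOG = """\
2013-06-12 10:52:40,069 WARN [ ome.security.auth.LdapPasswordProvider] (l.Server-5) DNs don't match: 'cn=heather.brown,ou=STUDENTS,ou=People,ou=UF,dc=ad,dc=ufl,dc=edu' and 'cn=heather.brown,ou=DN-ORALBIO,ou=DN,ou=HSC,ou=People,ou=UF,dc=ad,dc=ufl,dc=edu'
2013-06-12 10:52:40,070 WARN [ ome.security.auth.LoginAttemptListener] (l.Server-5) 3 failed logins for heather.brown. Throttling for 3000
2013-06-12 11:03:12,501 WARN [ ome.security.auth.LdapPasswordProvider] (l.Server-7) DNs don't match: 'cn=jdoe,ou=People,ou=UF,dc=ad,dc=ufl,dc=edu' and 'cn=john.doe,ou=People,ou=UF,dc=ad,dc=ufl,dc=edu'
"""

# Matches the LdapPasswordProvider warning and captures the stored and current DN.
DN_MISMATCH = re.compile(
    r"\[\s*ome\.security\.auth\.LdapPasswordProvider\]\s+\(\S+\)\s+"
    r"DNs don't match: '(?P<stored>[^']+)' and '(?P<current>[^']+)'"
)


def split_dn(dn: str) -> list:
    """Split a DN into RDN strings, honouring RFC 4514 backslash-escaped commas."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]


def leaf_rdn(dn: str) -> str:
    """The first (leftmost) RDN, e.g. 'cn=heather.brown'."""
    return split_dn(dn)[0]


def rdn_key(rdn: str) -> tuple:
    """Normalised (attribute, value) pair; attribute types are case-insensitive per
    RFC 4514, and cn values are treated as case-insensitive (assumption: AD caseIgnore)."""
    attr, _, value = rdn.partition("=")
    return (attr.strip().lower(), value.strip().lower())


@dataclass(frozen=True)
class Mismatch:
    stored: str   # DN OMERO remembered from an earlier login
    current: str  # DN the LDAP lookup returned this time

    @property
    def same_leaf(self) -> bool:
        """True when only the container moved, i.e. the leaf RDN is unchanged."""
        return rdn_key(leaf_rdn(self.stored)) == rdn_key(leaf_rdn(self.current))


def find_mismatches(log_text: str) -> list:
    """Extract every DN mismatch warning from blitz.log text, in order."""
    found = []
    for line in log_text.splitlines():
        m = DN_MISMATCH.search(line)
        if m:
            found.append(Mismatch(m["stored"], m["current"]))
    return found


def setdn_commands(mismatches: list) -> list:
    """Build 'bin/omero ldap setdn' commands only for mismatches that look like a
    moved object (same leaf cn). A changed leaf RDN is left for a human to check,
    since it may be a different directory object that happens to share a name."""
    commands = []
    for mm in mismatches:
        if not mm.same_leaf:
            continue
        attr, _, value = leaf_rdn(mm.current).partition("=")
        if attr.strip().lower() != "cn":  # assumption: omeName=cn as in the posted config
            continue
        # Single-quote the DN for the shell; the regex guarantees it has no quotes.
        commands.append(f"bin/omero ldap setdn {value.strip()} '{mm.current}'")
    return commands


if __name__ == "__main__":
    mismatches = find_mismatches(SAMPLE_LOG)
    for mm in mismatches:
        status = "moved object" if mm.same_leaf else "REVIEW: leaf RDN changed"
        print(f"{status}: {mm.stored} -> {mm.current}")
    for cmd in setdn_commands(mismatches):
        print(cmd)
```

Run it against a real log with `python3 dn_mismatch.py < /dev/null` after replacing SAMPLE_LOG with the file contents; review the printed commands before running any of them, because setdn re-binds the OMERO account to whatever object now lives at that DN.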

Re: LDAP Authentication Failure

PostPosted: Wed Jun 12, 2013 6:30 pm
by jlbryants
Kenny,

Thank you! That worked perfectly. I appreciate it.

Joe