
ldapsearch works but OMERO LDAP doesn't

Posted: Fri Nov 01, 2013 5:53 pm
by zebrax0r
Hey all.

Just thought I'd throw this out there, as it's already on the email list.

I have a shiny new Omero 5 beta 1 server running. Desperately trying to get some authentication happening with it. Didn't think it'd be this hard. I'm not using SSL at the moment for my LDAP source, as I want to try and get the very basics right, first.

omero config get looks like this:

Code:
linuxadmin@place-omero-prod:~$ omero config get
omero.data.dir=/omero.data
omero.db.name=place_omero_database
omero.db.pass=censored
omero.db.user=censored
omero.ldap.base=ou=Staff,ou=People,o=the place of place,c=au
omero.ldap.config=true
omero.ldap.password=censored
omero.ldap.referral=follow
omero.ldap.urls=ldap://ldap.place.edu.au:389
omero.ldap.user_filter=()
omero.ldap.username=cn=place_nss,ou=special,o=the place of place,c=au
omero.security.keyStore=/home/linuxadmin/ssl_stores/.censored
omero.security.keyStorePassword=censored
omero.security.trustStore=/home/linuxadmin/ssl_stores/.censored
omero.security.trustStorePassword=censored
omero.web.application_server=development
omero.web.debug=True


So, when I use an ldapsearch from command line:

Code:
linuxadmin@place-omero-prod:~$ ldapsearch -LLL -H ldap://ldap.place.edu.au \
    -x -D 'uid=place_nss,ou=special,o=the place of place,c=au' -w 'secret' \
    -b 'ou=Staff,ou=People,o=the place of place,c=au' | grep -i carroll
cn: Associate Professor blah blue
mail: blah.blue@blah.edu.au


So - my bind string, names, base DN and password are all correct.

However, if I use the above Omero config and try to login with an appropriate username + password:

Code:
2013-11-02 03:46:09,663 INFO  [        ome.services.util.ServiceHandler] (.Server-19)  Excp:   org.springframework.ldap.AuthenticationException: [LDAP: error code 32 - No Such Object]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 32 - No Such Object]
2013-11-02 03:46:09,666 ERROR [     o.s.blitz.fire.PermissionsVerifierI] (.Server-19) Exception thrown while checking password for:blahblah


Really not sure what I'm missing, at this point. It's almost as if the JNDI Spring LDAP toolkit doesn't understand the type or form of DNs and schema I have?

Further to this, I note a lot of suggestions that the "No such object" error suggests that the DN search base doesn't exist. The problem is, it definitely does, and ldapsearch proves that in clear sight. Does OMERO's use of the JNDI require some other syntax or some "more full" path somehow?

Thoughts?

-z

Re: ldapsearch works but OMERO LDAP doesn't

Posted: Sun Nov 03, 2013 7:56 pm
by jmoore
This thread, along with the one on ome-users (http://lists.openmicroscopy.org.uk/pipe ... 04032.html), was solved by changing the configuration properties to use the full AD values. E.g.:

omero.ldap.base=OU=Deputy Vice-Chancellor (Academic),OU=Vice-Chancellor,DC=...
omero.ldap.urls=ldap://ad.cc...:389
omero.ldap.username=CN=Active Directory Admin Account - OU=Deputy Vice-Chancellor (Academic),OU=Vice-Chancellor,...

Hopefully we can incorporate more specific AD-examples to help other users. (Feedback welcome!)
~J