
Changing to secure ldap authentication

Please note: these are historical discussions about OMERO. Having a problem deploying OMERO? Please look for and ask new questions at https://forum.image.sc/tags/omero


Changing to secure ldap authentication

Postby jlbryants » Fri Jul 27, 2012 9:05 pm

We have been using Omero for the past couple of months with LDAP authentication on port 389. The university is going to port 636 and I need to change it to support the secure port. I have made the changes to the configuration and I am not able to log in. Looking at the logs I get FileNotFoundException: /home/user/.mystore (No such file or directory). Any ideas?

Joe
jlbryants
 
Posts: 25
Joined: Mon Apr 09, 2012 8:36 pm

Re: Changing to secure ldap authentication

Postby cxallan » Tue Jul 31, 2012 8:17 am

Hi Joe,

Which parts of the LDAP and Security pages have you already followed?

-Chris
cxallan
Site Admin
 
Posts: 509
Joined: Fri May 01, 2009 8:07 am

Re: Changing to secure ldap authentication

Postby jlbryants » Wed Aug 01, 2012 8:05 pm

Hi Chris,

I changed the URLs to ldaps://ad.ufl.edu:636

I added:
omero.security.keyStore=/home/user/.mystore
omero.security.keyStorePassword=secret
omero.security.trustStore=/home/user/.keystore
omero.security.trustStorePassword=secret

We have not enabled any firewalls at this point. We will tighten that down after it is working. We are still running Omero Server 4.3.4. We have purchased another server to test 4.4.1.

Thanks for your help.

Joe
jlbryants
 
Posts: 25
Joined: Mon Apr 09, 2012 8:36 pm

Re: Changing to secure ldap authentication

Postby cxallan » Thu Aug 02, 2012 7:42 am

Sorry, you've added those lines to the configuration and it's working or you're still having issues?
cxallan
Site Admin
 
Posts: 509
Joined: Fri May 01, 2009 8:07 am

Re: Changing to secure ldap authentication

Postby jlbryants » Fri Aug 03, 2012 12:18 pm

No it is not working with those entries. Please see the error log entries below.

Caused by: javax.naming.CommunicationException: ad.ufl.edu:636 [Root exception is java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)]
at com.sun.jndi.ldap.Connection.<init>(Connection.java:199)
at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:116)
at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1580)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2678)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:296)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
at org.springframework.ldap.core.support.LdapContextSource.getDirContextInstance(LdapContextSource.java:43)
at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:254)
... 49 more
Caused by: java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
at javax.net.ssl.DefaultSSLSocketFactory.throwException(SSLSocketFactory.java:179)
at javax.net.ssl.DefaultSSLSocketFactory.createSocket(SSLSocketFactory.java:192)
at sun.reflect.GeneratedMethodAccessor319.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.sun.jndi.ldap.Connection.createSocket(Connection.java:316)
at com.sun.jndi.ldap.Connection.<init>(Connection.java:186)
... 63 more
Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
at java.security.Provider$Service.newInstance(Provider.java:1245)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:220)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:147)
at javax.net.ssl.SSLContext.getInstance(SSLContext.java:125)
at javax.net.ssl.SSLContext.getDefault(SSLContext.java:68)
at javax.net.ssl.SSLSocketFactory.getDefault(SSLSocketFactory.java:102)
at sun.reflect.GeneratedMethodAccessor318.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.sun.jndi.ldap.Connection.createSocket(Connection.java:272)
... 64 more
Caused by: java.security.PrivilegedActionException: java.io.FileNotFoundException: /home/user/.mystore (No such file or directory)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl.getDefaultKeyManager(DefaultSSLContextImpl.java:120)
at com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl.<init>(DefaultSSLContextImpl.java:40)
at sun.reflect.GeneratedConstructorAccessor116.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
at java.lang.Class.newInstance0(Class.java:355)
at java.lang.Class.newInstance(Class.java:308)
at java.security.Provider$Service.newInstance(Provider.java:1221)
... 73 more
Caused by: java.io.FileNotFoundException: /home/user/.mystore (No such file or directory)
at java.io.FileInputStream.open(Native Method)
at java.io.FileInputStream.<init>(FileInputStream.java:120)
at java.io.FileInputStream.<init>(FileInputStream.java:79)
at com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl$2.run(DefaultSSLContextImpl.java:123)
at com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl$2.run(DefaultSSLContextImpl.java:121)
... 82 more
2012-08-02 08:49:36,910 INFO [ ome.services.util.ServiceHandler] (l.Server-5) Excp: org.springframework.ldap.CommunicationException: ad.ufl.edu:636; nested exception is javax.naming.CommunicationException: ad.ufl.edu:636 [Root exception is java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)]
2012-08-02 08:49:36,910 ERROR [services.blitz.fire.PermissionsVerifierI] (l.Server-5) Exception thrown while checking password for:jlbryants
ome.conditions.InternalException: Wrapped Exception: (org.springframework.ldap.CommunicationException):
ad.ufl.edu:636; nested exception is javax.naming.CommunicationException: ad.ufl.edu:636 [Root exception is java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)]
at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:98)
at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:266)
at org.springframework.ldap.core.support.AbstractContextSource.getContext(AbstractContextSource.java:106)
at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:125)
at sun.reflect.GeneratedMethodAccessor317.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:196)
at $Proxy59.getReadOnlyContext(Unknown Source)
at ome.logic.LdapImpl.getBase(LdapImpl.java:571)
at ome.logic.LdapImpl.getContextMapper(LdapImpl.java:528)
at ome.logic.LdapImpl.findDN(LdapImpl.java:168)
at ome.security.auth.LdapPasswordProvider.getLdapDN(LdapPasswordProvider.java:180)
at ome.security.auth.LdapPasswordProvider.checkPassword(LdapPasswordProvider.java:134)
at ome.security.auth.PasswordProviders.checkPassword(PasswordProviders.java:42)
at ome.logic.AdminImpl.checkPassword(AdminImpl.java:1194)
at ome.services.sessions.SessionManagerImpl$9.doWork(SessionManagerImpl.java:978)
at sun.reflect.GeneratedMethodAccessor272.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
at ome.services.util.Executor$Impl$Interceptor.invoke(Executor.java:440)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at ome.security.basic.EventHandler.invoke(EventHandler.java:150)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.orm.hibernate3.HibernateInterceptor.invoke(HibernateInterceptor.java:111)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:108)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at ome.tools.hibernate.ProxyCleanupFilter$Interceptor.invoke(ProxyCleanupFilter.java:231)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at ome.services.util.ServiceHandler.invoke(ServiceHandler.java:116)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
at $Proxy64.doWork(Unknown Source)
at ome.services.util.Executor$Impl.execute(Executor.java:371)
at ome.services.sessions.SessionManagerImpl.executeCheckPasswordRW(SessionManagerImpl.java:973)
at ome.services.sessions.SessionManagerImpl.executeCheckPassword(SessionManagerImpl.java:945)
at ome.services.sessions.SessionManagerImpl.executePasswordCheck(SessionManagerImpl.java:920)
at ome.services.blitz.fire.PermissionsVerifierI.checkPermissions(PermissionsVerifierI.java:135)
at Glacier2._PermissionsVerifierDisp.___checkPermissions(_PermissionsVerifierDisp.java:90)
at Glacier2._PermissionsVerifierDisp.__dispatch(_PermissionsVerifierDisp.java:118)
at IceInternal.Incoming.invoke(Incoming.java:159)
at Ice.ConnectionI.invokeAll(ConnectionI.java:2037)
at Ice.ConnectionI.message(ConnectionI.java:972)
at IceInternal.ThreadPool.run(ThreadPool.java:577)
at IceInternal.ThreadPool.access$100(ThreadPool.java:12)
at IceInternal.ThreadPool$EventHandlerThread.run(ThreadPool.java:971)
jlbryants
 
Posts: 25
Joined: Mon Apr 09, 2012 8:36 pm

Re: Changing to secure ldap authentication

Postby cxallan » Fri Aug 03, 2012 12:42 pm

Unless you really have installed OMERO as "user", just copying those variables verbatim is not going to work. You have to specify the correct path based on the user you're running OMERO.server as.
cxallan
Site Admin
 
Posts: 509
Joined: Fri May 01, 2009 8:07 am
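An added pre-flight script for the change Chris describes; it is not code from the OMERO project or from either poster. The stack trace in the thread shows the JVM's DefaultSSLContextImpl trying to open /home/user/.mystore, i.e. the path OMERO passed through as javax.net.ssl.keyStore, which is why a path that is wrong for the service user only fails at the first LDAP login. The script checks that every omero.security.*Store path resolves to a file the invoking user can read, and, when run with `apply`, builds a dedicated truststore for the directory's issuing CA with keytool, verifies the LDAPS chain with openssl s_client, and sets the properties with bin/omero config set. Two points the thread's configuration does not make explicit: the JVM keystore holds the client's own certificate and is only needed if the directory demands one, so it is left unset here; the truststore is what verifies the server. The service user omero, the host ldap.example.org, the truststore location and alias, and the script name ldaps-preflight.sh are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example; not code from the OMERO project or from either poster.
# Pre-flight for the omero.security.* store settings before switching
# omero.ldap.urls to ldaps://. The JVM opens javax.net.ssl.keyStore and
# javax.net.ssl.trustStore only when the first TLS socket is created, so a
# bad path surfaces at the first LDAP login, as the FileNotFoundException
# in the thread did. Assumed, not from the thread: the service user name,
# the LDAP host, the truststore location and alias, the script name.

OMERO_USER=${OMERO_USER:-omero}               # assumed service account
LDAP_HOST=${LDAP_HOST:-ldap.example.org}      # placeholder, not ad.ufl.edu
LDAP_PORT=${LDAP_PORT:-636}

# root_cause: read a Java stack trace on stdin and print the innermost
# "Caused by:" line. That last link in the chain is the fault to fix
# (in the thread: the missing keystore file, not the
# NoSuchAlgorithmException that wraps it).
root_cause() {
    grep '^Caused by: ' | tail -n 1 | sed 's/^Caused by: //'
}

# check_store PATH: 0 if PATH is a readable regular file for the invoking
# user, 1 otherwise. Run the script as the service user, e.g.
#   sudo -u "$OMERO_USER" sh ldaps-preflight.sh
# so the readability test matches what the server's JVM will see.
check_store() {
    [ -n "$1" ] && [ -f "$1" ] && [ -r "$1" ]
}

# validate_config: read key=value lines on stdin (the format that
# `bin/omero config get` prints) and check every store path present.
# Prints one line per problem; the exit status is the number of problems.
validate_config() {
    problems=0
    while IFS='=' read -r key value; do
        case "$key" in
            omero.security.keyStore|omero.security.trustStore)
                if ! check_store "$value"; then
                    echo "MISSING: $key=$value is not a readable file"
                    problems=$((problems + 1))
                fi ;;
        esac
    done
    return "$problems"
}

if [ "$1" = apply ]; then
    # Network and OMERO CLI steps; run as the service user with:
    #   sh ldaps-preflight.sh apply /path/to/directory-ca.pem
    CA_PEM=$2
    STORE=/opt/omero/ldap-truststore.jks      # assumed location
    STOREPASS=$(head -c 24 /dev/urandom | base64 | tr -d '/+=')

    # 1. A dedicated truststore holding only the directory's issuing CA.
    keytool -importcert -noprompt -alias directory-ca -file "$CA_PEM" \
        -keystore "$STORE" -storepass "$STOREPASS"
    chmod 0400 "$STORE"

    # 2. Confirm the server's chain verifies against that CA before
    #    touching OMERO; look for "Verify return code: 0 (ok)".
    openssl s_client -connect "$LDAP_HOST:$LDAP_PORT" -CAfile "$CA_PEM" \
        </dev/null 2>/dev/null | grep 'Verify return code'

    # 3. Point OMERO.server at the truststore. No keyStore is set: the
    #    JVM keystore holds a client certificate and is only needed if
    #    the directory demands one.
    bin/omero config set omero.ldap.urls "ldaps://$LDAP_HOST:$LDAP_PORT"
    bin/omero config set omero.security.trustStore "$STORE"
    bin/omero config set omero.security.trustStorePassword "$STOREPASS"

    # 4. Re-check the paths with the live configuration.
    bin/omero config get | validate_config && echo "store paths OK"
else
    # Stand-alone run: exercise the checker on a constructed configuration
    # shaped like the one in the thread, with a temporary file as the
    # truststore and the thread's non-existent keystore path.
    tmp=$(mktemp)
    n=0
    printf '%s\n' "omero.security.keyStore=/home/user/.mystore" \
                  "omero.security.trustStore=$tmp" | validate_config || n=$?
    echo "problems found: $n"
    rm -f "$tmp"
fi
```

Run without arguments the script reports one problem, the keystore path that does not exist for the service user. Because bin/omero config writes the store password into etc/grid/config.xml, keep that file readable only by the service user, and keep the truststore limited to the directory's issuing CA rather than the JVM's whole cacerts bundle so that no unrelated public CA can issue a certificate OMERO would accept for the LDAP host.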

Re: Changing to secure ldap authentication

Postby jlbryants » Mon Aug 06, 2012 6:00 pm

Thanks for your help Chris. We have it up. The path was not correct as you surmised.
jlbryants
 
Posts: 25
Joined: Mon Apr 09, 2012 8:36 pm

Re: Changing to secure ldap authentication

Postby cxallan » Mon Aug 06, 2012 6:52 pm

jlbryants wrote: Thanks for your help Chris. We have it up. The path was not correct as you surmised.

Perfect. Happy to help.
cxallan
Site Admin
 
Posts: 509
Joined: Fri May 01, 2009 8:07 am
