Getting started with OMERO and LDAP

Dear colleagues,
I am struggling with similar problems. The server works well for local users but no success on LDAP. I am using Debian 10.0 as the server and the ldap tools don’t build because of Java 11.xxx. I need to confirm the basic LDAP stuff first: running ldapsearch as the same user works and retrieves a user…

Hi @HeikoHafok. Welcome to image.sc!

Hmmm… I don’t know of a reason that they wouldn’t build. If you’d like to get this working, let’s start another topic.

Do you mean GitHub - glencoesoftware/omero-ldaptool: Command line tool for working with OMERO and LDAP ?

Sounds good. Can you share your LDAP configuration in OMERO? What would also help is an example of the LDAP entry for a user who is trying to login. Finally, have you seen exceptions in your log files?

All the best,
~Josh

Dear Josh,
thank you for helping me. Your first question:
I used the github download to get the ldap tools omero-ldaptool-master.zip.
Then I tried to run the installation procedure…

omero-server@postgress1:~/omero-ldaptool-master$ ./gradlew installDist

FAILURE: Build failed with an exception.

  • What went wrong:
    Could not determine java version from ‘11.0.9.1’.

  • Try:
    Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output.

  • Get more help at https://help.gradle.org

Dear Josh,
here is my basic LDAP configuration. I first tried it with an unsecured LDAP server. If this is running I want to switch to a server which uses ldaps… But here is now my first configuration:

omero config set omero.ldap.urls "ldap://myldapserver.xxx.fraunhofer.de"
omero config set omero.ldap.user_filter '(objectClass=person)'
omero config set omero.ldap.base "ou=dep,o=agency,c=DE"
omero config set omero.ldap.password
omero config set omero.ldap.username
omero config set omero.ldap.config "true"

I left out user_filter, set password and user to "", as this LDAP is not secured…
I checked LDAP on the OMERO server using ldapsearch:
ldapsearch -x -LLL -h myldapserver.xxx.fraunhofer.de -b "ou=dep,o=agency,c=de" -s sub "(objectClass=user)" | grep Doe

dn: cn=John Doe,ou=People,ou=dep,o=agency,c=DE
sn: Doe
cn: John Doe

just to check for network/port problem…

Gotcha. Please see Bump gradlew to 6.8.2 by joshmoore · Pull Request #1 · glencoesoftware/omero-ldaptool · GitHub. You can also try running gradle wrapper yourself to update the gradle version.

And the other properties from Configuration properties glossary — OMERO documentation are also present in the output from ldapsearch? (especially givenName)

~Josh

LDAP tools are there now. I had to delete gradle and gradlew, then re-create them with the new version using gradle wrapper again. After that ./gradlew installDist worked as planned.


Hi Josh,
that may be the problem: givenName is my forename,
what I would need would be the uid… But even with the givenName I don’t see any connection… My understanding is that it takes the login name, verifies the password against LDAP and creates a local user with a standard group, or connects the LDAP credentials with the same user? Maybe I misinterpret the documentation…

Hi Heiko,

can you share the full output of your John Doe user? What OMERO needs is to know how to map the existing fields for the LDAP entry into the OMERO database table. That’s what the user_mapping configuration setting does. If your fields are different from the default, then you’ll need to specify that property. For a bit more info, see:

https://docs.openmicroscopy.org/omero/5.6.3/sysadmins/server-ldap.html#user-lookup

~Josh

Hi Josh,
no problem. A little bit anonymized…
dn: cn=John Doe,ou=People,ou=myInstitute,o=agency,c=DE
loginShell: /bin/bash
homeDirectory: /home/jdoe
gidNumber: 999
uidNumber: 99999
personalTitle: Dr.
roomNumber: A 1.03
userCertificate;binary:: MIIF5TCCBM2gAwIBAgIMIjU/9WBl7Rm/L27CMA0GCSqGSIb3DQEBC
whYTRFJ1wg37nJiQsQlRuktGV/r6pRQaFTGIYB9
cO5QzOsceH1FBsdIyuf7T1znugjRQ+X6BalBn8P3aqxvJqvPvokkqO5CuSXf4X4pvbt5LdHWnGu6i
xkOVCVyEE4HRLH4qLXZy5iBQWUNv7tjlpskv9Lsg==
mail: myMAiladdress
uid: jdoe
givenName: Joe
title: Gruppenleitung
telephoneNumber: +49 xxx
sn: Doe
ou: myInstitute
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: Person
objectClass: ndsLoginProperties
objectClass: Top
objectClass: DirXML-PasswordSyncStatusUser
objectClass: posixAccount
objectClass: instituteUser
objectClass: DirXML-EntitlementRecipient
objectClass: DirXML-ApplicationAttrs
l: mylocation
groupMembership: cn=adminlinux,ou=Group,ou=myinstute,o=agency,c=DE
and others come here
cn: John Doe

How can I use the ldap-tool to verify this?
Hope this helps,

Heiko

Hi, one thing:
shouldn’t I see any .Ldap in the Blitz.log despite the configuration?
Heiko

In this case, omero-ldaptool cfg "John Doe" should find the user (where cfg is the output from the following command):

omero config get --show-password > cfg

~Josh

Hi Josh,
thank you very much, that seems to work. With this name I can log in via LDAP! Now I need to change the login name to the uid? Then I should be there…

Then you will need to set this in your OMERO server configuration:

omero.ldap.user_mapping=omeName=uid,firstName=givenName,lastName=sn,email=mail,institution=department,middleName=middleName

~Josh

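To see what omero.ldap.user_mapping does with an entry like the one Heiko posted, here is an added example (not from the thread, and not OMERO's own code): it parses an LDIF entry and applies both the default mapping (omeName=cn) and the uid mapping Josh suggests, which is why "John Doe" worked as a login before and "jdoe" works after. The LDIF entry, the mail address and the certificate blob are constructed; institution=ou is an assumption because the posted entry has no department attribute.

```python
import base64
from collections import defaultdict
# Constructed LDIF entry modelled on the anonymised one posted above; the
# certificate value is a made-up base64 blob folded over two lines.
SAMPLE_LDIF = """\
dn: cn=John Doe,ou=People,ou=myInstitute,o=agency,c=DE
userCertificate;binary:: AAEC
 AwQF
mail: jdoe@example.invalid
uid: jdoe
givenName: Joe
sn: Doe
ou: myInstitute
objectClass: inetOrgPerson
objectClass: posixAccount
cn: John Doe
"""
# OMERO's default mapping (omeName=cn) and the one Josh suggests (omeName=uid;
# institution=ou here because this entry has no department attribute).
DEFAULT_MAPPING = "omeName=cn,firstName=givenName,lastName=sn,email=mail,institution=department,middleName=middleName"
UID_MAPPING = "omeName=uid,firstName=givenName,lastName=sn,email=mail,institution=ou,middleName=middleName"


def parse_ldif_entry(text):
    """One LDIF entry -> {attribute (lower-cased): [values]}. Handles folded
    lines (leading space), base64 values ('::') and options like ';binary'."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:      # continuation of previous line
            unfolded[-1] += line[1:]
        elif line.strip():
            unfolded.append(line)
    entry = defaultdict(list)
    for line in unfolded:
        name, _, value = line.partition(":")
        if value.startswith(":"):                  # '::' marks a base64 value
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        entry[name.split(";", 1)[0].strip().lower()].append(value)
    return dict(entry)


def map_experimenter(entry, mapping):
    """Fill OMERO Experimenter fields per omero.ldap.user_mapping; missing -> None."""
    fields = {}
    for item in mapping.split(","):
        ome_field, _, ldap_attr = item.partition("=")
        values = entry.get(ldap_attr.strip().lower())
        fields[ome_field.strip()] = values[0] if values else None
    return fields
```

With the default mapping the login name comes out as the cn ("John Doe"); with omeName=uid it becomes "jdoe", matching what Heiko observed.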

Hi Josh,
this works fine now! Great job! I hope many benefit from this! Especially the omero-ldap-tool is great for debugging the server and should be included in the main distribution. It helped me a lot to get an understanding of what is going on.

But the journey has just started. Now I want to switch to the secure LDAP…
so I followed the steps from the docs. Can I use the ldap-tools also for this step? Normal access with this server does not work either. I created a config file:

omero.certificates.commonname=localhost
omero.certificates.key=server.key
omero.certificates.owner=/L=OMERO/O=OMERO.server
omero.data.dir=/omeroData
omero.db.name=omero_database
omero.db.pass=mypassword
omero.db.user=db_user
omero.glacier2.IceSSL.CAs=server.pem
omero.glacier2.IceSSL.CertFile=server.p12
omero.glacier2.IceSSL.Ciphers=HIGH
omero.glacier2.IceSSL.DefaultDir=/omeroData/certs
omero.glacier2.IceSSL.Password=secret
omero.glacier2.IceSSL.ProtocolVersionMax=TLS1_2
omero.glacier2.IceSSL.Protocols=TLS1_0,TLS1_1,TLS1_2
omero.ldap.base=ou=People,ou=myinsitute,dc=myinstitute,dc=agency,dc=de
omero.ldap.config=true
omero.ldap.password=mypassword
omero.ldap.urls=ldaps://myldapserver
omero.ldap.user.mapping=omeName=uid,firstName=givenName, lasName=sn,email=mail
omero.ldap.user_mapping=omeName=uid,firstName=givenName,lastName=sn,email=mail,institution=ou,middleName=middleName
omero.ldap.username=querypassword
omero.security.TrustStorePassword=secret

with this I see an exception in the simple bind:

org.springframework.ldap.CommunicationException: simple bind failed:

[Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

Maybe you have an idea how to proceed:

:+1:

Good question. I don’t know. It may require some modifications.

Can you tell us what steps you took to set up your trust store? e.g. did you follow https://docs.openmicroscopy.org/omero/5.6/sysadmins/server-security.html#java-key-and-truststores ?

~Josh

Hi Josh,
I followed the steps described in the link.

openssl s_client -connect {{host}}:{{port}} -prexit < /dev/null | openssl x509 -outform PEM | keytool -import -alias ldap -storepass {{password}} -keystore {{truststore}} -noprompt

Any way to verify this step?

At least a certificate is created. Afterwards I set the following config variables:

omero config set omero.security.trustStorePassword secret
omero config set omero.security.keyStore /home/omero-server/.keystore
omero config set omero.security.TrustStorePassword secret

I added then
omero config set omero.ports.prefix 1

Hi Heiko,

We don’t have anything built into OMERO. Looking around, this class at least worked for me: SSLPoke/SSLPoke.java at ea387ecf7fdde06be1af308c43cd8b041aff20bd · MichalHecko/SSLPoke · GitHub (Found via atlassian)

Omitting the package sk.mhecko.ssl; line:

openssl s_client -connect HOST:PORT -prexit < /dev/null | openssl x509 -outform PEM | keytool -import -alias ldap -storepass foobar -keystore /tmp/ks -noprompt
javac SSLPoke.java
java -Djavax.net.ssl.trustStore=/tmp/ks SSLPoke HOST PORT

omero.security.keyStorePassword seems to be missing.

I’d think this capitalization is wrong. (The other looks correct)

Keeping my fingers crossed!
~Josh

Yes I fixed this, but with no success so far…

omero config set omero.security.trustStorePassword secret
omero config set omero.security.keyStore /home/omero-server/.keystore
omero config set omero.security.keyStorePassword secret
omero config set omero.ports.prefix 1

And you are getting the same error as above (SSLHandshakeException: PKIX path building) and you tried the SSLPoke class?
~josh

Hi, the error is from ldap-tools, so I did not try this…
when I run the SSLPoke I get:

That seems rather similar… something fishy in the security setup, as if java does not find the keystore file or the certificate does not match…

omero-server@postgress1:~$ java -Djavax.net.ssl.trustStore=/home/omero-server/.keystore SSLPoke myssldap 3269
javax.net.ssl.SSLException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
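"the trustAnchors parameter must be non-empty" means Java ended up with a trust store holding no trusted certificates, which is what happens when the path in -Djavax.net.ssl.trustStore does not exist (Java then silently starts from an empty store) or the keytool import went into a different file than the one OMERO reads. The following is an added check, not from the thread or from OMERO: it parses keytool -list output and confirms a trustedCertEntry under the alias used in the import command ('ldap'); SAMPLE_LISTING is constructed, and the store path and password in a real call are whatever omero.security.keyStore and its password are set to.

```python
import os
import shutil
import subprocess

ENTRY_TYPES = {"trustedCertEntry", "PrivateKeyEntry", "SecretKeyEntry"}

# Constructed sample of `keytool -list` output for a store with one trusted
# certificate under the alias 'ldap' (the alias used in the import command above).
SAMPLE_LISTING = """\
Keystore type: PKCS12

Your keystore contains 1 entry

ldap, Feb 1, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
"""


def parse_keytool_list(listing):
    """{alias: entry type} from `keytool -list` output; dates contain commas
    themselves, so only the first and last comma-separated fields are used."""
    entries = {}
    for line in listing.splitlines():
        parts = [p.strip() for p in line.split(",") if p.strip()]
        if len(parts) >= 2 and parts[-1] in ENTRY_TYPES:
            entries[parts[0]] = parts[-1]
    return entries


def judge_entries(entries, alias):
    """(ok, reason): would Java get a non-empty trust-anchor set that includes `alias`?"""
    trusted = [a for a, t in entries.items() if t == "trustedCertEntry"]
    if not trusted:
        return False, "no trustedCertEntry: Java reports 'the trustAnchors parameter must be non-empty'"
    if alias not in trusted:
        return False, f"alias {alias!r} not among trusted entries {trusted}"
    return True, f"{alias!r} is a trusted certificate entry ({len(trusted)} in total)"


def check_truststore(path, password, alias="ldap"):
    """Run the checks against a real file: exists, opens with the password,
    contains the LDAP certificate. Returns (ok, reason)."""
    if not os.path.isfile(path):
        return False, f"{path} does not exist; Java then silently uses an empty trust store"
    if shutil.which("keytool") is None:
        return False, "keytool not on PATH (use the JDK that runs OMERO)"
    proc = subprocess.run(["keytool", "-list", "-keystore", path, "-storepass", password],
                          capture_output=True, text=True)
    if proc.returncode != 0:                      # e.g. wrong store password
        return False, (proc.stderr or proc.stdout).strip()
    return judge_entries(parse_keytool_list(proc.stdout), alias)
```

Run it as the omero-server user with the same JDK that starts OMERO, e.g. check_truststore("/home/omero-server/.keystore", "secret"), so that file permissions and the keytool version match what the server sees.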