OMERO server LDAP problems

Hello,

we have a fresh installation of OMERO.server and web 5.6 running on a CentOS 7 machine. The installation followed the instructions found in the online documentation.
Now I am trying to get LDAP up and running. The problem is that it works for some users whereas it does not work for others. In the log file Blitz-0.log I can see error messages regarding this issue.

[        ome.services.util.ServiceHandler] (.Server-45)  Executor.doWork -- ome.services.sessions.SessionManagerImpl.executeCheckPasswordRO[xyz_user]
[        ome.services.util.ServiceHandler] (.Server-45)  Args:	[null, InternalSF@75867593]
[         ome.security.basic.EventHandler] (.Server-45)  Auth: user=0,group=0,event=null(Sessions),sess=10cbe9ca-5215-48de-a31c-344654e8fb13
[                 org.perf4j.TimingLogger] (.Server-45) start[1580304727487] time[7] tag[omero.call.success.ome.services.sessions.SessionManagerImpl$8.doWork]
[        ome.services.util.ServiceHandler] (.Server-45)  Rslt:	null
[        ome.services.util.ServiceHandler] (.Server-45)  Executor.doWork -- ome.services.sessions.SessionManagerImpl.executeCheckPasswordRW[xyz_user]
[        ome.services.util.ServiceHandler] (.Server-45)  Args:	[null, InternalSF@75867593]
[         ome.security.basic.EventHandler] (.Server-45)  Auth:	user=0,group=0,event=211553(Sessions),sess=10cbe9ca-5215-48de-a31c-344654e8fb13
[ome.services.sessions.state.SessionCache] (1-thread-2) Synchronizing session cache. Count = 1
[        ome.services.util.ServiceHandler] (1-thread-2)  Executor.doWork -- ome.services.sessions.SessionManagerImpl.reload[10cbe9ca-5215-48de-a31c-344654e8fb13]
[        ome.services.util.ServiceHandler] (1-thread-2)  Args:	[null, InternalSF@75867593]
[         ome.security.basic.EventHandler] (1-thread-2)  Auth:	user=0,group=0,event=null(Sessions),sess=10cbe9ca-5215-48de-a31c-344654e8fb13
[                 org.perf4j.TimingLogger] (1-thread-2) start[1580304737942] time[22] tag[omero.call.success.ome.services.sessions.SessionManagerImpl$6.doWork]
[        ome.services.util.ServiceHandler] (1-thread-2)  Rslt:	(ome.model.meta.Experimenter:Id_0, ome.model.meta.ExperimenterGroup:Id_0, (ome.model.enums.AdminPrivilege:DeleteScriptRepo:Hash_-618986919, ome.model.enums.AdminPrivilege:ReadSession:Hash_1205045073, ome.model.enums.AdminPrivilege:ModifyUser:Hash_1496496918, ... 12 more), ... 5 more)
[                 org.perf4j.TimingLogger] (1-thread-2) start[1580304737942] time[23] tag[omero.sessions.synchronization]
[ome.services.sessions.state.SessionCache] (1-thread-2) Synchronization took 23 ms.
[  ome.security.auth.LdapPasswordProvider] (.Server-45) Default choice on create user: xyz_user (ome.conditions.ApiUsageException: Cannot find unique user DistinguishedName: found=2 (xyz_user))
[                     ome.logic.AdminImpl] (.Server-45) Password provider returned null: ome.security.auth.PasswordProviders@70b53f71
[                 org.perf4j.TimingLogger] (.Server-45) start[1580304727495] time[15526] tag[omero.call.success.ome.services.sessions.SessionManagerImpl$9.doWork]
[        ome.services.util.ServiceHandler] (.Server-45)  Rslt:	false
[        ome.services.util.ServiceHandler] (.Server-45) Method interface ome.services.util.Executor$Work.doWork invocation took 15526
[        ome.services.util.ServiceHandler] (.Server-45)  Executor.doWork -- java.lang.String.xyz_user[]
[        ome.services.util.ServiceHandler] (.Server-45)  Args:	[null, InternalSF@75867593]
[         ome.security.basic.EventHandler] (.Server-45)  Auth:	user=0,group=0,event=null(Internal),sess=10cbe9ca-5215-48de-a31c-344654e8fb13
[                 org.perf4j.TimingLogger] (.Server-45) start[1580304743023] time[9] tag[omero.call.success.ome.services.blitz.fire.PermissionsVerifierI$1.doWork]
[        ome.services.util.ServiceHandler] (.Server-45)  Rslt:	null
[        ome.services.util.ServiceHandler] (.Server-46)  Executor.doWork -- ome.services.sessions.SessionManagerImpl.executeCheckPasswordRO[xyz_user]
[        ome.services.util.ServiceHandler] (.Server-46)  Args:	[null, InternalSF@75867593]
[         ome.security.basic.EventHandler] (.Server-46)  Auth:	user=0,group=0,event=null(Sessions),sess=10cbe9ca-5215-48de-a31c-344654e8fb13
[                 org.perf4j.TimingLogger] (.Server-46) start[1580304743044] time[2] tag[omero.call.success.ome.services.sessions.SessionManagerImpl$8.doWork]
[        ome.services.util.ServiceHandler] (.Server-46)  Rslt:	null
[        ome.services.util.ServiceHandler] (.Server-46)  Executor.doWork -- ome.services.sessions.SessionManagerImpl.executeCheckPasswordRW[xyz_user]
[        ome.services.util.ServiceHandler] (.Server-46)  Args:	[null, InternalSF@75867593]
[         ome.security.basic.EventHandler] (.Server-46)  Auth:	user=0,group=0,event=211554(Sessions),sess=10cbe9ca-5215-48de-a31c-344654e8fb13
[  ome.security.auth.LdapPasswordProvider] (.Server-46) Default choice on create user: xyz_user (ome.conditions.ApiUsageException: Cannot find unique user DistinguishedName: found=2 (xyz_user))
[                     ome.logic.AdminImpl] (.Server-46) Password provider returned null: ome.security.auth.PasswordProviders@70b53f71

When looking into OMEROweb.log I see the following:

[                           omero.gateway] (proc.11196) connect():2167 Connect attempt, sUuid=None, group=None, self.sUuid=None
[                           omero.gateway] (proc.11196) connect():2227 Creating Session...
[                           omero.gateway] (proc.11196) _createProxies():2001 ## Creating proxies
[                     omero.gateway.utils] (proc.11196) __setitem__():92 Setting 'omero.client.uuid' to 'ed017de1-7523-437f-bbe1-030879bd0cb6'
[                     omero.gateway.utils] (proc.11196) __setitem__():92 Setting 'omero.session.uuid' to '5c0f2a42-793e-4f2d-aa6b-6f2ef7f4aad0'
[                     omero.gateway.utils] (proc.11196) setOmeroGroup():149 Key 'omero.group' not found in <ServiceOptsDict: {'omero.client.uuid': 'ed017de1-7523-437f-bbe1-030879bd0cb6', 'omero.session.uuid': '5c0f2a42-793e-4f2d-aa6b-6f2ef7f4aad0'}>
[                     omero.gateway.utils] (proc.11196) setOmeroUser():161 Key 'omero.user' not found in <ServiceOptsDict: {'omero.client.uuid': 'ed017de1-7523-437f-bbe1-030879bd0cb6', 'omero.session.uuid': '5c0f2a42-793e-4f2d-aa6b-6f2ef7f4aad0'}>
[                           omero.gateway] (proc.11196) connect():2229 Session created
[                           omero.gateway] (proc.11196) _createProxies():1997 ## Reusing proxies
[                           omero.gateway] (proc.11196) connect():2273 created connection (uuid=5c0f2a42-793e-4f2d-aa6b-6f2ef7f4aad0)
[                           omero.gateway] (proc.11196) connect():2285 .. connected!
[                      omeroweb.connector] (proc.11196) create_guest_connection():188 Successfully created a guest connection.
[                      omeroweb.connector] (proc.11196) check_version():241 Client version: '['5', '6', '1']'; Server version: '['5', '6', '0']'
[                           omero.gateway] (proc.11196) close():1986 closed connection (uuid=5c0f2a42-793e-4f2d-aa6b-6f2ef7f4aad0)
[                           omero.gateway] (proc.11196) _resetOmeroClient():2125 localhost
[                           omero.gateway] (proc.11196) _resetOmeroClient():2126 4064
[                           omero.gateway] (proc.11196) _resetOmeroClient():2127 []
[                           omero.gateway] (proc.11196) connect():2167 Connect attempt, sUuid=None, group=None, self.sUuid=None
[                           omero.gateway] (proc.11196) connect():2227 Creating Session...
[                           omero.gateway] (proc.11196) connect():2262 Failed to create session.
[                           omero.gateway] (proc.11196) connect():2265 BlitzGateway.connect().createSession(): Traceback (most recent call last):
  File "/opt/omero/venv_web/lib64/python3.6/site-packages/omero/gateway/__init__.py", line 2228, in connect
    self._createSession()
  File "/opt/omero/venv_web/lib64/python3.6/site-packages/omero/gateway/__init__.py", line 2088, in _createSession
    self._ic_props[omero.constants.PASSWORD])
  File "/opt/omero/venv_web/lib64/python3.6/site-packages/omero/clients.py", line 653, in createSession
    prx = rtr.createSession(username, password, ctx)
  File "/opt/omero/venv_web/lib64/python3.6/site-packages/Glacier2_Router_ice.py", line 258, in createSession
    return _M_Glacier2.Router._op_createSession.invoke(self, ((userId, password), _ctx))
Glacier2.PermissionDeniedException: exception ::Glacier2::PermissionDeniedException
{
    reason = Password check failed for 'xyz_user': []
}

[                           omero.gateway] (proc.11196) connect():2282 connect(): Traceback (most recent call last):
  File "/opt/omero/venv_web/lib64/python3.6/site-packages/omero/gateway/__init__.py", line 2267, in connect
    self._createSession()
  File "/opt/omero/venv_web/lib64/python3.6/site-packages/omero/gateway/__init__.py", line 2088, in _createSession
    self._ic_props[omero.constants.PASSWORD])
  File "/opt/omero/venv_web/lib64/python3.6/site-packages/omero/clients.py", line 653, in createSession
    prx = rtr.createSession(username, password, ctx)
  File "/opt/omero/venv_web/lib64/python3.6/site-packages/Glacier2_Router_ice.py", line 258, in createSession
    return _M_Glacier2.Router._op_createSession.invoke(self, ((userId, password), _ctx))
Glacier2.PermissionDeniedException: exception ::Glacier2::PermissionDeniedException
{
    reason = Password check failed for 'xyz_user': []
}

2020-01-29 13:42:44,025  INFO [                           omero.gateway] (proc.11196) close():1986 closed connection (uuid=None)

The LDAP configuration is as follows:

omero.ldap.base=dc=xyz_domain,dc=de
omero.ldap.config=true
omero.ldap.new_user_group=Demo
omero.ldap.password=********
omero.ldap.referral=follow
omero.ldap.urls=ldap://xyz_domain.de
omero.ldap.user_mapping=omeName=cn,firstName=givenName,lastName=sn,email=mail
omero.ldap.username=cn=bind_user,ou=Projekt-Benutzer,dc=xyz_domain,dc=de

The password used is correct, as it works when using LDAP commands on the command line.
Strangely, the same configuration works for some users and not for others. I issued an ldapsearch for working and non-working accounts, but I couldn’t find any significant difference that could explain the problem.

We had the same issue already with OMERO server 5.4 / 5.5 and I couldn’t get it to work.
Hopefully someone can help me out and solve this issue.

Best regards
Christian

PS: In the OMEROweb.log there are tons of errors from django.template where it cannot resolve many variables. That’s not a serious problem, right?

Judging from:

[  ome.security.auth.LdapPasswordProvider] (.Server-46) Default choice on create user: xyz_user (ome.conditions.ApiUsageException: Cannot find unique user DistinguishedName: found=2 (xyz_user))

I’d say that some query for user xyz_user should be returning two distinct DNs and OMERO can’t choose between them. If you can’t find a query that shows you the two entries, we could look at an LDIF dump if you could provide one.

It’s certainly not related to your LDAP issues, but you might want to open a separate thread on the forums so that that issue can be cleared up as well.

~Josh
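To make the failure Josh is pointing at concrete, here is an added example (my own code, not OMERO's) that does three things: builds the kind of username-to-DN search filter a password provider derives from the posted `omero.ldap.user_mapping` (the `omeName=cn` part), runs the uniqueness rule against a small constructed directory in which `xyz_user` exists twice under the posted base, and extracts the `found=N (user)` events from Blitz-0.log. Assumptions, beyond what the thread shows: the `(objectClass=person)` user filter is OMERO's documented default and is not on the page; the second OU (`ou=Alt`) and all entry contents are constructed; and the attribute matcher only handles the `(&(objectClass=person)(cn=...))` filter shape rather than full LDAP filter syntax. The RFC 4515 escaping is there because the login name is attacker-controlled input to the search filter.

```python
"""Added example (not OMERO's own code): simulate the username -> DN lookup an LDAP
password provider performs, and pull 'Cannot find unique user' events out of Blitz-0.log.
All directory entries below are constructed for illustration."""
import re
from dataclasses import dataclass, field

# From the posted configuration. omero.ldap.user_filter is not on the page;
# "(objectClass=person)" is OMERO's documented default and is assumed here.
USER_MAPPING = "omeName=cn,firstName=givenName,lastName=sn,email=mail"
USER_FILTER = "(objectClass=person)"
BASE = "dc=xyz_domain,dc=de"

# RFC 4515 escapes: a login name must never be able to rewrite the search filter.
_RFC4515 = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_RFC4515.get(ch, ch) for ch in value)


def login_attribute(user_mapping: str = USER_MAPPING) -> str:
    """The LDAP attribute mapped to omeName (cn in the posted config)."""
    mapping = dict(pair.split("=", 1) for pair in user_mapping.split(","))
    return mapping["omeName"]


def build_user_filter(username: str, user_mapping: str = USER_MAPPING,
                      user_filter: str = USER_FILTER) -> str:
    """Filter a provider would send: user_filter AND (login_attr=<escaped name>)."""
    attr = login_attribute(user_mapping)
    return f"(&{user_filter}({attr}={escape_filter_value(username)}))"


@dataclass(frozen=True)
class Entry:
    dn: str
    attrs: dict = field(default_factory=dict)


# Constructed directory: abc_user is unique, xyz_user exists under two OUs of the
# posted base, and a same-named entry outside the base must be ignored.
DIRECTORY = [
    Entry("cn=abc_user,ou=Projekt-Benutzer,dc=xyz_domain,dc=de",
          {"objectClass": ["person"], "cn": ["abc_user"], "mail": ["abc@xyz_domain.de"]}),
    Entry("cn=xyz_user,ou=Projekt-Benutzer,dc=xyz_domain,dc=de",
          {"objectClass": ["person"], "cn": ["xyz_user"], "mail": ["xyz@xyz_domain.de"]}),
    Entry("cn=xyz_user,ou=Alt,dc=xyz_domain,dc=de",          # constructed duplicate
          {"objectClass": ["person"], "cn": ["xyz_user"]}),
    Entry("cn=xyz_user,dc=other_domain,dc=de",               # outside omero.ldap.base
          {"objectClass": ["person"], "cn": ["xyz_user"]}),
]


def matching_dns(username: str, entries, user_mapping: str = USER_MAPPING,
                 base: str = BASE) -> list:
    """Entries under `base` that satisfy (&(objectClass=person)(<attr>=username)).
    cn is a caseIgnore attribute in LDAP, so the comparison is case-insensitive."""
    attr = login_attribute(user_mapping)
    return [
        e.dn for e in entries
        if e.dn.lower().endswith(base.lower())
        and any(v.lower() == "person" for v in e.attrs.get("objectClass", []))
        and any(v.lower() == username.lower() for v in e.attrs.get(attr, []))
    ]


def diagnose(username: str, entries=DIRECTORY) -> dict:
    """Uniqueness rule: exactly one DN may match, otherwise the login cannot proceed.
    Returns {'dn': ...} on success or {'error': ..., 'found': N} on failure."""
    dns = matching_dns(username, entries)
    if len(dns) != 1:
        return {"error": f"Cannot find unique user DistinguishedName: found={len(dns)} ({username})",
                "found": len(dns), "candidates": dns}
    return {"dn": dns[0]}


# Two log lines copied from the Blitz-0.log excerpt in the post.
SAMPLE_LOG = """\
[  ome.security.auth.LdapPasswordProvider] (.Server-45) Default choice on create user: xyz_user (ome.conditions.ApiUsageException: Cannot find unique user DistinguishedName: found=2 (xyz_user))
[                     ome.logic.AdminImpl] (.Server-45) Password provider returned null: ome.security.auth.PasswordProviders@70b53f71
[  ome.security.auth.LdapPasswordProvider] (.Server-46) Default choice on create user: xyz_user (ome.conditions.ApiUsageException: Cannot find unique user DistinguishedName: found=2 (xyz_user))
"""
_LOG_RE = re.compile(r"Cannot find unique user DistinguishedName: found=(\d+) \(([^)]+)\)")


def parse_ldap_errors(log_text: str) -> list:
    """Return (username, found) for every non-unique-DN event in a Blitz log."""
    return [(m.group(2), int(m.group(1))) for m in _LOG_RE.finditer(log_text)]


if __name__ == "__main__":
    for user in ("abc_user", "xyz_user"):
        print(build_user_filter(user), "->", diagnose(user))
    print("log events:", parse_ldap_errors(SAMPLE_LOG))
```

Running it against a real directory means replacing `DIRECTORY` with the result of an `ldapsearch -b dc=xyz_domain,dc=de` for the filter that `build_user_filter` prints; if that search returns two DNs for a failing account and one for a working one, the difference Christian was looking for is the second entry's location, not its attributes.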

Hi,

Sorry for the late reply. I was not in my office for one and a half weeks.
Unfortunately I cannot reproduce the problem with our current installation. Hence I can’t provide LDIF dumps from a working and a non-working account.
I can only guess that the problem occurred due to our testing with LDAP settings. We have two domains running and we tried both on the same server.
On the 30th of January we made a fresh installation and up to now LDAP is working for all users.

I think the thread can be closed.
If the problem reoccurs i will come back here.

~Christian

Thanks for letting us know!
~Josh