LDAP user in Read-only setup login not working #180

Open
pwalczysko opened this issue Jun 26, 2024 · 1 comment
Comments

@pwalczysko
Member

Have a Read-write (RW) and Read-only (RO) server connected to the same DB and omero.data.dir.

If in Docker or inside a container, the login of an EXISTING ldap user which was created successfully in the RW OMERO.server does not work on the RO OMERO.server. This is despite the fact that the RO server can see the DB correctly and can retrieve the details (whilst logged in as e.g. root) of the ldap user.
Note that this issue is not present when the server is running in a RHEL 9 Virtual Machine (VM) without containerization. Nevertheless, it is not known how to set up 2 OMERO servers in one VM without using Docker or other containerization, and thus this VM example setup is incomplete.

Concrete examples of the setup (all setups in containers below perform the same error/issue as described above and in the Workflow for "Server inside containers" below):

  1. deploy https://github.com/ome/docker-example-omero-readonly locally (done on Mac M1 with appropriate server docker image)
  2. see image.sc cases:
    2a. kubernetes
    2b. aws docker

Workflow:

Server inside containers:

  1. Spin up a RW & RO OMERO.servers inside docker containers. Configure both servers for ldap and verify that you can successfully create ldap users in the RW server.
  2. Verify in the RW server that you can log in as the newly created ldap users.
  3. Attempt to log in as the newly created ldap users in the RO server - observe error (see below) -> not expected. The user is created and visible in the DB of the RO server (the DB is shared with the RW server).
  4. Create a new non-ldap user in the RW server. Try to log in as the new non-ldap user into the RO server -> observe successful login (as expected).
  5. Reconfigure the RO server to RW. Restart the server -> observe that this does not allow the login of the ldap users either, the same error persists -> not expected.
  6. Reconfigure the RW server to RO. Restart the server -> observe that the ldap users which were previously able to log in to this server lose that ability -> not expected.

Server on a VM:

  1. Spin up a RW server with ldap config on a Virtual Machine (RHEL 9 VM).
  2. Create several ldap users and log in as those users -> success as expected.
  3. Reconfigure the RW server to be RO. Restart the server.
  4. Try to log in to the RO server as the ldap users created in the steps above -> observe successful login as expected.

Cmds and Errors (web, cli and Blitz log)

OMERO.web:
[Screenshot 2024-06-25 at 16:09:03 (image not included in this extract)]

OMERO.cli

bash-5.1$ /opt/omero/server/OMERO.server/bin/omero login -u PWalczysko
Server: [localhost:4064]
Password:
Internal error. Please contact your administrator:
This instance is read-only

From Blitz log after failed login:

2024-06-25 14:50:47,740 ERROR [     o.s.blitz.fire.PermissionsVerifierI] (l.Server-9) Exception thrown while checking password for:PWalczysko
ome.conditions.ApiUsageException: This instance is read-only
	at ome.security.basic.EventHandler.invoke(EventHandler.java:136)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
	at org.springframework.orm.hibernate3.HibernateInterceptor.invoke(HibernateInterceptor.java:119)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
	at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99)
	at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:282)
	at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
	at ome.tools.hibernate.ProxyCleanupFilter$Interceptor.invoke(ProxyCleanupFilter.java:249)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
	at ome.services.util.ServiceHandler.invoke(ServiceHandler.java:121)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213)
	at com.sun.proxy.$Proxy82.doWork(Unknown Source)
	at ome.services.util.Executor$Impl.execute(Executor.java:447)
	at ome.services.util.Executor$Impl.execute(Executor.java:392)
	at ome.services.sessions.SessionManagerImpl.executeCheckPasswordRW(SessionManagerImpl.java:1185)
	at ome.services.sessions.SessionManagerImpl.executeCheckPassword(SessionManagerImpl.java:1157)
	at ome.services.sessions.SessionManagerImpl.executePasswordCheck(SessionManagerImpl.java:1149)
	at ome.services.blitz.fire.PermissionsVerifierI.checkPermissions(PermissionsVerifierI.java:134)
	at Glacier2._PermissionsVerifierDisp.___checkPermissions(_PermissionsVerifierDisp.java:114)
	at Glacier2._PermissionsVerifierDisp.__dispatch(_PermissionsVerifierDisp.java:149)
	at IceInternal.Incoming.invoke(Incoming.java:221)
	at Ice.ConnectionI.invokeAll(ConnectionI.java:2536)
	at Ice.ConnectionI.dispatch(ConnectionI.java:1145)
	at Ice.ConnectionI.message(ConnectionI.java:1056)
	at IceInternal.ThreadPool.run(ThreadPool.java:395)
	at IceInternal.ThreadPool.access$300(ThreadPool.java:12)
	at IceInternal.ThreadPool$EventHandlerThread.run(ThreadPool.java:832)
	at java.base/java.lang.Thread.run(Thread.java:829)
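The Blitz trace above is the only place the failure mode is visible on the RO server: the password check for the ldap user reaches `SessionManagerImpl.executeCheckPasswordRW` and is rejected with `ApiUsageException: This instance is read-only`, while non-ldap users log in normally. The script below is an added example, not code from this issue or from the OMERO project. It scans Blitz log text for password checks rejected with that message, records whether the RW password-check frame appears in the trace, and counts rejections per account so an administrator can compare the affected accounts against the list of LDAP-backed users. The sample log is constructed: its first and third entries mirror the trace quoted in the issue, and the second entry uses a made-up exception name only to show that other password-check failures are ignored.

```python
"""Scan an OMERO Blitz log for logins rejected with "This instance is read-only".

Added example for this issue; not part of the OMERO code base. The header and
trace format is modelled on the log excerpt quoted in the issue; sample lines
are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

# Constructed sample log. Entries 1 and 3 mirror the issue's trace; entry 2 uses a
# placeholder exception name and exists only to show non-matching failures are skipped.
SAMPLE_LOG = """\
2024-06-25 14:50:47,740 ERROR [     o.s.blitz.fire.PermissionsVerifierI] (l.Server-9) Exception thrown while checking password for:PWalczysko
ome.conditions.ApiUsageException: This instance is read-only
\tat ome.security.basic.EventHandler.invoke(EventHandler.java:136)
\tat ome.services.sessions.SessionManagerImpl.executeCheckPasswordRW(SessionManagerImpl.java:1185)
\tat ome.services.sessions.SessionManagerImpl.executeCheckPassword(SessionManagerImpl.java:1157)
2024-06-25 14:51:30,002 ERROR [     o.s.blitz.fire.PermissionsVerifierI] (l.Server-4) Exception thrown while checking password for:localuser
ome.conditions.PlaceholderException: constructed entry, not a read-only rejection
\tat ome.security.basic.EventHandler.invoke(EventHandler.java:136)
2024-06-25 14:52:10,300 ERROR [     o.s.blitz.fire.PermissionsVerifierI] (l.Server-9) Exception thrown while checking password for:PWalczysko
ome.conditions.ApiUsageException: This instance is read-only
\tat ome.security.basic.EventHandler.invoke(EventHandler.java:136)
\tat ome.services.sessions.SessionManagerImpl.executeCheckPasswordRW(SessionManagerImpl.java:1185)
"""

# Header line written by PermissionsVerifierI when a password check throws.
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) ERROR "
    r"\[\s*o\.s\.blitz\.fire\.PermissionsVerifierI\] \((?P<thread>[^)]+)\) "
    r"Exception thrown while checking password for:(?P<user>\S+)$"
)
# Any timestamped line starts a new log entry and ends the current trace.
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
READ_ONLY_MSG = "This instance is read-only"
RW_CHECK_FRAME = "SessionManagerImpl.executeCheckPasswordRW"


@dataclass
class ReadOnlyLoginFailure:
    timestamp: str
    thread: str
    user: str
    via_rw_password_check: bool  # True if the RW password-check frame is in the trace


def find_read_only_login_failures(log_text: str) -> List[ReadOnlyLoginFailure]:
    """Return one record per password check rejected with the read-only error."""
    lines = log_text.splitlines()
    failures: List[ReadOnlyLoginFailure] = []
    i = 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if not m:
            i += 1
            continue
        # Gather the exception line and stack frames up to the next timestamped entry.
        j = i + 1
        block: List[str] = []
        while j < len(lines) and not TIMESTAMP_RE.match(lines[j]):
            block.append(lines[j])
            j += 1
        if block and READ_ONLY_MSG in block[0]:
            failures.append(ReadOnlyLoginFailure(
                timestamp=m.group("ts"),
                thread=m.group("thread"),
                user=m.group("user"),
                via_rw_password_check=any(RW_CHECK_FRAME in frame for frame in block[1:]),
            ))
        i = j
    return failures


def failures_per_user(failures: List[ReadOnlyLoginFailure]) -> Counter:
    """Count read-only rejections per account; compare the keys with your LDAP-backed users."""
    return Counter(f.user for f in failures)


if __name__ == "__main__":
    found = find_read_only_login_failures(SAMPLE_LOG)
    for f in found:
        print(f"{f.timestamp} user={f.user} thread={f.thread} rw_check={f.via_rw_password_check}")
    print(dict(failures_per_user(found)))
```

Run it against a real Blitz.log by reading the file into `find_read_only_login_failures`; if every rejected account is LDAP-backed and `via_rw_password_check` is set for each record, the RO server is following the same read-write password-check path described in this issue.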
@imagesc-bot

This issue has been mentioned on Image.sc Forum. There might be relevant details there:

https://forum.image.sc/t/issues-with-ldap-integration-with-omero-readonly-server/97572/20
