Existing users cannot log in anymore after a re-installation


Pieter van Vliet

Aug 28, 2025, 9:22:14 AM
to xnat_discussion
Hello all,

Because the OS was EOL, we did a reinstall with AlmaLinux 8.
We were running XNAT 1.8.X and we reinstalled the latest XNAT 1.8.10.5.

We are using:
- LDAP plugin for authentication against our AD controller
- PostgreSQL database on a separate server (no change here)
- (Pre)Archive, etc. (DICOM, etc.) on separate NFS storage.

After the installation, existing users cannot log in anymore.
We see:

===
Registration Received

Thank you for your interest in our site. Your user account will be reviewed and enabled by the site administrator.
When this is complete, you will receive an email inviting you to login to the site.
===

In the log file we see:

- username XX.XXX.XXX.XX POST Authentication "Mozilla/5.0 (X11; Linux x86_64; rv:142.0) Gecko/20100101 Firefox/142.0" FAILED (NewAutoAccountNotAutoEnabledException): Successful first-time authentication via LDAP, but accounts are not auto.enabled or email verification required.  We'll treat this the same as we would a user registration

===

The LDAP (1.2.1) plugin config:

/data/xnat/home/config/auth/ldap-provider.properties
name=LDAP
provider.id=ldap
auth.method=ldap
auto.enabled=true
auto.verified=true
address=ldap://example.nl
userdn=cn=ldapbrowse,cn=Users,dc=example,dc=nl
password=xxxxxxxxxxx
search.base=dc=example,dc=nl
search.filter=(sAMAccountName={0})
visible=true

Both settings:
auto.enabled=true
auto.verified=true

should give existing users access.

The LDAP connection is working as expected.
Users with a wrong username/password are denied.

LDAP connection is also tested with groovy:

===
groovy-4.0.27/bin/groovy 'jar:file:/data/xnat/home/plugins/ldap-auth-plugin-1.2.1.jar!/ValidateLdap.groovy' /data/xnat/home/config/auth/ldap1-provider.properties
Loading properties from /data/xnat/home/config/auth/ldap1-provider.properties

Address:       ldap://example.nl
User DN:       cn=ldapbrowse,cn=Users,dc=example,dc=nl
Password:      XXXXXXXXXXX
Search base:   dc=example,dc=nl
Search filter: (sAMAccountName={0})
Username:      XXXXXXXX
password:      XXXXXXXX

SLF4J(W): No SLF4J providers were found.
SLF4J(W): Defaulting to no-operation (NOP) logger implementation
SLF4J(W): See https://www.slf4j.org/codes.html#noProviders for further details.
Aug 26, 2025 12:49:59 PM org.springframework.security.ldap.DefaultSpringSecurityContextSource <init>
INFO:  URL 'ldap://example.nl', root DN is ''
Validating the binding user account 'cn=ldapbrowse' with search base 'cn=Users,dc=example,dc=nl'
Creating user search object with search base 'cn=Users,dc=example,dc=nl' and filter '(cn=ldapbrowse)
User 'cn=ldapbrowse' authentication state: true
Binding user 'cn=ldapbrowse' authenticated successfully, validating the user account 'XXXXXXXXX'
Creating user search object with search base 'dc=example,dc=nl' and filter '(sAMAccountName={0})
Aug 26, 2025 12:49:59 PM org.springframework.security.ldap.SpringSecurityLdapTemplate searchForSingleEntryInternal
INFO: Ignoring PartialResultException
User 'XXXXXXXXXX' authentication state: true
User 'XXXXXXXXXX' authenticated successfully
===

What is working:

The admin account (local database) can log in.
Within XNAT, we can see all the projects and all the registered users.
And:
GUI: Administer => Users => username: Verified [X] Enabled [X]

When we add a new user who does not exist in XNAT but does exist in LDAP, this user can successfully log in for the first time and can log in after the first time.
So it is an issue with current users.

We think there is an issue with the PostgreSQL database but we don't know where to look.
We also have updated to XNAT version 1.9.2.1 because we saw a bug fix related to LDAP, but the issue is still there.

We hope that you users/developers can give us a clue/solution as to what the problem is.

Regards,
Pieter

Timothy Olsen

Aug 28, 2025, 9:28:58 AM
to xnat_di...@googlegroups.com
Pieter,

We saw this on one of our client's systems the other day.  We ended up rolling back the version of the LDAP plugin to the prior release (1.2.0) and it resolved the issue.  

We think there was a change in 1.2.1 that is causing an issue in some configurations.

Tim

Timothy R Olsen 

Founder, President




Pieter van Vliet

Aug 29, 2025, 8:12:04 AM
to xnat_discussion
Hi Timothy,

Thanks for the info.
We will try this tomorrow and let you know.

Regards,
Pieter

Pieter van Vliet

Aug 29, 2025, 8:12:19 AM
to xnat_discussion
We have rolled back to LDAP plugin version 1.2.0:

Administer => Installed Plugins
Plugin Name: XNAT LDAP Authentication Provider Plugin
Plugin ID: xnat-ldap-auth-plugin
Plugin Version: 1.2.0

Unfortunately, the issue still exists:

"2025-08-29 13:43:32,408 - username XXX.XX.XX.XX POST Authentication "Mozilla/5.0 (X11; Linux x86_64; rv:142.0) Gecko/20100101 Firefox/142.0" FAILED (NewAutoAccountNotAutoEnabledException): Successful first-time authentication via LDAP, but accounts are not auto.enabled or email verification required.  We'll treat this the same as we would a user registration"

Existing users cannot log in.

When going through the log-files (tomcat, xnat, nginx), this is the only error we see, everything else looks fine.

We have multiple XNAT servers running but this is the only server with this issue.

Any thoughts on how we can debug it more thoroughly?

Thanks,
Pieter

Timothy Olsen

Aug 29, 2025, 10:01:13 AM
to xnat_di...@googlegroups.com
Does it affect all LDAP users or just some?
Tim

Timothy R Olsen 

Founder, President


Pieter van Vliet

Aug 29, 2025, 11:33:43 AM
to xnat_discussion

It affects all existing users (before the re-installation) in XNAT who authenticate against LDAP. (All users must authenticate against LDAP; only the admin is using the local database.)

New users added to XNAT after the re-installation have no problem. They are added, they can authenticate/log in without any issues.

In the admin interface => Users, all the users are there, the "old" ones and those who were added after installation.

Pieter

Timothy Olsen

Aug 29, 2025, 1:56:08 PM
to xnat_di...@googlegroups.com
It's hard to say what is going wrong there.  We have definitely seen that on systems with LDAP v1.2.1.  But, on the 2 systems where we encountered it, rolling back that plugin to 1.2.0 resolved the issue.  I think it had something to do with changes around capitalization, but we haven't nailed down the exact cause yet.

Shortest path to resolution might be to hop on a call and take a look at it.
https://calendly.com/timothyolsen/30min?back=1

Tim

Timothy R Olsen 

Founder, President
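
A triage sketch for the capitalization theory raised above, added as an example and not part of the original thread or of XNAT: it pulls the `NewAutoAccountNotAutoEnabledException` failures out of access-log lines in the format quoted in this thread and checks whether each login name matches an existing account exactly, only when case is ignored, or not at all. The user list, addresses and log lines are constructed; in practice the user list would be taken from Administer => Users.

```python
import re
from collections import defaultdict

TARGET = "NewAutoAccountNotAutoEnabledException"
# Access-log layout as quoted in this thread; the timestamp is optional
# because the first quoted line omits it.
LINE_RE = re.compile(
    r'(?:(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d+) )?- '
    r'(?P<user>\S+) (?P<ip>\S+) POST Authentication "[^"]*" '
    r'FAILED \((?P<exc>\w+)\)'
)

def classify(log_lines, known_usernames):
    """Return {login_name: (status, matching_accounts)} for TARGET failures.

    exact     - an account with exactly this name already exists
    case-only - an account exists that differs only in capitalization
    unknown   - no such account, i.e. a genuine first-time login
    """
    exact = set(known_usernames)
    folded = defaultdict(list)
    for name in known_usernames:
        folded[name.casefold()].append(name)
    result = {}
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m or m.group("exc") != TARGET:
            continue
        user = m.group("user")
        matches = folded.get(user.casefold(), [])
        status = "exact" if user in exact else "case-only" if matches else "unknown"
        result[user] = (status, matches)
    return result

# Constructed sample data: usernames and addresses are placeholders.
KNOWN_USERS = ["jdoe", "asmith", "admin"]
SAMPLE_LOG = [
    '2025-08-29 13:43:32,408 - JDoe 192.0.2.10 POST Authentication "Mozilla/5.0" '
    'FAILED (NewAutoAccountNotAutoEnabledException): Successful first-time authentication via LDAP',
    '- asmith 192.0.2.11 POST Authentication "Mozilla/5.0" '
    'FAILED (NewAutoAccountNotAutoEnabledException): Successful first-time authentication via LDAP',
    '2025-08-29 13:45:02,117 - newperson 192.0.2.12 POST Authentication "Mozilla/5.0" '
    'FAILED (NewAutoAccountNotAutoEnabledException): Successful first-time authentication via LDAP',
    '2025-08-29 13:46:40,903 - admin 192.0.2.13 POST Authentication "Mozilla/5.0" '
    'FAILED (ConstructedOtherException): ignored, not the exception of interest',
]

if __name__ == "__main__":
    for user, (status, matches) in classify(SAMPLE_LOG, KNOWN_USERS).items():
        print(f"{user:10} {status:10} {matches}")
```

A `case-only` result is consistent with the capitalization theory; an `exact` result means the login name itself is not the difference, so the cause lies elsewhere.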


