Hi Nicola,

 

Again I appreciate your help Nicola.  I dropped the database and created new one and then I restarted galaxy.  Once galaxy is up then I went to the login page and used the username without the @example.com part as you suggested.  Now I got a different error as shown below.  Something to do with the ldap_ad.py file.  Is there anything I need to add to this file?  Or this is because of my configuration file?

 

galaxy.auth.providers.ldap_ad ERROR 2017-11-13 14:55:50,929 LDAP authenticate: search exception

Traceback (most recent call last):

  File "/gpfs/home/gal_admin/galaxy/lib/galaxy/auth/providers/ldap_ad.py", line 126, in authenticate

    l = ldap.initialize(_get_subs(options, 'server', params))

  File "/gpfs/home/gal_admin/galaxy/.venv/lib/python2.7/site-packages/ldap/functions.py", line 94, in initialize

    return LDAPObject(uri,trace_level,trace_file,trace_stack_limit)

  File "/gpfs/home/gal_admin/galaxy/.venv/lib/python2.7/site-packages/ldap/ldapobject.py", line 79, in __init__

    self._l = ldap.functions._ldap_function_call(ldap._ldap_module_lock,_ldap.initialize,uri)

  File "/gpfs/home/gal_admin/galaxy/.venv/lib/python2.7/site-packages/ldap/functions.py", line 66, in _ldap_function_call

    result = func(*args,**kwargs)

LDAPError: (2, 'No such file or directory')

galaxy.auth DEBUG 2017-11-13 14:55:50,931 Email: , Username , stopping due to failed non-continue

 

Hakeem Almabrazi

Senior Software Architect

 

Sidra Medical and Research Center

Out-Patient Clinic

PO Box 26999 , Al Luqta Street 
Education City North Campus
Qatar Foundation

Tel:+974-4003-7458 (ext:37458)  | Mobile: +974-7479-4201

halmabrazi@sidra.org |  www.sidra.org

 Description: C:\Users\fgenevieve\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\O53SYTUP\Sidra-Logo-Member of QF Short.PNG

 

 

From: Nicola Soranzo [mailto:nicola.soranzo@gmail.com] On Behalf Of Nicola Soranzo
Sent: Monday, November 13, 2017 1:17 PM
To: Hakeem Almabrazi; galaxy-dev@lists.galaxyproject.org
Subject: Re: [galaxy-dev] Active Directory Authentication question

 

Hi Hakeem,
since you are using:

<login-use-username>True</login-use-username>

you need to use your username without the "@mydomain.com" for the first login. After the first successful login, Galaxy will store the email associated to your username on the AD server in its user database and you will be able to use it as an alternative to your username to login.

Cheers,
Nicola

On 12/11/17 10:46, Hakeem Almabrazi wrote:

HI Nicola,

 

Thank you for your response.  I have added your suggestions but still I am getting the same error; the username is None if I used the username@domian.com as a login in the login page.  Here is the error log I keep getting. 

 

galaxy.webapps.galaxy.controllers.user DEBUG 2017-11-12 13:35:38,507 trans.app.config.auth_config_file: ./config/auth_conf.xml

galaxy.auth.providers.ldap_ad DEBUG 2017-11-12 13:35:38,507 LDAP authenticate: email is useraccount@mydomain.com

galaxy.auth.providers.ldap_ad DEBUG 2017-11-12 13:35:38,507 LDAP authenticate: username is None

galaxy.auth.providers.ldap_ad DEBUG 2017-11-12 13:35:38,507 LDAP authenticate: options are {'bind-user': '{sAMAccountName}@research.sidra.local', 'search-fields': 'sAMAccountName,mail', 'login-use-username': 'True', 'allow-register': 'False', 'auto-register-email': '{mail}', 'server': ' myAD.mydomain.example.local ', 'auto-register': 'True', 'search-base': 'cn=Users,dc=mydomian,dc=example,dc=local', 'auto-register-username': '{sAMAccountName}', 'search-password': 'PASSWORD', 'search-user': 'serviceacct@mydomain.example.local', 'bind-password': '{password}', 'allow-password-change': 'False'}

galaxy.auth.providers.ldap_ad DEBUG 2017-11-12 13:35:38,508 LDAP authenticate: username must be used to login, cannot be None

 

And here is my updated auth_config.xml file

 

<?xml version="1.0"?>

<auth>

<authenticator>

        <type>ldap</type>

        <options>

        <allow-register>False</allow-register>

        <auto-register>True</auto-register>

        <allow-password-change>False</allow-password-change>

        <server>myAD.mydomain.example.local</server>

        <login-use-username>True</login-use-username>

 

        <search-fields>sAMAccountName,mail</search-fields>

        <search-base>cn=Users,dc=mydomain,dc=example,dc=local</search-base>

        <search-user>serviceacct@mydomain.example.local</search-user>

        <search-password>PASSWORD</search-password>

 

        <bind-user>{sAMAccountName}@mydomain.example.local</bind-user>

        <bind-password>{password}</bind-password>

        <auto-register-username>{sAMAccountName}</auto-register-username>

        <auto-register-email>{mail}</auto-register-email>

 

      </options>

    </authenticator>

 

    <authenticator>

        <type>localdb</type>

        <options>

            <allow-password-change>true</allow-password-change>

        </options>

    </authenticator>

 

</auth>

 

I will appreciate it if you think the file looks okay to you.

 

Thank you    

 

Hakeem Almabrazi

Senior Software Architect

 

Sidra Medical and Research Center

Out-Patient Clinic

PO Box 26999 , Al Luqta Street 
Education City North Campus
Qatar Foundation

Tel:+974-4003-7458 (ext:37458)  | Mobile: +974-7479-4201

halmabrazi@sidra.org |  www.sidra.org

 Description:
                C:\Users\fgenevieve\AppData\Local\Microsoft\Windows\Temporary
                Internet
                Files\Content.Outlook\O53SYTUP\Sidra-Logo-Member of QF
                Short.PNG

 

 

From: Nicola Soranzo [mailto:nicola.soranzo@gmail.com] On Behalf Of Nicola Soranzo
Sent: Thursday, November 09, 2017 5:44 PM
To: Hakeem Almabrazi; galaxy-dev@lists.galaxyproject.org
Subject: Re: [galaxy-dev] Active Directory Authentication question

 

Hi Hakeem,
a couple of suggestions:
- allow-register should be False
- I don't see a line with something like <server>ldap://dc1.example.com</server> , but I suppose you have omitted it
- if your AD server doesn't allow anonymous searches (like in my case), you need to specify also:

<search-user>cn=jsmith,ou=People,dc=domain,dc=com</search-user>
<search-password>mysecret</search-password>

- you definitely need to specify an adapted version of these:

        <bind-user>{sAMAccountName}@dc1.example.com</bind-user>
        <bind-password>{password}</bind-password>
        <auto-register-username>{sAMAccountName}</auto-register-username>
        <auto-register-email>{mail}</auto-register-email>

Hope that helps!

Cheers,
Nicola

On 09/11/17 11:24, Hakeem Almabrazi wrote:

Hello,

 

I have installed the latest galaxy and I would like to use the MS Active Directory 2012 for authentication.  I tried to follow the instructions outlined here https://galaxyproject.org/admin/config/external-user-auth/  without touching the lib/galaxy/auth/providers/ldap_ad_py since I thought this is related to ldap not AD. 

 

Here is the exact auth_config.xml file

+++++++++++++++++++++++++

<?xml version="1.0"?>

<auth>

<authenticator>

        <type>ldap</type>

        <options>

        <allow-register>True</allow-register>

        <auto-register>True</auto-register>

        <allow-password-change>False</allow-password-change>

        <login-use-username>True</login-use-username>

            <!-- For Active Directory: -->

            <search-fields>sAMAccountName,mail</search-fields>

            <search-base>dc=dc1,dc=example,dc=com</search-base>

            <!-- If login-use-username is True -->

        <search-filter>(&amp;(objectClass=user)(sAMAccountName={username}))</search-filter>

      </options>

    </authenticator>

</auth>

+++++++++++++++++

 

When I try to login using a real user email and pwd, it says “No user of valid password” in the Galaxy page.  And here is the error log I keep getting.

 

galaxy.webapps.galaxy.controllers.user DEBUG 2017-11-09 13:55:37,940 trans.app.config.auth_config_file: ./config/auth_conf.xml

galaxy.auth.providers.ldap_ad DEBUG 2017-11-09 13:55:37,940 LDAP authenticate: email is user@example.com

galaxy.auth.providers.ldap_ad DEBUG 2017-11-09 13:55:37,940 LDAP authenticate: username is None

galaxy.auth.providers.ldap_ad DEBUG 2017-11-09 13:55:37,940 LDAP authenticate: options are {'search-fields': 'sAMAccountName,mail', 'login-use-username': 'True', 'allow-register': 'True', 'auto-register': 'True', 'search-base': 'dc=dc1,dc=example,dc=com', 'search-filter': '(&(objectClass=user)(sAMAccountName={username}))', 'allow-password-change': 'False'}

galaxy.auth.providers.ldap_ad DEBUG 2017-11-09 13:55:37,940 LDAP authenticate: username must be used to login, cannot be None

galaxy.auth DEBUG 2017-11-09 13:55:37,941 Email: , Username , stopping due to failed non-continue

 

Is there anything missing from my auth_config.xml file?   

 

I appreciate any kind of help figuring this out.

 

Best regards,

 

Hak

 

 

Disclaimer: This email and its attachments may be confidential and are intended solely for the use of the individual to whom it is addressed. If you are not the intended recipient, any reading, printing, storage, disclosure, copying or any other action taken in respect of this e-mail is prohibited and may be unlawful. If you are not the intended recipient, please notify the sender immediately by using the reply function and then permanently delete what you have received. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Sidra Medical and Research Center.



___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  https://lists.galaxyproject.org/
 
To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/

 

Disclaimer: This email and its attachments may be confidential and are intended solely for the use of the individual to whom it is addressed. If you are not the intended recipient, any reading, printing, storage, disclosure, copying or any other action taken in respect of this e-mail is prohibited and may be unlawful. If you are not the intended recipient, please notify the sender immediately by using the reply function and then permanently delete what you have received. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Sidra Medical and Research Center.

 

Disclaimer: This email and its attachments may be confidential and are intended solely for the use of the individual to whom it is addressed. If you are not the intended recipient, any reading, printing, storage, disclosure, copying or any other action taken in respect of this e-mail is prohibited and may be unlawful. If you are not the intended recipient, please notify the sender immediately by using the reply function and then permanently delete what you have received. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Sidra Medical and Research Center.