Hi Martin, that's exactly what I was suggesting in my last email, sorry for not explaining myself better with a complete example! I'm happy it's working for you now, I will create a PR to update the sample file example. Thanks, Nicola On 03/09/15 12:47, Martin Vickers wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hi,
Okay I've solved it. The issue was that a) (mail={email}) is all that is required in the search filter (to allow non-registered users) b) to return cn and mail in the search-fields for use with the auto-register-username and email. Finally, ensure auto-register is set to True.
<auto-register>True</auto-register> <server>ldaps://dc1.example.com</server> <search-base>ou=Person,dc=dc1,dc=example,dc=com</search-base> <search-user>cn=searchuser,ou=Person,dc=dc1,dc=example,dc=com</search-user> <search-password>searchpassword</search-password> <search-fields>cn,mail</search-fields> <search-filter>(mail={email})</search-filter> <continue-on-failure>False</continue-on-failure> <bind-user>{dn}</bind-user> <bind-password>{password}</bind-password> <auto-register-username>{cn}</auto-register-username> <auto-register-email>{mail}</auto-register-email>
Cheers,
Martin
Hi Nicola, > > So I've realised that none of that was actually the issue. The (&(uid={username})(mail={email})) part does work fine, it's the setting of the username that is the issue. When the first unregistered user logs in, it works fine but the username is set to -10. When a second unregistered user attempts to login, they can't. If I manually change their username, the second user is then able to log in and once again the username is set to -10. (see attached images). > I think the issue here stems from; > > <auto-register-username>{uid}</auto-register-username> > > since I don't have a uid property in our ldap server. I've tried all combinations of auto-register (True/False) and allow-register (True/False/Challenge) and haven't been able to get it to work. It also appears that auto-register-username and auto-register-email are requirements to use this authenticator as without it noone can log in (including registered users), and I get the following "Internal Server Error" message. > > This is my current auth_config.xml file; > <authenticator> > <type>ldap</type> > <allow-register>True</allow-register> > <server>ldaps://dc1.example.com</server> > <search-base>ou=Person,dc=dc1,dc=example,dc=com</search-base> > <search-user>cn=searchuser,ou=Person,dc=dc1,dc=example,dc=com</search-user> <search-password>searchpasssword</search-password> > <search-fields>uid,mail</search-fields> > <search-filter>(|(mail={email})(uid={username}))</search-filter> <continue-on-failure>False</continue-on-failure> > <bind-user>{dn}</bind-user> > <bind-password>{password}</bind-password> > <auto-register-username>{uid}</auto-register-username> > <auto-register-email>{mail}</auto-register-email> > </options> > </authenticator> > > Doesn't one of the allow-register settings make/ask the user to provide a username rather
cn: mjv08 >> >> So authentication to the ldap server is working,
galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 15:40:07,322 LDAP authenticate: username is None >> galaxy.auth.providers.ldap_ad WARNING 2015-09-02 15:40:07,485 LDAP authenticate: search returned no results >> >> How is {username} in auth_config.xml set? Does it parse {email} to get it? >> >> Many thanks, >> >> Martin >> >> On 09/02/2015 03:38 PM, Nicola Soranzo wrote: >> > Hi Martin, > what LDAP server are you using? We have tested only OpenLDAP and > ActiveDirectory, but should work on any LDAP server. > > If it is OpenLDAP, I think you should use: > > <search-fields>uid,mail</search-fields> > <search-filter>(&(mail={email})(uid={username}))</search-filter> > <auto-register-username>{uid}</auto-register-username> > > More
Cheers, > Nicola > > Il 02.09.2015 15:03 Martin Vickers ha scritto: > > Hi All, > > I've been trying to get the new LDAP module to work. It works fine for > existing users but I can't get auto-register to work. In the logs I can > see the successful logins look like this; > > galaxy.webapps.galaxy.controllers.user DEBUG 2015-09-02 13:35:06,130 > trans.app.config.auth_config_file: ./config/auth_conf.xml > galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:35:06,131 LDAP > authenticate: email is mjv08@aber.ac.uk [1] > galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:35:06,131 LDAP authenticate: username is mjv08 > .... > galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:35:06,235 LDAP > authentication successful > > and those that are unsuccessful have a username as None, which is why > the search filter isn't working; > > galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:47:13,951 LDAP > authenticate: email is unreguser@aber.ac.uk [2] > galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:47:13,951 LDAP > authenticate: username is None > .... > galaxy.auth.providers.ldap_ad WARNING 2015-09-02 13:47:14,110 LDAP > authenticate: search returned no results > > My auth_config.xml openldap authenticator looks like
On 09/03/2015 11:59 AM, Martin Vickers wrote: than trying to auto generate it? or, is there a way to get the username out of the ldap server if it's not using uid to store it? > > Many thanks, > > Martin > > On 09/02/2015 06:09 PM, Nicola Soranzo wrote: > > Hi Martin, > > I suspect there's an error in the sample auth_conf.xml file, <search-filter> should try to match only the email, not the username (unless you specify <login-use-username>True</login-use-username>, in which case it's viceversa) because it is not known when you first login. In fact, for ActiveDirectory the filter is: <search-filter>(&(objectClass=user)(mail={email}))</search-filter> So, can you try to change: <search-filter>(&(cn={username})(mail={email}))</search-filter> to something like: > > <search-filter>(mail={email})</search-filter> Cheers, Nicola > > On 02/09/15 15:51, Martin Vickers wrote: > >> >> Hi Nicola, >> >> It's an OpenLDAP server. uid isn't set on ours, it's cn instead, so using ldapsearch I can correctly bind; >> >> dn: cn=mjv08,ou=Person,dc=dc1,dc=example,dc=com >> objectClass: aberPerson the issue seems to be that when it's an unknown user, it's passing the following search string; >> >> (&(cn=None)(mail=unknownuser@aber.ac.uk)) >> >> rather than; >> >> (&(cn=unknownuser)(mail=unknownuser@aber.ac.uk)) >> >> hence the; >> details in: > > https://github.com/galaxyproject/galaxy/blob/dev/config/auth_conf.xml.sample this (edited to > remove openldap server details); > > ldap > '{email}'.endswith('@example.com') > > True > Challenge > ldaps://dc1.example.com > > ou=People,dc=dc1,dc=example,dc=com > > cn=searchuser,ou=People,dc=dc1,dc=example,dc=com > > searchuserpassword > cn,mail > > (&(cn={username})(mail={email})) > {dn} > {password} > > {cn} > {mail} > > Are there any settings in galaxy.ini that are required to enable this to > work? > > Many thanks
Martin > > > > Connetti gratis il mondo con la nuova indoona: hai la chat, le chiamate, le video chiamate e persino le chiamate di gruppo. > E chiami gratis anche i numeri fissi e mobili nel mondo! > Scarica subito l’app Vai su https://www.indoona.com/ > > >> > >> > > > -- > > -- > Dr. Martin Vickers > > Data Manager/HPC Systems Administrator > Institute of Biological, Environmental and Rural Sciences > IBERS New Building > Aberystwyth University > > w: http://www.martin-vickers.co.uk/ > e: mjv08@aber.ac.uk > t: 01970 62 2807 >
- --
- -- Dr. Martin Vickers
Data Manager/HPC Systems Administrator Institute of Biological, Environmental and Rural Sciences IBERS New Building Aberystwyth University
w: http://www.martin-vickers.co.uk/ e: mjv08@aber.ac.uk t: 01970 62 2807 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (GNU/Linux)
iQEcBAEBAgAGBQJV6DNUAAoJEHa0a8GkKQgInOgIALJ3m2/DYUEgHre3go/KBIuo I2h59wSEqjzhkX3SzUho96lRK1OHy481r7fJAW89BojYlNSlyw9qnA1mvaD4CxKi DuLyhNHDCFOQngXeiZrfqzkHNJ2bjJQiJ8yHHUBZPuq4S+E9PbP4o52N8Z63SXUL pz1bEWjUiNSRq3k2BjcEQkIVF3IZuwx0ygM3tKnWQK3IRQTCuO/dvdXJeNvw3kb7 P45OukPWCI5PpcfUnYMZQX0HRTGOaqZnhVEZyEXTcEXURY6aZMJOS8pcxd8QeGib SMcbykYO+MLOjY8F0N+vnjse5K3qDIDbPxMD1AHtu6K2r9iHHDoGHivemP23piE= =Uz+C -----END PGP SIGNATURE-----