Hi Nicola,
So I've realised that none of that was actually the issue. The
(&(uid={username})(mail={email})) part does work fine, it's the
setting of the username that is the issue. When the first
unregistered user logs in, it works fine but the username is set to
-10. When a second unregistered user attempts to login, they can't.
If I manually change their username, the second user is then able to
log in and once again the username is set to -10. (see attached
images).
I think the issue here stems from;
<auto-register-username>{uid}</auto-register-username>
since I don't have a uid property in our ldap server. I've tried all
combinations of auto-register (True/False) and allow-register
(True/False/Challenge) and haven't been able to get it to work. It
also appears that auto-register-username and auto-register-email are
requirements to use this authenticator as without it noone can log
in (including registered users), and I get the following "Internal
Server Error" message.
This is my current auth_config.xml file;
<authenticator>
<type>ldap</type>
<allow-register>True</allow-register>
<server>ldaps://dc1.example.com</server>
<search-base>ou=Person,dc=dc1,dc=example,dc=com</search-base>
<search-user>cn=searchuser,ou=Person,dc=dc1,dc=example,dc=com</search-user>
<search-password>searchpasssword</search-password>
<search-fields>uid,mail</search-fields>
<search-filter>(|(mail={email})(uid={username}))</search-filter>
<continue-on-failure>False</continue-on-failure>
<bind-user>{dn}</bind-user>
<bind-password>{password}</bind-password>
<auto-register-username>{uid}</auto-register-username>
<auto-register-email>{mail}</auto-register-email>
</options>
</authenticator>
Doesn't one of the allow-register settings make/ask the user to
provide a username rather than trying to auto generate it? or, is
there a way to get the username out of the ldap server if it's not
using uid to store it?
Many thanks,
Martin
On 09/02/2015 06:09 PM, Nicola Soranzo wrote:
> Hi Martin,
> I suspect there's an error in the sample auth_conf.xml file,
<search-filter> should try to match only the email, not the
username (unless you specify
<login-use-username>True</login-use-username>, in
which case it's viceversa) because it is not known when you first
login. In fact, for ActiveDirectory the filter is:
<search-filter>(&(objectClass=user)(mail={email}))</search-filter>
So, can you try to change:
<search-filter>(&(cn={username})(mail={email}))</search-filter>
to something like:
> <search-filter>(mail={email})</search-filter>
Cheers, Nicola
> On 02/09/15 15:51, Martin Vickers wrote:
>>
Hi Nicola,
It's an OpenLDAP server. uid isn't set on ours, it's cn instead,
so using ldapsearch I can correctly bind;
dn: cn=mjv08,ou=Person,dc=dc1,dc=example,dc=com
objectClass: aberPerson
cn: mjv08
So authentication to the ldap server is working, the issue seems
to be that when it's an unknown user, it's passing the following
search string;
(&(cn=None)(mail=unknownuser@aber.ac.uk))
rather than;
(&(cn=unknownuser)(mail=unknownuser@aber.ac.uk))
hence the;
galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 15:40:07,322 LDAP
authenticate: username is None
galaxy.auth.providers.ldap_ad WARNING 2015-09-02 15:40:07,485 LDAP
authenticate: search returned no results
How is {username} in auth_config.xml set? Does it parse {email} to
get it?
Many thanks,
Martin
On 09/02/2015 03:38 PM, Nicola Soranzo wrote:
> Hi Martin, > what LDAP server are you using? We have
tested only OpenLDAP and > ActiveDirectory, but should work on
any LDAP server. > > If it is OpenLDAP, I think you should
use: > > <search-fields>uid,mail</search-fields>
>
<search-filter>(&(mail={email})(uid={username}))</search-filter>
>
<auto-register-username>{uid}</auto-register-username>
> > More details in: > >
https://github.com/galaxyproject/galaxy/blob/dev/config/auth_conf.xml.sample
> > Cheers, > Nicola > > Il 02.09.2015 15:03 Martin
Vickers ha scritto: > > Hi All, > > I've been trying
to get the new LDAP module to work. It works fine for >
existing users but I can't get auto-register to work. In the logs
I can > see the successful logins look like this; > >
galaxy.webapps.galaxy.controllers.user DEBUG 2015-09-02
13:35:06,130 > trans.app.config.auth_config_file:
./config/auth_conf.xml > galaxy.auth.providers.ldap_ad DEBUG
2015-09-02 13:35:06,131 LDAP > authenticate: email is
mjv08@aber.ac.uk [1] > galaxy.auth.providers.ldap_ad DEBUG
2015-09-02 13:35:06,131 LDAP > authenticate: username is mjv08
> .... > galaxy.auth.providers.ldap_ad DEBUG 2015-09-02
13:35:06,235 LDAP > authentication successful > > and
those that are unsuccessful have a username as None, which is why
> the search filter isn't working; > >
galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:47:13,951 LDAP
> authenticate: email is unreguser@aber.ac.uk [2] >
galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:47:13,951 LDAP
> authenticate: username is None > .... >
galaxy.auth.providers.ldap_ad WARNING 2015-09-02 13:47:14,110 LDAP
> authenticate: search returned no results > > My
auth_config.xml openldap authenticator looks like this (edited to
> remove openldap server details); > > ldap >
'{email}'.endswith('@example.com') > > True > Challenge
> ldaps://dc1.example.com > >
ou=People,dc=dc1,dc=example,dc=com > >
cn=searchuser,ou=People,dc=dc1,dc=example,dc=com > >
searchuserpassword > cn,mail > >
(&(cn={username})(mail={email})) > {dn} > {password}
> > {cn} > {mail} > > Are there any settings in
galaxy.ini that are required to enable this to > work? >
> Many thanks > > Martin > > > > Connetti
gratis il mondo con la nuova indoona: hai la chat, le chiamate,
le video chiamate e persino le chiamate di gruppo. > E chiami
gratis anche i numeri fissi e mobili nel mondo! > Scarica
subito l’app Vai su https://www.indoona.com/ > >
>>
>
--
--
Dr. Martin Vickers
Data Manager/HPC Systems Administrator
Institute of Biological, Environmental and Rural Sciences
IBERS New Building
Aberystwyth University
w: http://www.martin-vickers.co.uk/
e: mjv08@aber.ac.uk
t: 01970 62 2807