Hi Martin,
I suspect there's an error in the sample auth_conf.xml file: <search-filter> should try to match only the email, not the username (unless you specify <login-use-username>True</login-use-username>, in which case it's vice versa), because it is not known when you first log in. In fact, for ActiveDirectory the filter is:

<search-filter>(&amp;(objectClass=user)(mail={email}))</search-filter>

So, can you try to change:

<search-filter>(&amp;(cn={username})(mail={email}))</search-filter>

to something like:

<search-filter>(mail={email})</search-filter>

Cheers,
Nicola

On 02/09/15 15:51, Martin Vickers wrote:

Hi Nicola,

It's an OpenLDAP server. uid isn't set on ours, it's cn instead, so using ldapsearch I can correctly bind;

dn: cn=mjv08,ou=Person,dc=dc1,dc=example,dc=com
objectClass: aberPerson
cn: mjv08

So authentication to the ldap server is working, the issue seems to be that when it's an unknown user, it's passing the following search string;

(&(cn=None)(mail=unknownuser@aber.ac.uk))

rather than;

(&(cn=unknownuser)(mail=unknownuser@aber.ac.uk))

hence the;

galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 15:40:07,322 LDAP authenticate: username is None
galaxy.auth.providers.ldap_ad WARNING 2015-09-02 15:40:07,485 LDAP authenticate: search returned no results

How is {username} in auth_config.xml set? Does it parse {email} to get it?

Many thanks,

Martin

On 09/02/2015 03:38 PM, Nicola Soranzo wrote:
> Hi Martin,
> what LDAP server are you using? We have tested only OpenLDAP and ActiveDirectory, but should work on any LDAP server.
>
> If it is OpenLDAP, I think you should use:
>
> <search-fields>uid,mail</search-fields>
> <search-filter>(&amp;(mail={email})(uid={username}))</search-filter>
> <auto-register-username>{uid}</auto-register-username>
>
> More details in:
>
> https://github.com/galaxyproject/galaxy/blob/dev/config/auth_conf.xml.sample
>
> Cheers,
> Nicola
>
> On 02.09.2015 15:03 Martin Vickers wrote:
>
> Hi All,
>
> I've been trying to get the new LDAP module to work. It works fine for existing users but I can't get auto-register to work. In the logs I can see the successful logins look like this;
>
> galaxy.webapps.galaxy.controllers.user DEBUG 2015-09-02 13:35:06,130 trans.app.config.auth_config_file: ./config/auth_conf.xml
> galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:35:06,131 LDAP authenticate: email is mjv08@aber.ac.uk [1]
> galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:35:06,131 LDAP authenticate: username is mjv08
> ....
> galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:35:06,235 LDAP authentication successful
>
> and those that are unsuccessful have a username as None, which is why the search filter isn't working;
>
> galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:47:13,951 LDAP authenticate: email is unreguser@aber.ac.uk [2]
> galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:47:13,951 LDAP authenticate: username is None
> ....
> galaxy.auth.providers.ldap_ad WARNING 2015-09-02 13:47:14,110 LDAP authenticate: search returned no results
>
> My auth_config.xml openldap authenticator looks like this (edited to remove openldap server details);
>
> ldap
> '{email}'.endswith('@example.com')
>
> True
> Challenge
> ldaps://dc1.example.com
>
> ou=People,dc=dc1,dc=example,dc=com
>
> cn=searchuser,ou=People,dc=dc1,dc=example,dc=com
>
> searchuserpassword
> cn,mail
>
> (&(cn={username})(mail={email}))
> {dn}
> {password}
>
> {cn}
> {mail}
>
> Are there any settings in galaxy.ini that are required to enable this to work?
>
> Many thanks
>
> Martin

--
Dr. Martin Vickers

Data Manager/HPC Systems Administrator
Institute of Biological, Environmental and Rural Sciences
IBERS New Building
Aberystwyth University

w: http://www.martin-vickers.co.uk/
e: mjv08@aber.ac.uk
t: 01970 62 2807
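
Added example, not part of the original thread and not Galaxy's own code: it reproduces how an unset username ends up as `(cn=None)` in the combined filter discussed above, and shows a renderer that rejects unset placeholders and escapes values per RFC 4515. The function names and the sample address are assumptions made for illustration.

```python
# Added illustration; all names here are hypothetical, not Galaxy's API.
import string

# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Filter templates as they read after XML parsing (&amp; becomes &).
COMBINED = "(&(cn={username})(mail={email}))"
EMAIL_ONLY = "(mail={email})"

# Constructed sample: at first login only the email is known.
FIRST_LOGIN = {"email": "unknownuser@example.org", "username": None}


def escape_filter_value(value):
    """Escape a value for safe use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def placeholders(template):
    """Return the set of {name} placeholders used in a filter template."""
    return {name for _, name, _, _ in string.Formatter().parse(template) if name}


def render_search_filter(template, params):
    """Fill a filter template, refusing placeholders whose value is unset."""
    missing = sorted(n for n in placeholders(template) if params.get(n) is None)
    if missing:
        raise ValueError("unset filter parameters: " + ", ".join(missing))
    safe = {k: escape_filter_value(str(v)) for k, v in params.items() if v is not None}
    return template.format(**safe)


if __name__ == "__main__":
    # Plain substitution silently turns None into the literal string "None".
    print(COMBINED.format(**FIRST_LOGIN))
    # The email-only filter does not depend on the unknown username.
    print(render_search_filter(EMAIL_ONLY, FIRST_LOGIN))
    try:
        render_search_filter(COMBINED, FIRST_LOGIN)
    except ValueError as exc:
        print("rejected:", exc)
```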