Hi Nicola,
So I've realised that none of that was actually the issue. The (&(uid={username})(mail={email})) part does work fine, it's the setting of the username that is the issue. When the first unregistered user logs in, it works fine but the username is set to -10. When a second unregistered user attempts to login, they can't. If I manually change
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, Okay I've solved it. The issue was that a) (mail={email}) is all that is required in the search filter (to allow non-registered users) b) to return cn and mail in the search-fields for use with the auto-register-username and email. Finally, ensure auto-register is set to True. <auto-register>True</auto-register> <server>ldaps://dc1.example.com</server> <search-base>ou=Person,dc=dc1,dc=example,dc=com</search-base> <search-user>cn=searchuser,ou=Person,dc=dc1,dc=example,dc=com</search-user> <search-password>searchpassword</search-password> <search-fields>cn,mail</search-fields> <search-filter>(mail={email})</search-filter> <continue-on-failure>False</continue-on-failure> <bind-user>{dn}</bind-user> <bind-password>{password}</bind-password> <auto-register-username>{cn}</auto-register-username> <auto-register-email>{mail}</auto-register-email> Cheers, Martin On 09/03/2015 11:59 AM, Martin Vickers wrote: their username, the second user is then able to log in and once again the username is set to -10. (see attached images).
I think the issue here stems from;
<auto-register-username>{uid}</auto-register-username>
since I don't have a uid property in our ldap server. I've tried all
combinations of auto-register (True/False) and allow-register (True/False/Challenge) and haven't been able to get it to work. It also appears that auto-register-username and auto-register-email are requirements to use this authenticator as without it noone can log in (including registered users), and I get the following "Internal Server Error" message.
This is my current auth_config.xml file;
<authenticator> <type>ldap</type> <allow-register>True</allow-register> <server>ldaps://dc1.example.com</server>
<search-base>ou=Person,dc=dc1,dc=example,dc=com</search-base>
<search-user>cn=searchuser,ou=Person,dc=dc1,dc=example,dc=com</search-user>
<search-password>searchpasssword</search-password> <search-fields>uid,mail</search-fields>
<search-filter>(|(mail={email})(uid={username}))</search-filter>
<continue-on-failure>False</continue-on-failure> <bind-user>{dn}</bind-user> <bind-password>{password}</bind-password>
<auto-register-username>{uid}</auto-register-username>
<auto-register-email>{mail}</auto-register-email> </options> </authenticator>
Doesn't one of the allow-register settings make/ask the user to
provide a username rather than trying to auto generate it? or, is there a way to get the username out of the ldap server if it's not using uid to store it?
Many thanks,
Martin
On 09/02/2015 06:09 PM, Nicola Soranzo wrote:
Hi Martin, I suspect there's an error in the sample auth_conf.xml file,
<search-filter>(mail={email})</search-filter> Cheers, Nicola On 02/09/15 15:51, Martin Vickers wrote:
Hi Nicola,
It's an OpenLDAP server. uid isn't set on ours, it's cn instead, so using ldapsearch I can correctly bind;
dn: cn=mjv08,ou=Person,dc=dc1,dc=example,dc=com objectClass: aberPerson cn: mjv08
So authentication to the ldap server is working, the issue seems to be that when it's an unknown user, it's passing the following search string;
(&(cn=None)(mail=unknownuser@aber.ac.uk))
rather than;
(&(cn=unknownuser)(mail=unknownuser@aber.ac.uk))
hence the;
galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 15:40:07,322 LDAP authenticate: username is None galaxy.auth.providers.ldap_ad WARNING 2015-09-02 15:40:07,485 LDAP authenticate: search returned no results
How is {username} in auth_config.xml set? Does it parse {email} to get it?
Many thanks,
Martin
On 09/02/2015 03:38 PM, Nicola Soranzo wrote:
Hi Martin, > what LDAP server are you using? We have tested only OpenLDAP and > ActiveDirectory, but should work on any LDAP server. > > If it is OpenLDAP, I think you should use: > > <search-fields>uid,mail</search-fields> > <search-filter>(&(mail={email})(uid={username}))</search-filter> > <auto-register-username>{uid}</auto-register-username> > > More details in: > > https://github.com/galaxyproject/galaxy/blob/dev/config/auth_conf.xml.sample Cheers, > Nicola > > Il 02.09.2015 15:03 Martin Vickers ha scritto: Hi All, > > I've been trying to get the new LDAP module to work. It works fine for > existing users but I can't get auto-register to work. In the logs I can > see the successful logins look like this; > > galaxy.webapps.galaxy.controllers.user DEBUG 2015-09-02 13:35:06,130 >
<search-filter> should try to match only the email, not the username (unless you specify <login-use-username>True</login-use-username>, in which case it's viceversa) because it is not known when you first login. In fact, for ActiveDirectory the filter is: <search-filter>(&(objectClass=user)(mail={email}))</search-filter> So, can you try to change: <search-filter>(&(cn={username})(mail={email}))</search-filter> to something like: trans.app.config.auth_config_file: ./config/auth_conf.xml > galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:35:06,131 LDAP > authenticate: email is mjv08@aber.ac.uk [1] > galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:35:06,131 LDAP > authenticate: username is mjv08 > .... > galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:35:06,235 LDAP > authentication successful > > and those that are unsuccessful have a username as None, which is why > the search filter isn't working; > > galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:47:13,951 LDAP > authenticate: email is unreguser@aber.ac.uk [2] > galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:47:13,951 LDAP > authenticate: username is None > .... > galaxy.auth.providers.ldap_ad WARNING 2015-09-02 13:47:14,110 LDAP > authenticate: search returned no results > > My auth_config.xml openldap authenticator looks like this (edited to > remove openldap server details); > > ldap > '{email}'.endswith('@example.com') > > True > Challenge > ldaps://dc1.example.com > > ou=People,dc=dc1,dc=example,dc=com > > cn=searchuser,ou=People,dc=dc1,dc=example,dc=com > > searchuserpassword
cn,mail > > (&(cn={username})(mail={email})) > {dn} > {password} > > {cn} > {mail} > > Are there any settings in galaxy.ini that are required to enable this to > work? > > Many thanks > > Martin > > > > Connetti gratis il mondo con la nuova indoona: hai la chat, le chiamate, le video chiamate e persino le chiamate di gruppo. > E chiami gratis anche i numeri fissi e mobili nel mondo! > Scarica subito l’app Vai su https://www.indoona.com/ > >
--
-- Dr. Martin Vickers
Data Manager/HPC Systems Administrator Institute of Biological, Environmental and Rural Sciences IBERS New Building Aberystwyth University
w: http://www.martin-vickers.co.uk/ e: mjv08@aber.ac.uk t: 01970 62 2807
- -- - -- Dr. Martin Vickers Data Manager/HPC Systems Administrator Institute of Biological, Environmental and Rural Sciences IBERS New Building Aberystwyth University w: http://www.martin-vickers.co.uk/ e: mjv08@aber.ac.uk t: 01970 62 2807 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (GNU/Linux) iQEcBAEBAgAGBQJV6DNUAAoJEHa0a8GkKQgInOgIALJ3m2/DYUEgHre3go/KBIuo I2h59wSEqjzhkX3SzUho96lRK1OHy481r7fJAW89BojYlNSlyw9qnA1mvaD4CxKi DuLyhNHDCFOQngXeiZrfqzkHNJ2bjJQiJ8yHHUBZPuq4S+E9PbP4o52N8Z63SXUL pz1bEWjUiNSRq3k2BjcEQkIVF3IZuwx0ygM3tKnWQK3IRQTCuO/dvdXJeNvw3kb7 P45OukPWCI5PpcfUnYMZQX0HRTGOaqZnhVEZyEXTcEXURY6aZMJOS8pcxd8QeGib SMcbykYO+MLOjY8F0N+vnjse5K3qDIDbPxMD1AHtu6K2r9iHHDoGHivemP23piE= =Uz+C -----END PGP SIGNATURE-----