-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
Okay I've solved it. The issue was that a) (mail={email}) is all
that is required in the search filter (to allow non-registered
users) b) to return cn and mail in the search-fields for use with
the auto-register-username and email. Finally, ensure auto-register
is set to True.
<auto-register>True</auto-register>
<server>ldaps://dc1.example.com</server>
<search-base>ou=Person,dc=dc1,dc=example,dc=com</search-base>
<search-user>cn=searchuser,ou=Person,dc=dc1,dc=example,dc=com</search-user>
<search-password>searchpassword</search-password>
<search-fields>cn,mail</search-fields>
<search-filter>(mail={email})</search-filter>
<continue-on-failure>False</continue-on-failure>
<bind-user>{dn}</bind-user>
<bind-password>{password}</bind-password>
<auto-register-username>{cn}</auto-register-username>
<auto-register-email>{mail}</auto-register-email>
Cheers,
Martin
On 09/03/2015 11:59 AM, Martin Vickers wrote:
> Hi Nicola,
>
> So I've realised that none of that was actually the issue.
The (&(uid={username})(mail={email})) part does work fine,
it's the setting of the username that is the issue. When the
first unregistered user logs in, it works fine but the username is
set to -10. When a second unregistered user attempts to login,
they can't. If I manually change their username, the second user
is then able to log in and once again the username is set to -10.
(see attached images).
>
> I think the issue here stems from;
>
>
<auto-register-username>{uid}</auto-register-username>
>
> since I don't have a uid property in our ldap server. I've
tried all combinations of auto-register (True/False) and
allow-register (True/False/Challenge) and haven't been able to get
it to work. It also appears that auto-register-username and
auto-register-email are requirements to use this authenticator as
without it noone can log in (including registered users), and I
get the following "Internal Server Error" message.
>
> This is my current auth_config.xml file;
>
> <authenticator>
> <type>ldap</type>
>
<allow-register>True</allow-register>
>
<server>ldaps://dc1.example.com</server>
>
<search-base>ou=Person,dc=dc1,dc=example,dc=com</search-base>
>
<search-user>cn=searchuser,ou=Person,dc=dc1,dc=example,dc=com</search-user>
>
<search-password>searchpasssword</search-password>
>
<search-fields>uid,mail</search-fields>
>
<search-filter>(|(mail={email})(uid={username}))</search-filter>
>
<continue-on-failure>False</continue-on-failure>
>
<bind-user>{dn}</bind-user>
>
<bind-password>{password}</bind-password>
>
<auto-register-username>{uid}</auto-register-username>
>
<auto-register-email>{mail}</auto-register-email>
> </options>
> </authenticator>
>
> Doesn't one of the allow-register settings make/ask the user
to provide a username rather than trying to auto generate it? or,
is there a way to get the username out of the ldap server if it's
not using uid to store it?
>
> Many thanks,
>
> Martin
>
> On 09/02/2015 06:09 PM, Nicola Soranzo wrote:
> > Hi Martin,
> > I suspect there's an error in the sample auth_conf.xml
file, <search-filter> should try to match only the email,
not the username (unless you specify
<login-use-username>True</login-use-username>, in
which case it's viceversa) because it is not known when you first
login. In fact, for ActiveDirectory the filter is:
<search-filter>(&(objectClass=user)(mail={email}))</search-filter>
So, can you try to change:
<search-filter>(&(cn={username})(mail={email}))</search-filter>
to something like:
> >
<search-filter>(mail={email})</search-filter> Cheers,
Nicola
> > On 02/09/15 15:51, Martin Vickers wrote:
> >>
>> Hi Nicola,
>>
>> It's an OpenLDAP server. uid isn't set on ours, it's cn
instead, so using ldapsearch I can correctly bind;
>>
>> dn: cn=mjv08,ou=Person,dc=dc1,dc=example,dc=com
>> objectClass: aberPerson
>> cn: mjv08
>>
>> So authentication to the ldap server is working, the
issue seems to be that when it's an unknown user, it's passing the
following search string;
>>
>> (&(cn=None)(mail=unknownuser@aber.ac.uk))
>>
>> rather than;
>>
>> (&(cn=unknownuser)(mail=unknownuser@aber.ac.uk))
>>
>> hence the;
>>
>> galaxy.auth.providers.ldap_ad DEBUG 2015-09-02
15:40:07,322 LDAP authenticate: username is None
>> galaxy.auth.providers.ldap_ad WARNING 2015-09-02
15:40:07,485 LDAP authenticate: search returned no results
>>
>> How is {username} in auth_config.xml set? Does it parse
{email} to get it?
>>
>> Many thanks,
>>
>> Martin
>>
>> On 09/02/2015 03:38 PM, Nicola Soranzo wrote:
>> > Hi Martin, > what LDAP server are you using? We
have tested only OpenLDAP and > ActiveDirectory, but should
work on any LDAP server. > > If it is OpenLDAP, I think you
should use: > >
<search-fields>uid,mail</search-fields> >
<search-filter>(&(mail={email})(uid={username}))</search-filter>
>
<auto-register-username>{uid}</auto-register-username>
> > More details in: > >
https://github.com/galaxyproject/galaxy/blob/dev/config/auth_conf.xml.sample
> > Cheers, > Nicola > > Il 02.09.2015 15:03 Martin
Vickers ha scritto: > > Hi All, > > I've been trying
to get the new LDAP module to work. It works fine for >
existing users but I can't get auto-register to work. In the logs
I can > see the successful logins look like this; > >
galaxy.webapps.galaxy.controllers.user DEBUG 2015-09-02
13:35:06,130 > trans.app.config.auth_config_file:
./config/auth_conf.xml > galaxy.auth.providers.ldap_ad DEBUG
2015-09-02 13:35:06,131 LDAP > authenticate: email is
mjv08@aber.ac.uk [1] > galaxy.auth.providers.ldap_ad DEBUG
2015-09-02 13:35:06,131 LDAP > authenticate: username is mjv08
> .... > galaxy.auth.providers.ldap_ad DEBUG 2015-09-02
13:35:06,235 LDAP > authentication successful > > and
those that are unsuccessful have a username as None, which is why
> the search filter isn't working; > >
galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:47:13,951 LDAP
> authenticate: email is unreguser@aber.ac.uk [2] >
galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:47:13,951 LDAP
> authenticate: username is None > .... >
galaxy.auth.providers.ldap_ad WARNING 2015-09-02 13:47:14,110 LDAP
> authenticate: search returned no results > > My
auth_config.xml openldap authenticator looks like this (edited to
> remove openldap server details); > > ldap >
'{email}'.endswith('@example.com') > > True > Challenge
> ldaps://dc1.example.com > >
ou=People,dc=dc1,dc=example,dc=com > >
cn=searchuser,ou=People,dc=dc1,dc=example,dc=com > >
searchuserpassword > cn,mail > >
(&(cn={username})(mail={email})) > {dn} > {password}
> > {cn} > {mail} > > Are there any settings in
galaxy.ini that are required to enable this to > work? >
> Many thanks > > Martin > > > > Connetti
gratis il mondo con la nuova indoona: hai la chat, le chiamate,
le video chiamate e persino le chiamate di gruppo. > E chiami
gratis anche i numeri fissi e mobili nel mondo! > Scarica
subito l’app Vai su https://www.indoona.com/ > >
>>
> >>
> >
>
> --
>
> --
> Dr. Martin Vickers
>
> Data Manager/HPC Systems Administrator
> Institute of Biological, Environmental and Rural Sciences
> IBERS New Building
> Aberystwyth University
>
> w: http://www.martin-vickers.co.uk/
> e: mjv08@aber.ac.uk
> t: 01970 62 2807
>
- --
- --
Dr. Martin Vickers
Data Manager/HPC Systems Administrator
Institute of Biological, Environmental and Rural Sciences
IBERS New Building
Aberystwyth University
w: http://www.martin-vickers.co.uk/
e: mjv08@aber.ac.uk
t: 01970 62 2807
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
iQEcBAEBAgAGBQJV6DNUAAoJEHa0a8GkKQgInOgIALJ3m2/DYUEgHre3go/KBIuo
I2h59wSEqjzhkX3SzUho96lRK1OHy481r7fJAW89BojYlNSlyw9qnA1mvaD4CxKi
DuLyhNHDCFOQngXeiZrfqzkHNJ2bjJQiJ8yHHUBZPuq4S+E9PbP4o52N8Z63SXUL
pz1bEWjUiNSRq3k2BjcEQkIVF3IZuwx0ygM3tKnWQK3IRQTCuO/dvdXJeNvw3kb7
P45OukPWCI5PpcfUnYMZQX0HRTGOaqZnhVEZyEXTcEXURY6aZMJOS8pcxd8QeGib
SMcbykYO+MLOjY8F0N+vnjse5K3qDIDbPxMD1AHtu6K2r9iHHDoGHivemP23piE=
=Uz+C
-----END PGP SIGNATURE-----