Jelle

I did all that and it looks correct.. it is retrieving the correct field.  This is the error i am still getting..  I am using pretty much the same option in other apps..



galaxy.webapps.galaxy.controllers.user DEBUG 2017-06-14 12:04:40,648 trans.app.config.auth_config_file: ./config/auth_conf.xml
galaxy.auth.providers.ldap_ad DEBUG 2017-06-14 12:04:40,648 LDAP authenticate: email is johnuser@example.org
galaxy.auth.providers.ldap_ad DEBUG 2017-06-14 12:04:40,648 LDAP authenticate: username is None
galaxy.auth.providers.ldap_ad DEBUG 2017-06-14 12:04:40,648 LDAP authenticate: options are {'bind-user': '{dn}', 'search-fields': 'uid,mail', 'login-use-username': 'False', 'allow-register': 'True', 'ldap-options': 'OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW', 'auto-register-email': '{email}', 'server': 'ldap://ldap.nyumc.org', 'auto-register': 'True', 'search-base': 'DC=example,DC=org', 'search-filter': '(mail={email})', 'continue-on-failure': 'True', 'auto-register-username': '{sAMAccountName', 'bind-password': '{password}', 'allow-password-change': 'False'}
galaxy.auth.providers.ldap_ad DEBUG 2017-06-14 12:04:40,648 LDAP authenticate: Valid LDAP option pair OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW -> 24582=3
galaxy.auth.providers.ldap_ad ERROR 2017-06-14 12:04:40,648 LDAP authenticate: search exception
Traceback (most recent call last):
  File "/home/galaxy/galaxy/lib/galaxy/auth/providers/ldap_ad.py", line 118, in authenticate
    ldap.set_option(*opt)
  File "/home/galaxy/galaxy/.venv/lib/python2.7/site-packages/ldap/functions.py", line 135, in set_option
    return _ldap_function_call(None,_ldap.set_option,option,invalue)
  File "/home/galaxy/galaxy/.venv/lib/python2.7/site-packages/ldap/functions.py", line 66, in _ldap_function_call
    result = func(*args,**kwargs)
ValueError: option error


Are you running MS AD ?   if so, could i take a look at your config file?

Thanks
John


From: Jelle Scholtalbers <j.scholtalbers@gmail.com>
To: Hans-Rudolf Hotz <hrh@fmi.ch>
Cc: John Chen <jchen162@yahoo.com>; Galaxy Dev List <galaxy-dev@lists.galaxyproject.org>
Sent: Monday, June 12, 2017 3:16 AM
Subject: Re: [galaxy-dev] AD Intergration

Hi John,

as a tip, you can use the tool "ldapsearch", from e.g. the package "openldap-client", to figure out with which attributes you search and which attributes you can retrieve.

Examples:
ldapsearch -vv -x -H ldap://dc1.example.com -b cn=Users,dc=exampke,dc=org" # retrieve all AD/ldap entries
$ ldapsearch -vv -x -H ldap://dc1.example.com -b cn=Users,dc=exampke,dc=org "uid=a_username"  # retrieve all attributes for user with uid "a_username"
$ ldapsearch -vv -x -H ldap://dc1.example.com -b cn=Users,dc=exampke,dc=org "sAMAccountName=a_username" mail # only retrieve the mail attribute by searching for the sAMAccountName


In addition, if you get it working, you might want to switch to the more secure ldaps if that is supported by your IT.

Cheers,
Jelle



On Mon, Jun 12, 2017 at 8:32 AM, Hans-Rudolf Hotz <hrh@fmi.ch> wrote:


On 06/09/2017 03:29 PM, John Chen wrote:
Hans-Rudolf,

That got me past the error, but I i am now having issue authenticating
with against AD, as if its not able to search for the users.  Do I need
a binding service account to search AD object?  Does the bottow 5 lines
look correct?

They look right, but I can't say whether they are correct. You need to discuss this with the person who has set up your Active Directory


Hans-Rudolf




<search-base>cn=galaxy,ou=Secu rity,ou=somegroup,dc=example, dc=org</search-base>

<search-filter>(&amp;(objectCl ass=user)(sAMAccountName={ username}))</search-filter>
             <search-user>ADsearchAccount< /search-user>
             <search-password>AD_Search_Pa sswrd</search-password>
             <bind-user>{sAMAccountName}</ bind-user>

The logs show that it found the userID and email, but gets an invalid
password on the webportal

galaxy.webapps.galaxy.controll ers.user DEBUG 2017-06-09 09:26:34,592
trans.app.config.auth_config_f ile: ./config/auth_conf.xml
galaxy.auth.providers.ldap_ad DEBUG 2017-06-09 09:26:34,592 LDAP
authenticate: email is testUser.name@example.org
galaxy.auth.providers.ldap_ad DEBUG 2017-06-09 09:26:34,592 LDAP
authenticate: username is testUser
galaxy.auth.providers.ldap_ad DEBUG 2017-06-09 09:26:34,592 LDAP
authenticate: options are {'bind-user': '{sAMAccountName}',
'search-fields': 'sAMAccountName,mail', 'login-use-username': 'True',
'allow-register': 'False', 'auto-register-email': '{mail}', 'server':
'ldap://xxx.xxx.xx', 'auto-register': 'True', 'search-base':
'cn=xxx-xx,ou=Security,ou=xxxx x xxx,dc=xxx,dc=xx', 'search-filter':
'(&(objectClass=user)(sAMAccou ntName={username}))',
'auto-register-username': '{sAMAccountName}', 'search-password': 'xxxx',
'search-user': 'xxxx', 'bind-password': '{password}'}
galaxy.auth.providers.ldap_ad WARNING 2017-06-09 09:26:34,596 LDAP
authenticate: search returned no results
10.127.220.227 - - [09/Jun/2017:09:26:34 -0400] "POST
/user/login?use_panels=False HTTP/1.1" 200 -
"http://glxlcdcpvm01.nyumc.org :8080/user/login?use_panels= False"
"Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0"


------------------------------ ------------------------------ ------------
*From:* Hans-Rudolf Hotz <hrh@fmi.ch>
*To:* John Chen <jchen162@yahoo.com>; Galaxy Dev List
<galaxy-dev@lists.galaxyprojec t.org>
*Sent:* Friday, June 9, 2017 3:34 AM
*Subject:* Re: [galaxy-dev] AD Intergration

always keep the mailing list in the loop! in order for others to help or
learn



On 06/08/2017 07:27 PM, John Chen wrote:
 > Hans-Rudolf
 >
 > This is the error I get when I start the Galaxy server.
 >
...
 > xml.etree.ElementTree.ParseErr or: mismatched tag: line 8, column 105
 >

This is very informative. Looking at line 8 in your file:


<server><a class="moz-txt-link-freetext"
href="ldap://ldap.xxx.xx">ldap ://ldap.xxx.xx</server>


The element "a" is not  terminated


What happens, if you try just

<server>ldap://ldap.xxx.xx</se rver>





Regards, Hans-Rudolf


______________________________ _____________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
 https://lists.galaxyproject.o rg/

To search Galaxy mailing lists use the unified search at:
 http://galaxyproject.org/sear ch/