Hello,
From my experience, By default, Active Directory does not allow bind operation over plain LDAP, you need LDAPS for that to happen.
My 2 cents.
Youssef Ghorbal ------------------------------------ On 9 Jun 2017, at 15:29, John Chen <jchen162@yahoo.commailto:jchen162@yahoo.com> wrote:
Hans-Rudolf,
That got me past the error, but I i am now having issue authenticating with against AD, as if its not able to search for the users. Do I need a binding service account to search AD object? Does the bottow 5 lines look correct?
<search-base>cn=galaxy,ou=Security,ou=somegroup,dc=example,dc=org</search-base> <search-filter>(&(objectClass=user)(sAMAccountName={username}))</search-filter> <search-user>ADsearchAccount</search-user> <search-password>AD_Search_Passwrd</search-password> <bind-user>{sAMAccountName}</bind-user>
The logs show that it found the userID and email, but gets an invalid password on the webportal
galaxy.webapps.galaxy.controllers.user DEBUG 2017-06-09 09:26:34,592 trans.app.config.auth_config_file: ./config/auth_conf.xml galaxy.auth.providers.ldap_ad DEBUG 2017-06-09 09:26:34,592 LDAP authenticate: email is testUser.name@example.orgmailto:testUser.name@example.org galaxy.auth.providers.ldap_ad DEBUG 2017-06-09 09:26:34,592 LDAP authenticate: username is testUser galaxy.auth.providers.ldap_ad DEBUG 2017-06-09 09:26:34,592 LDAP authenticate: options are {'bind-user': '{sAMAccountName}', 'search-fields': 'sAMAccountName,mail', 'login-use-username': 'True', 'allow-register': 'False', 'auto-register-email': '{mail}', 'server': 'ldap://xxx.xxx.xx', 'auto-register': 'True', 'search-base': 'cn=xxx-xx,ou=Security,ou=xxxxx xxx,dc=xxx,dc=xx', 'search-filter': '(&(objectClass=user)(sAMAccountName={username}))', 'auto-register-username': '{sAMAccountName}', 'search-password': 'xxxx', 'search-user': 'xxxx', 'bind-password': '{password}'} galaxy.auth.providers.ldap_ad WARNING 2017-06-09 09:26:34,596 LDAP authenticate: search returned no results 10.127.220.227 - - [09/Jun/2017:09:26:34 -0400] "POST /user/login?use_panels=False HTTP/1.1" 200 - "http://glxlcdcpvm01.nyumc.org:8080/user/login?use_panels=False" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0"
________________________________ From: Hans-Rudolf Hotz <hrh@fmi.chmailto:hrh@fmi.ch> To: John Chen <jchen162@yahoo.commailto:jchen162@yahoo.com>; Galaxy Dev List <galaxy-dev@lists.galaxyproject.orgmailto:galaxy-dev@lists.galaxyproject.org> Sent: Friday, June 9, 2017 3:34 AM Subject: Re: [galaxy-dev] AD Intergration
always keep the mailing list in the loop! in order for others to help or learn
On 06/08/2017 07:27 PM, John Chen wrote:
Hans-Rudolf
This is the error I get when I start the Galaxy server.
...
xml.etree.ElementTree.ParseError: mismatched tag: line 8, column 105
This is very informative. Looking at line 8 in your file:
<server><a class="moz-txt-link-freetext" href="ldap://ldap.xxx.xx">ldap://ldap.xxx.xx</server>
The element "a" is not terminated
What happens, if you try just
<server>ldap://ldap.xxx.xx</server>
Regards, Hans-Rudolf
___________________________________________________________ Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at: https://lists.galaxyproject.org/
To search Galaxy mailing lists use the unified search at: http://galaxyproject.org/search/