LDAP Auto register - "username is None"
Hi All,

I've been trying to get the new LDAP module to work. It works fine for existing users but I can't get auto-register to work. In the logs I can see the successful logins look like this:

galaxy.webapps.galaxy.controllers.user DEBUG 2015-09-02 13:35:06,130 trans.app.config.auth_config_file: ./config/auth_conf.xml
galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:35:06,131 LDAP authenticate: email is mjv08@aber.ac.uk
galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:35:06,131 LDAP authenticate: username is mjv08
....
galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:35:06,235 LDAP authentication successful

and those that are unsuccessful have a username as None, which is why the search filter isn't working:

galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:47:13,951 LDAP authenticate: email is unreguser@aber.ac.uk
galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:47:13,951 LDAP authenticate: username is None
....
galaxy.auth.providers.ldap_ad WARNING 2015-09-02 13:47:14,110 LDAP authenticate: search returned no results

My auth_config.xml openldap authenticator looks like this (edited to remove openldap server details):

<authenticator>
  <type>ldap</type>
  <filter>'{email}'.endswith('@example.com')</filter>
  <options>
    <auto-register>True</auto-register>
    <allow-register>Challenge</allow-register>
    <server>ldaps://dc1.example.com</server>
    <search-base>ou=People,dc=dc1,dc=example,dc=com</search-base>
    <search-user>cn=searchuser,ou=People,dc=dc1,dc=example,dc=com</search-user>
    <search-password>searchuserpassword</search-password>
    <search-fields>cn,mail</search-fields>
    <search-filter>(&(cn={username})(mail={email}))</search-filter>
    <bind-user>{dn}</bind-user>
    <bind-password>{password}</bind-password>
    <auto-register-username>{cn}</auto-register-username>
    <auto-register-email>{mail}</auto-register-email>
  </options>
</authenticator>

Are there any settings in galaxy.ini that are required to enable this to work?

Many thanks
Martin

--
Dr. Martin Vickers
Data Manager/HPC Systems Administrator
Institute of Biological, Environmental and Rural Sciences
IBERS New Building
Aberystwyth University
w: http://www.martin-vickers.co.uk/
e: mjv08@aber.ac.uk
t: 01970 62 2807
Hi Martin,

what LDAP server are you using? We have tested only OpenLDAP and ActiveDirectory, but it should work on any LDAP server.

If it is OpenLDAP, I think you should use:

<search-fields>uid,mail</search-fields>
<search-filter>(&(mail={email})(uid={username}))</search-filter>
<auto-register-username>{uid}</auto-register-username>

More details in:
https://github.com/galaxyproject/galaxy/blob/dev/config/auth_conf.xml.sample

Cheers,
Nicola

On 02.09.2015 15:03 Martin Vickers wrote:
Hi Nicola,

It's an OpenLDAP server. uid isn't set on ours, it's cn instead, so using ldapsearch I can correctly bind:

dn: cn=mjv08,ou=Person,dc=dc1,dc=example,dc=com
objectClass: aberPerson
cn: mjv08

So authentication to the ldap server is working; the issue seems to be that when it's an unknown user, it's passing the following search string:

(&(cn=None)(mail=unknownuser@aber.ac.uk))

rather than:

(&(cn=unknownuser)(mail=unknownuser@aber.ac.uk))

hence the:

galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 15:40:07,322 LDAP authenticate: username is None
galaxy.auth.providers.ldap_ad WARNING 2015-09-02 15:40:07,485 LDAP authenticate: search returned no results

How is {username} in auth_config.xml set? Does it parse {email} to get it?

Many thanks,
Martin

On 09/02/2015 03:38 PM, Nicola Soranzo wrote:
Hi Martin,

I suspect there's an error in the sample auth_conf.xml file: <search-filter> should try to match only the email, not the username (unless you specify <login-use-username>True</login-use-username>, in which case it's vice versa), because it is not known when you first log in. In fact, for ActiveDirectory the filter is:

<search-filter>(&(objectClass=user)(mail={email}))</search-filter>

So, can you try to change:

<search-filter>(&(cn={username})(mail={email}))</search-filter>

to something like:

<search-filter>(mail={email})</search-filter>

Cheers,
Nicola

On 02/09/15 15:51, Martin Vickers wrote:
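As an added illustration of the point in Nicola's reply (this is example code written for this page, not code from the thread or from Galaxy itself): a small Python stand-in for the provider's search step, showing why a filter that mentions {username} finds nothing when the login form only supplied an email. The in-memory directory, its two entries and the tiny filter evaluator are my own constructions; a real deployment sends the rendered filter to the LDAP server instead.

```python
"""Added example, not code from the thread or from Galaxy: a stand-in for
the provider's search step, to show why a filter that mentions {username}
finds nothing when the login form only supplied an email.

Assumptions (mine): the directory is an in-memory dict instead of an LDAP
server, and the evaluator only understands the (attr=value), (&...) and
(|...) filter forms that appear in the thread.
"""

# Constructed directory: entries carry cn and mail but no uid, as on
# Martin's server. The entries and values are made up for the example.
DIRECTORY = {
    "cn=mjv08,ou=Person,dc=dc1,dc=example,dc=com": {
        "objectClass": "aberPerson", "cn": "mjv08", "mail": "mjv08@aber.ac.uk"},
    "cn=unknownuser,ou=Person,dc=dc1,dc=example,dc=com": {
        "objectClass": "aberPerson", "cn": "unknownuser", "mail": "unknownuser@aber.ac.uk"},
}


def login_params(email=None, username=None):
    """What the provider knows after the login form: only one of the two is
    set, and which one depends on login-use-username."""
    return {"email": email, "username": username}


def render(template, params):
    """str.format-style substitution of {email}/{username}. A missing value
    is rendered as the text 'None', which is how '(cn=None)' ends up in the
    search string Martin saw in his logs."""
    return template.format(**{k: str(v) for k, v in params.items()})


def parse_filter(text):
    """Parse the filter subset into ('=', attr, value) or ('&'|'|', [children])."""
    text = text.strip()
    if not (text.startswith("(") and text.endswith(")")) or len(text) < 3:
        raise ValueError("filter must be a non-empty parenthesised term: %r" % text)
    body = text[1:-1]
    if body[0] in "&|":
        children, depth, start = [], 0, 0
        for i, ch in enumerate(body[1:], start=1):
            if ch == "(":
                if depth == 0:
                    start = i
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    children.append(parse_filter(body[start:i + 1]))
        return (body[0], children)
    attr, _, value = body.partition("=")
    return ("=", attr.strip(), value.strip())


def matches(node, entry):
    """Evaluate a parsed filter against one entry (exact, case-sensitive match)."""
    if node[0] == "=":
        return entry.get(node[1]) == node[2]
    results = [matches(child, entry) for child in node[1]]
    return all(results) if node[0] == "&" else any(results)


def ldap_search(filter_template, params, directory=DIRECTORY):
    """Render the template with the login values, then return the matching DNs."""
    tree = parse_filter(render(filter_template, params))
    return [dn for dn, entry in directory.items() if matches(tree, entry)]


if __name__ == "__main__":
    email_only = login_params(email="unknownuser@aber.ac.uk")
    original = "(&(cn={username})(mail={email}))"
    print(render(original, email_only))               # (&(cn=None)(mail=unknownuser@aber.ac.uk))
    print(ldap_search(original, email_only))          # [] -> "search returned no results"
    print(ldap_search("(mail={email})", email_only))  # the unknownuser DN
```

With only the email known, the original filter renders to the `(cn=None)` string from Martin's logs and matches nothing, while `(mail={email})` returns the entry; a filter that ANDs in `uid` also returns nothing on this directory because the entries have no `uid` attribute, which is the second problem discussed later in the thread.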
Hi Nicola,

So I've realised that none of that was actually the issue. The (&(uid={username})(mail={email})) part does work fine; it's the setting of the username that is the issue. When the first unregistered user logs in, it works fine but the username is set to -10. When a second unregistered user attempts to login, they can't. If I manually change their username, the second user is then able to log in and once again the username is set to -10 (see attached images).

I think the issue here stems from:

<auto-register-username>{uid}</auto-register-username>

since I don't have a uid property in our ldap server. I've tried all combinations of auto-register (True/False) and allow-register (True/False/Challenge) and haven't been able to get it to work. It also appears that auto-register-username and auto-register-email are requirements to use this authenticator, as without them no one can log in (including registered users), and I get the following "Internal Server Error" message.

This is my current auth_config.xml file:

<authenticator>
  <type>ldap</type>
  <options>
    <allow-register>True</allow-register>
    <server>ldaps://dc1.example.com</server>
    <search-base>ou=Person,dc=dc1,dc=example,dc=com</search-base>
    <search-user>cn=searchuser,ou=Person,dc=dc1,dc=example,dc=com</search-user>
    <search-password>searchpasssword</search-password>
    <search-fields>uid,mail</search-fields>
    <search-filter>(|(mail={email})(uid={username}))</search-filter>
    <continue-on-failure>False</continue-on-failure>
    <bind-user>{dn}</bind-user>
    <bind-password>{password}</bind-password>
    <auto-register-username>{uid}</auto-register-username>
    <auto-register-email>{mail}</auto-register-email>
  </options>
</authenticator>

Doesn't one of the allow-register settings make/ask the user to provide a username rather than trying to auto generate it? Or, is there a way to get the username out of the ldap server if it's not using uid to store it?

Many thanks,
Martin

On 09/02/2015 06:09 PM, Nicola Soranzo wrote:
Hi,

Okay I've solved it. The issue was that a) (mail={email}) is all that is required in the search filter (to allow non-registered users), and b) cn and mail need to be returned in the search-fields for use with the auto-register-username and email. Finally, ensure auto-register is set to True.

<auto-register>True</auto-register>
<server>ldaps://dc1.example.com</server>
<search-base>ou=Person,dc=dc1,dc=example,dc=com</search-base>
<search-user>cn=searchuser,ou=Person,dc=dc1,dc=example,dc=com</search-user>
<search-password>searchpassword</search-password>
<search-fields>cn,mail</search-fields>
<search-filter>(mail={email})</search-filter>
<continue-on-failure>False</continue-on-failure>
<bind-user>{dn}</bind-user>
<bind-password>{password}</bind-password>
<auto-register-username>{cn}</auto-register-username>
<auto-register-email>{mail}</auto-register-email>

Cheers,
Martin

On 09/03/2015 11:59 AM, Martin Vickers wrote:
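As an added check covering both Martin's earlier attempt and the working configuration above (example code written for this page, not Galaxy's own code and not something posted in the thread): a small Python validator that reads an <authenticator> block and reports the three things the thread settled on, namely that the search filter only uses the credential the login form supplies, that the auto-register templates only reference attributes search-fields returns and the directory actually has, and that auto-register is True. The XML below wraps Martin's final snippet in the <authenticator>/<options> elements the sample file uses, the earlier attempt is derived from it, and the set of known directory attributes comes from his ldapsearch output; the function names, the known_attrs idea and the message wording are my assumptions.

```python
"""Added example, not Galaxy's own code: a static check of an auth_conf.xml
<authenticator> block against the three points settled in this thread.
Function names, messages and the known_attrs idea are my assumptions.
"""
import re
import xml.etree.ElementTree as ET

PLACEHOLDER = re.compile(r"\{([A-Za-z_][A-Za-z0-9_-]*)\}")

# Values the provider fills in itself; anything else in an auto-register
# template has to come back from the directory search.
FORM_PARAMS = {"email", "username", "password", "dn"}

# Constructed configs. FIXED is Martin's final snippet wrapped in the
# <authenticator>/<options> elements from the sample file; BROKEN is his
# earlier attempt (no <auto-register>, {uid} on a server without uid).
FIXED = """<authenticator>
  <type>ldap</type>
  <options>
    <auto-register>True</auto-register>
    <server>ldaps://dc1.example.com</server>
    <search-base>ou=Person,dc=dc1,dc=example,dc=com</search-base>
    <search-user>cn=searchuser,ou=Person,dc=dc1,dc=example,dc=com</search-user>
    <search-password>searchpassword</search-password>
    <search-fields>cn,mail</search-fields>
    <search-filter>(mail={email})</search-filter>
    <continue-on-failure>False</continue-on-failure>
    <bind-user>{dn}</bind-user>
    <bind-password>{password}</bind-password>
    <auto-register-username>{cn}</auto-register-username>
    <auto-register-email>{mail}</auto-register-email>
  </options>
</authenticator>"""

BROKEN = (FIXED
          .replace("<auto-register>True</auto-register>", "<allow-register>True</allow-register>")
          .replace("cn,mail", "uid,mail")
          .replace("(mail={email})", "(|(mail={email})(uid={username}))")
          .replace("{cn}", "{uid}"))

# Attributes Martin's ldapsearch output showed on a user entry (no uid).
KNOWN_ATTRS = {"objectClass", "cn", "mail"}


def _opt(options, name):
    node = options.find(name)
    return node.text.strip() if node is not None and node.text else None


def _is_true(value):
    return (value or "False").strip().lower() == "true"


def check_authenticator(xml_text, known_attrs=None):
    """Return a list of problems; an empty list means the block passes."""
    auth = ET.fromstring(xml_text)
    options = auth.find("options")
    if options is None:
        return ["<options> element missing"]
    problems = []
    search_filter = _opt(options, "search-filter") or ""
    search_fields = {f.strip() for f in (_opt(options, "search-fields") or "").split(",") if f.strip()}

    # 1. The filter may only use the credential the login form actually supplies;
    #    the other one is None at first login (see the 'username is None' log line).
    unknown = "email" if _is_true(_opt(options, "login-use-username")) else "username"
    if unknown in PLACEHOLDER.findall(search_filter):
        problems.append("search-filter references {%s}, which is None at first login" % unknown)

    # 2. Every attribute an auto-register template needs must be requested ...
    for name in ("auto-register-username", "auto-register-email"):
        template = _opt(options, name)
        if template is None:
            problems.append("%s is not set" % name)
            continue
        for attr in PLACEHOLDER.findall(template):
            if attr not in FORM_PARAMS and attr not in search_fields:
                problems.append("%s uses {%s} but search-fields does not return it" % (name, attr))

    # ... and, when we know what the directory holds, must actually exist there.
    if known_attrs is not None:
        for attr in sorted(search_fields - set(known_attrs)):
            problems.append("search-fields requests %s, which the directory entries do not have" % attr)

    # 3. Unknown users are only created when auto-register is explicitly True.
    if not _is_true(_opt(options, "auto-register")):
        problems.append("auto-register is not True, so unknown users will not be created")
    return problems


if __name__ == "__main__":
    for label, cfg in (("fixed", FIXED), ("broken", BROKEN)):
        print(label, check_authenticator(cfg, KNOWN_ATTRS))
```

Run against the working configuration the check returns an empty list; against the earlier attempt it flags the `{username}` reference in the filter, the `uid` field the directory does not carry, and the missing `<auto-register>True</auto-register>`. Note that in a real auth_conf.xml an `&` inside a filter such as `(&(objectClass=user)(mail={email}))` has to be written `&amp;`, or the XML parser will reject the file before any of these checks run.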
Hi Martin,

that's exactly what I was suggesting in my last email, sorry for not explaining myself better with a complete example! I'm happy it's working for you now, I will create a PR to update the sample file example.

Thanks,
Nicola

On 03/09/15 12:47, Martin Vickers wrote:
--
Dr. Martin Vickers
Data Manager/HPC Systems Administrator
Institute of Biological, Environmental and Rural Sciences
IBERS New Building
Aberystwyth University
w: http://www.martin-vickers.co.uk/
e: mjv08@aber.ac.uk
t: 01970 62 2807
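Added example, not Galaxy's code and not posted by anyone in this thread: a small Python sketch of the placeholder substitution the thread describes, showing why the sample filter `(&(cn={username})(mail={email}))` turns into `(cn=None)` on a first login, while an email-only `<search-filter>` plus `<auto-register-username>{cn}</auto-register-username>` recovers the username from the entry the search returns. The in-memory directory entry, the str.format-style substitution and the RFC 4515 filter-value escaping are assumptions; the escaping is added hardening that the thread does not discuss.

```python
import re

# Constructed stand-in for the thread's OpenLDAP entry: the login name lives in cn, not uid.
DIRECTORY = [
    {"dn": "cn=mjv08,ou=People,dc=dc1,dc=example,dc=com",
     "cn": "mjv08", "mail": "mjv08@aber.ac.uk"},
]

# RFC 4515 escapes for filter values (added hardening, not something the thread covers).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_CLAUSE = re.compile(r"\((\w+)=([^()]*)\)")


def escape_filter_value(value):
    """Escape one value so user input cannot add clauses to the filter it is placed in."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template, **params):
    """Fill {name} placeholders (assumed str.format-style, as the 'cn=None' log line suggests).
    A username that is not known yet arrives as None and renders literally as 'None'."""
    return template.format(**{k: escape_filter_value(str(v)) for k, v in params.items()})


def search(filter_str):
    """Tiny matcher for the constructed directory: every (attr=value) clause must match,
    which covers both the AND filter from the sample config and the single-clause fix."""
    clauses = _CLAUSE.findall(filter_str)
    return [e for e in DIRECTORY
            if clauses and all(escape_filter_value(e.get(a, "")) == v for a, v in clauses)]


def first_login(email, username=None):
    """Compare the sample filter with the email-only filter for a user Galaxy has not seen."""
    broken = render_filter("(&(cn={username})(mail={email}))", username=username, email=email)
    fixed = render_filter("(mail={email})", email=email)
    return broken, search(broken), fixed, search(fixed)


def auto_register_username(entry, template="{cn}"):
    """Derive the Galaxy username from the entry found by email, as <auto-register-username> does."""
    return template.format(**entry)


if __name__ == "__main__":
    broken, broken_hits, fixed, fixed_hits = first_login("mjv08@aber.ac.uk")
    print(broken, "->", len(broken_hits), "results")   # (&(cn=None)(mail=...)) -> 0 results
    print(fixed, "->", auto_register_username(fixed_hits[0]))
```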