Hi Martin,
I suspect there's an error in the sample auth_conf.xml file, <search-filter> should try to match only the email, not the username (unless you specify <login-use-username>True</login-use-username>, in which case it's viceversa) because it is not known when you first login. In fact, for ActiveDirectory the filter is: <search-filter>(&amp;(objectClass=user)(mail={email}))</search-filter> So, can you try to change: <search-filter>(&amp;(cn={username})(mail={email}))</search-filter> to something like:
<search-filter>(mail={email})</search-filter> Cheers, Nicola
On 02/09/15 15:51, Martin Vickers wrote:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Nicola,

It's an OpenLDAP server. uid isn't set on ours, it's cn instead, so using ldapsearch I can correctly bind;

dn: cn=mjv08,ou=Person,dc=dc1,dc=example,dc=com
objectClass: aberPerson
cn: mjv08

So authentication to the ldap server is working, the issue seems to be that when it's an unknown user, it's passing the following search string;

(&(cn=None)(mail=unknownu...@aber.ac.uk))

rather than;

(&(cn=unknownuser)(mail=unknownu...@aber.ac.uk))

hence the;

galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 15:40:07,322 LDAP authenticate: username is None galaxy.auth.providers.ldap_ad WARNING 2015-09-02 15:40:07,485 LDAP authenticate: search returned no results

How is {username} in auth_config.xml set? Does it parse {email} to get it?

Many thanks,

Martin

On 09/02/2015 03:38 PM, Nicola Soranzo wrote:
> Hi Martin, > what LDAP server are you using? We have tested only OpenLDAP and > ActiveDirectory, but should work on any LDAP server. > > If it is OpenLDAP, I think you should use: > > <search-fields>uid,mail</search-fields> > <search-filter>(&amp;(mail={email})(uid={username}))</search-filter> > <auto-register-username>{uid}</auto-register-username> > > More details in: > > https://github.com/galaxyproject/galaxy/blob/dev/config/auth_conf.xml.sample > > Cheers, > Nicola > > Il 02.09.2015 15:03 Martin Vickers ha scritto: > > Hi All, > > I've been trying to get the new LDAP module to work. It works fine for > existing users but I can't get auto-register to work. In the logs I can > see the successful logins look like this; > > galaxy.webapps.galaxy.controllers.user DEBUG 2015-09-02 13:35:06,130 > trans.app.config.auth_config_file: ./config/auth_conf.xml > galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:35:06,131 LDAP > authenticate: email is mj...@aber.ac.uk [1] > galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:35:06,131 LDAP > authenticate: username is mjv08 > .... > galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:35:06,235 LDAP > authentication successful > > and those that are unsuccessful have a username as None, which is why > the search filter isn't working; > > galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:47:13,951 LDAP > authenticate: email is unregu...@aber.ac.uk [2] > galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:47:13,951 LDAP > authenticate: username is None > .... > galaxy.auth.providers.ldap_ad WARNING 2015-09-02 13:47:14,110 LDAP > authenticate: search returned no results > > My auth_config.xml openldap authenticator looks like this (edited to > remove openldap server details); > > ldap > '{email}'.endswith('@example.com') > > True > Challenge > ldaps://dc1.example.com > > ou=People,dc=dc1,dc=example,dc=com > > cn=searchuser,ou=People,dc=dc1,dc=example,dc=com > > searchuserpassword > cn,mail > > (&(cn={username})(mail={email})) > {dn} > {password} > > {cn} > {mail} > > Are there any settings in galaxy.ini that are required to enable this to > work? > > Many thanks > > Martin > > > > Connetti gratis il mondo con la nuova indoona: hai la chat, le chiamate, le video chiamate e persino le chiamate di gruppo. > E chiami gratis anche i numeri fissi e mobili nel mondo! > Scarica subito l’app Vai su https://www.indoona.com/ > >

- --
- --
Dr. Martin Vickers

Data Manager/HPC Systems Administrator
Institute of Biological, Environmental and Rural Sciences
IBERS New Building
Aberystwyth University

w: http://www.martin-vickers.co.uk/
e: mj...@aber.ac.uk
t: 01970 62 2807
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iQEcBAEBAgAGBQJV5wzhAAoJEHa0a8GkKQgIdGIH/3yjT7hz+3IECPIak4qyiEbF
C/4s+gpQdKnQHMJrg0xB1aB7lXhO+LjgP9bkZLMwBlQpiOPz2cApZ9e51S+vIXEU
e+MoOYIXputDgG49pfl6TB9N0fR2FIZcnp5vy3GBFUIWreJRvRX2EuiI97iY7iei
eSg9cjZ6UIWZBKdo+PrO1hPdhkAX+l5Kd8HMipLuInKpvZDZfiBxQMd4zFCIGz3W
vSymyQSHQpOul3rnwp70l76doT9jqsBW3ggpnwdbP2/pgRLvmPkyvCh2u2fyrouv
vsj11ODrskIZb10YyXy5QxsbluaThA1QeTw+0s+UEIPrNvyLcrSmuidHDjlnV5I=
=zSFZ
-----END PGP SIGNATURE-----


___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  https://lists.galaxyproject.org/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/

Reply via email to